On May 2, 2017 at 16:00 CEST, a security flaw was detected in our Proxmox 4 installations.
In order to use Proxmox in a ‘cluster’ configuration (Proxmox VE Cluster), a pair of SSH keys is automatically generated to facilitate communication between the different physical nodes of the cluster.
Our system that generates the distribution (March 16, 2017 at 12:26 CEST) did not correctly those pair of keys, making possible the connection between two client machines.
In order to reduce the attack surface and as a measure of precaution, we used the private key available in the image to remove the public key which corresponds to the authorize keys file found in ‘/etc/pve/priv’. The traditional "/root/.ssh/authorized_keys" file being a symbolic link to the latter.
We are not able to intervene on the Proxmox configurations configured in cluster mode, without disrupting service.
We have logged in your manager our intervention under the reference: 'Remote Intervention OVH for correction Proxmox installation'.
The corrective action taken is not a permanent solution because in order to fully secure your configuration, the new pair of keys must be generated by you. If you restart the ‘pve-cluster’ service (also in case of server reboot), the previous SSH key will be redeployed, making the server vulnerable again.
It is strongly advised that you conduct a complementary analysis of your system.
In order to help you, the following script will secure your infrastructure:
- wget ftp://ftp.ovh.net/made-in-ovh/dedie/proxmox4-fixssh.sh
- chmod +x proxmox4-fixssh.sh
- ./proxmox4-fixssh.sh
貌似大意是:我们发现了Proxmox 4的安全漏洞,并帮您采取了临时补救措施,但是需要你亲自动手才能彻底解决这个问题,解决方法请运行以下命令:
- wget ftp://ftp.ovh.net/made-in-ovh/dedie/proxmox4-fixssh.sh
- chmod +x proxmox4-fixssh.sh
- ./proxmox4-fixssh.sh
各位大神啊!中文大意是这样吗? |
发表于 2017-5-6 18:09:54
楼主