Installation on Proxmox 8.x

Justin Clift edited this page May 16, 2024 · 8 revisions

Rough notes on how to install hpn-ssh on Proxmox 8.x x86_64

This page assumes you have a fresh install of Proxmox 8.x, and are able to log in directly as the root user over ssh.

Note - make sure you've created the Proxmox cluster for your nodes first, as installing hpn-ssh before establishing the cluster can screw things up. 😉

Add the hpn-ssh repository

Install GPG

# apt install -y gpg

Add the signing key for the hpn-ssh repository

# wget -q "https://download.opensuse.org/repositories/home:/rapier1/Debian_12/Release.key" \
    -O - | gpg --dearmor > /usr/share/keyrings/rapier1-hpnssh.gpg

Add the hpn-ssh repository

# cat << EOF > /etc/apt/sources.list.d/hpnssh.sources
Types: deb
URIs: https://download.opensuse.org/repositories/home:/rapier1/Debian_12/
Suites: /
Signed-By: /usr/share/keyrings/rapier1-hpnssh.gpg
EOF

Refresh the list of apt packages available to install

# apt update

Install hpn-ssh packages

# apt install -y hpnssh-server

Post-installation configuration

Create the link to the Proxmox centralised known_hosts file

# cd /etc/hpnssh
# ln -s /etc/pve/priv/known_hosts ssh_known_hosts
# cd /root/.ssh
# ln -s /etc/pve/priv/known_hosts known_hosts

You'll probably want to copy the host keys from the existing ssh install across to hpn-ssh, to minimise connectivity problems from other machines

# systemctl stop hpnssh
# rm /etc/hpnssh/*key /etc/hpnssh/*pub
# cp /etc/ssh/*key /etc/ssh/*pub /etc/hpnssh/
# systemctl start hpnssh
# systemctl enable hpnssh

And you'll probably want to disable standard ssh + have hpnssh listen on the standard ssh port as well

# systemctl stop ssh
# systemctl disable ssh
# systemctl mask ssh   # <-- without masking it, it seems to start up anyway
# echo "Port 22" > /etc/hpnssh/sshd_config.d/port_22.conf
# systemctl restart hpnssh

Verify that hpn-ssh is now listening on both port 22 and port 2222:

# ss -nltp | grep 22
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("hpnsshd",pid=6633,fd=5))                                                                                                        
LISTEN 0      128          0.0.0.0:2222      0.0.0.0:*    users:(("hpnsshd",pid=6633,fd=3))                                                                                                        
LISTEN 0      128             [::]:22           [::]:*    users:(("hpnsshd",pid=6633,fd=6))                                                                                                        
LISTEN 0      128             [::]:2222         [::]:*    users:(("hpnsshd",pid=6633,fd=4))

Switch to using aes256-ctr by default:

# mv /root/.ssh/config /root/.ssh/config-orig
# echo "Ciphers aes256-ctr" > /root/.ssh/config
# chmod 640 /root/.ssh/config

You should now be able to log out, and back in via ssh, with hpn-ssh having transparently taken over the duties of the ssh daemon.
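The checks for this stage can be scripted. The two functions below are an added example, not part of the original notes or the hpn-ssh project, and their names are assumptions: one confirms that a port is served only by hpnsshd, the other that the host keys copied into /etc/hpnssh are identical to the originals and that no private key copy is readable by group or others.

```shell
#!/bin/sh
# Added example, not from the hpn-ssh project: checks for the steps above.

# Reads `ss -nltp` output on stdin. Succeeds only if port $1 has at least
# one listener and every listener on it is hpnsshd.
port_owned_by_hpnsshd() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            seen = 1
            if ($0 !~ /users:\(\("hpnsshd"/) bad = 1
        }
        END { exit !(seen && !bad) }'
}

# Succeeds only if every *key / *pub file in $1 has a byte-identical copy
# in $2 and no private key copy in $2 is readable by group or others.
hostkeys_match() {
    for k in "$1"/*key "$1"/*pub; do
        [ -f "$k" ] || continue
        cmp -s "$k" "$2/$(basename "$k")" || { echo "differs: $k"; return 1; }
    done
    loose=$(find "$2" -name '*key' \( -perm -040 -o -perm -004 \))
    [ -z "$loose" ] || { echo "too permissive: $loose"; return 1; }
}

# Constructed sample in the format of the `ss -nltp` output shown above.
sample_ss='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("hpnsshd",pid=6633,fd=5))
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:* users:(("hpnsshd",pid=6633,fd=3))'
if printf '%s\n' "$sample_ss" | port_owned_by_hpnsshd 22; then
    echo "port 22: served by hpnsshd only"
fi

# On a live node:
#   ss -nltp | port_owned_by_hpnsshd 22 && hostkeys_match /etc/ssh /etc/hpnssh
```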


Potentially dangerous stuff below here

You can replace the existing ssh client commands with their hpn-ssh equivalent, which will then be used by Proxmox for transferring disk snapshots, live migrations (etc) between the nodes:

This will probably break future upgrades of the ssh package though, so maybe don't do it in production environments unless you're ok with that and can fix things.

Move the original ssh commands aside

# cd /bin
# for i in ssh-argv0 ssh-keyscan ssh-keygen ssh-agent ssh-add ssh sftp scp; do
#  mv $i $i-orig
# done
# rm slogin
# ln -s ssh-orig slogin-orig

Switch in the hpn-ssh commands

# ln -s hpnssh-argv0 ssh-argv0
# ln -s hpnssh-keyscan ssh-keyscan
# ln -s hpnssh-keygen ssh-keygen
# ln -s hpnssh-agent ssh-agent
# ln -s hpnssh-add ssh-add
# ln -s hpnssh ssh
# ln -s hpnssh slogin
# ln -s hpnsftp sftp
# ln -s hpnscp scp

VERY dangerous stuff below this. DO NOT do this in a security sensitive environment

Important

If you're just trying to increase VM migration speeds, and you don't need to worry about security, then Proxmox already has an "insecure" option available without needing to use the none cipher.

To enable insecure migrations, add this to your /etc/pve/datacenter.cfg:

migration: type=insecure,network=1.2.3.0/24

Make sure you change the network address on that line to be correct for your setup.

With that enabled, transfers go much faster:

2024-04-20 13:37:47 migration active, transferred 88.8 GiB of 120.0 GiB VM-state, 1.8 GiB/s
2024-04-20 13:37:48 migration active, transferred 90.4 GiB of 120.0 GiB VM-state, 1.9 GiB/s
2024-04-20 13:37:49 migration active, transferred 91.9 GiB of 120.0 GiB VM-state, 2.0 GiB/s
2024-04-20 13:37:50 migration active, transferred 93.4 GiB of 120.0 GiB VM-state, 1.9 GiB/s
2024-04-20 13:37:51 migration active, transferred 95.0 GiB of 120.0 GiB VM-state, 2.0 GiB/s

Enabling the "none" cipher (no encryption) on the server

# echo "NoneEnabled yes" > /etc/hpnssh/sshd_config.d/none_cipher.conf
# echo "NoneMacEnabled yes" >> /etc/hpnssh/sshd_config.d/none_cipher.conf
# systemctl restart hpnssh

Blanket override of ssh to use the "none" cipher

Caution

This will TURN OFF over the wire encryption when this Proxmox server sends stuff to other hpn-ssh hosts.

If you do this in an environment where security is important, you could very well be fired. Not joking.

# mv /bin/ssh /bin/ssh.2
# echo '#!/bin/env sh' > /bin/ssh
# echo '' >> /bin/ssh
# echo 'hpnssh -oNoneEnabled=yes -oNoneSwitch=yes "$@"' >> /bin/ssh
# chmod +x /bin/ssh
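
To find out which of the encryption-disabling settings from this section are active on a node, for example before it is moved onto a network where security matters, a check like the following can be used. It is an added example, not part of the original notes or the hpn-ssh project; the function names and output labels are assumptions, and the sample tree it runs against is constructed from the commands on this page.

```shell
#!/bin/sh
# Added example, not from the hpn-ssh project. Prints one line for each
# encryption-disabling setting from this page that is active. $1 is an
# optional filesystem prefix; without it the live system is checked.
audit_unencrypted() {
    root=${1:-}

    # Server: NoneEnabled / NoneMacEnabled in the hpn-ssh drop-in directory.
    for f in "$root"/etc/hpnssh/sshd_config.d/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eiq '^[[:space:]]*None(Mac)?Enabled[[:space:]=]+yes' "$f"; then
            echo "server-none-cipher $f"
        fi
    done

    # Client: /bin/ssh replaced by a wrapper that forces the none cipher.
    w="$root/bin/ssh"
    if [ -f "$w" ] && grep -Eiq -e '-o ?None(Enabled|Switch)=yes' "$w"; then
        echo "client-none-wrapper $w"
    fi

    # Proxmox: unencrypted migration traffic set in datacenter.cfg.
    d="$root/etc/pve/datacenter.cfg"
    if [ -f "$d" ] && grep -Eq '^migration:.*type=insecure' "$d"; then
        echo "insecure-migration $d"
    fi
    return 0
}

# Constructed sample tree that mirrors the commands on this page.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/hpnssh/sshd_config.d" "$t/etc/pve" "$t/bin"
    echo "Port 22" > "$t/etc/hpnssh/sshd_config.d/port_22.conf"
    printf 'NoneEnabled yes\nNoneMacEnabled yes\n' \
        > "$t/etc/hpnssh/sshd_config.d/none_cipher.conf"
    printf '#!/bin/env sh\n\nhpnssh -oNoneEnabled=yes -oNoneSwitch=yes "$@"\n' \
        > "$t/bin/ssh"
    echo "migration: type=insecure,network=1.2.3.0/24" \
        > "$t/etc/pve/datacenter.cfg"
    echo "$t"
}

sample=$(make_sample_tree)
audit_unencrypted "$sample"
rm -rf "$sample"
```

Run with no argument on a node, an empty result means none of the three settings was found in the locations this page uses.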