fix: persist SSH host keys on home PVC to avoid known_hosts warnings

On first boot, generated host keys are saved to ~/.ssh/host_keys/ on the persistent home PVC. On subsequent boots they are restored, so SSH clients never see a "host key changed" warning after a pod restart. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 15:45:34 -05:00
parent 4af38a5d2e
commit 4f126a938b
1 changed files with 21 additions and 3 deletions
@@ -5,12 +5,30 @@

 echo "=== SSH enabled: starting sshd ==="

-# Generate host keys if missing (first boot or ephemeral /etc/ssh)
-ssh-keygen -A 2>/dev/null || true
+HOME_DIR="/home/user"
+HOST_KEY_STORE="$HOME_DIR/.ssh/host_keys"
+
+# Persist host keys on the home PVC so clients don't see a "host key
+# changed" warning after pod restarts.
+if [ -d "$HOST_KEY_STORE" ] && [ -n "$(ls "$HOST_KEY_STORE"/ssh_host_* 2>/dev/null)" ]; then
+    # Restore previously generated host keys
+    echo "Restoring SSH host keys from PVC..."
+    cp "$HOST_KEY_STORE"/ssh_host_* /etc/ssh/
+    chmod 600 /etc/ssh/ssh_host_*_key
+    chmod 644 /etc/ssh/ssh_host_*_key.pub
+else
+    # First boot: generate and save host keys to PVC
+    echo "Generating SSH host keys (first boot)..."
+    ssh-keygen -A 2>/dev/null || true
+    mkdir -p "$HOST_KEY_STORE"
+    cp /etc/ssh/ssh_host_* "$HOST_KEY_STORE/"
+    chmod 700 "$HOST_KEY_STORE"
+    chown -R 1000:1000 "$HOST_KEY_STORE"
+    echo "SSH host keys saved to PVC."
+fi

 # Populate authorized_keys from env var (injected via Kubernetes secret)
 if [ -n "$SSH_AUTHORIZED_KEYS" ]; then
-    HOME_DIR="/home/user"
    mkdir -p "$HOME_DIR/.ssh"
    chmod 700 "$HOME_DIR/.ssh"
    printf '%s\n' "$SSH_AUTHORIZED_KEYS" > "$HOME_DIR/.ssh/authorized_keys"