From 4f126a938be4134285f47df588a861d842df2ed6 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Fri, 20 Feb 2026 15:45:34 -0500
Subject: [PATCH] fix: persist SSH host keys on home PVC to avoid known_hosts warnings

On first boot, generated host keys are saved to ~/.ssh/host_keys/ on the persistent home PVC. On subsequent boots they are restored, so SSH clients never see a "host key changed" warning after a pod restart.

Co-Authored-By: Claude Sonnet 4.6
---
 scripts/cont-init-sshd.sh | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/scripts/cont-init-sshd.sh b/scripts/cont-init-sshd.sh
index efe69f2..62d77d0 100644
--- a/scripts/cont-init-sshd.sh
+++ b/scripts/cont-init-sshd.sh
@@ -5,12 +5,30 @@ echo "=== SSH enabled: starting sshd ==="
-# Generate host keys if missing (first boot or ephemeral /etc/ssh)
-ssh-keygen -A 2>/dev/null || true
+HOME_DIR="/home/user"
+HOST_KEY_STORE="$HOME_DIR/.ssh/host_keys"
+
+# Persist host keys on the home PVC so clients don't see a "host key
+# changed" warning after pod restarts.
+if [ -d "$HOST_KEY_STORE" ] && [ -n "$(ls "$HOST_KEY_STORE"/ssh_host_* 2>/dev/null)" ]; then
+  # Restore previously generated host keys
+  echo "Restoring SSH host keys from PVC..."
+  cp "$HOST_KEY_STORE"/ssh_host_* /etc/ssh/
+  chmod 600 /etc/ssh/ssh_host_*_key
+  chmod 644 /etc/ssh/ssh_host_*_key.pub
+else
+  # First boot: generate and save host keys to PVC
+  echo "Generating SSH host keys (first boot)..."
+  ssh-keygen -A 2>/dev/null || true
+  mkdir -p "$HOST_KEY_STORE"
+  cp /etc/ssh/ssh_host_* "$HOST_KEY_STORE/"
+  chmod 700 "$HOST_KEY_STORE"
+  chown -R 1000:1000 "$HOST_KEY_STORE"
+  echo "SSH host keys saved to PVC."
+fi
 # Populate authorized_keys from env var (injected via Kubernetes secret)
 if [ -n "$SSH_AUTHORIZED_KEYS" ]; then
-  HOME_DIR="/home/user"
   mkdir -p "$HOME_DIR/.ssh"
   chmod 700 "$HOME_DIR/.ssh"
   printf '%s\n' "$SSH_AUTHORIZED_KEYS" > "$HOME_DIR/.ssh/authorized_keys"
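Review bot: `chown -R 1000:1000 "$HOST_KEY_STORE"` in the first-boot branch hands the sshd host private keys to the unprivileged account, and the restore branch later copies whatever is in that directory into /etc/ssh with no check, so anyone who can act as uid 1000 (including a compromised process inside the pod) can read the host identity or plant a replacement that survives restarts. Drop the chown and create the store root-owned, `mkdir -p -m 700 "$HOST_KEY_STORE"`, and move it out of the user-owned ~/.ssh tree, since a user who owns the parent directory can still rename or swap a root-owned subdirectory; a root-only volume or a Kubernetes Secret is the usual home for host keys. Whatever the location, have the restore branch run `ssh-keygen -l -f` on each key before copying so an unparsable or truncated file fails the restore loudly instead of leaving sshd with a broken key set. The `[ -n "$(ls ...)" ]` test could also be a plain glob loop, which avoids parsing ls output.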