Bug 1105114

Summary: openssh: keycat from openssh-server in RHEL-6 is distributed as a subpackage openssh-keycat
Product: Red Hat Enterprise Linux 6
Reporter: Patrik Kis <pkis>
Component: preupgrade-assistant-contents
Assignee: Petr Stodulka <pstodulk>
Status: CLOSED ERRATA
QA Contact: Tereza Cerna <tcerna>
Severity: high
Docs Contact:
Priority: high
Version: 6.7
CC: amahdal, fkluknav, jkurik, ovasik, phracek, pkis, plautrba, pstodulk, ttomecek
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: Preupgrade assistant detects openssh-keycat and gives warning about new openssh-keycat package.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-02-24 08:39:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Patrik Kis 2014-06-05 12:28:39 UTC
Description of problem:
Part of the content of openssh-server package moved to openssh-keycat in RHEL-7.0. I can see two possible solutions for this:
1/ openssh-keycat should be installed by upgrade tool automatically if openssh-server is installed on RHEL-6.O
 + we can be sure that nothing will be missing after the upgrade
 - if customer did not use keycat in RHEL-6 there will be an extra package installed 
2/ warn customer about the risk
 + no extra package installed if not used
 - customer may overlook the warning

I'm personally inclined to the first solution.

Version-Release number of selected component (if applicable):
preupgrade-assistant-contents-users-0.5.9-1.el6.noarch
preupgrade-assistant-1.0.2-24.el6.x86_64

How reproducible:
always

Steps to Reproduce:

RHEL-6:
# rpm -q openssh-server
openssh-server-5.3p1-94.el6.x86_64
# rpm -ql openssh-server |grep keycat
/etc/pam.d/ssh-keycat
/usr/libexec/openssh/ssh-keycat
/usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat


RHEL-7.0:
[root@rhel7 ~ ]# rpm -q openssh-keycat
openssh-keycat-6.4p1-8.el7.x86_64
[root@rhel7 ~ ]# rpm -ql openssh-keycat
/etc/pam.d/ssh-keycat
/usr/libexec/openssh/ssh-keycat
/usr/share/doc/openssh-keycat-6.4p1
/usr/share/doc/openssh-keycat-6.4p1/HOWTO.ssh-keycat
[root@rhel7 ~ ]#

Comment 1 Ondrej Vasik 2014-06-05 12:45:19 UTC
Adding Petr to cc... Petr, what do you think? Should we create a module for it? If so, I tend toward option 2, with medium risk, informing the user about the package split - so he can install it after the upgrade, if keycat was in use on his system.

Comment 2 Petr Lautrbach 2014-06-05 12:58:56 UTC
If users followed HOWTO.ssh-keycat, they would also be affected by the change of AuthorizedKeysCommandRunAs from rhel-6 to AuthorizedKeysCommandUser in rhel-7, which is already covered by the content. So I personally would use option 2 - warn users about the change and let them install openssh-keycat package after upgrade, or maybe there can be a check if there's 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat' in the original sshd_config, install openssh-keycat during postupgrade phase.

Comment 3 Patrik Kis 2014-06-05 13:46:30 UTC
(In reply to Petr Lautrbach from comment #2)

> or maybe there can be a
> check if there's 'AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat' in
> the original sshd_config, install openssh-keycat during postupgrade phase.

IMHO this is a good idea. Why not automate if we can?
And if there is no AuthorizedKeysCommand in sshd_config, we could warn. Although, I don't know where else ssh-keycat can be used.

Comment 8 Petr Stodulka 2014-10-27 11:52:36 UTC
For application of this content you need to install openssh-server.
When you have set "AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat" inside /etc/ssh/sshd_config, openssh-keycat should be installed automatically on the rhel-7 system by the postupgrade script and the content should be marked as "FIXED" with slight risk and a message. Otherwise a warning message will be printed with medium risk and openssh-keycat shouldn't be installed on the RHEL-7 system.
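
The check described in comment 8, sketched as an added example; it is not part of the original thread and is not the actual preupgrade-assistant content. The function names, the install/warn output strings and the lenient parsing (case-insensitive keyword, optional "=", quoted value) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the preupgrade-assistant content itself).
KEYCAT=/usr/libexec/openssh/ssh-keycat   # path quoted in the bug report

# Print the value of each active AuthorizedKeysCommand line in file $1.
# Keywords are matched case-insensitively; leading whitespace, an optional
# "=" separator and double quotes around the value are tolerated.
authorized_keys_commands() {
    awk '
        { sub(/^[ \t]+/, "") }          # drop indentation
        /^#/ || /^$/ { next }           # skip comments and blank lines
        {
            line = $0
            key = line
            sub(/[ \t=].*$/, "", key)   # keyword ends at whitespace or "="
            if (tolower(key) != "authorizedkeyscommand") next
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            gsub(/"/, "", val)
            print val
        }' "$1"
}

# Print "install" when ssh-keycat is the configured command, else "warn".
# An unreadable config also yields "warn" (assumption of this example).
keycat_decision() {
    [ -r "$1" ] || { echo warn; return 0; }
    if authorized_keys_commands "$1" |
        awk -v k="$KEYCAT" '$1 == k { hit = 1 } END { exit !hit }'
    then echo install
    else echo warn
    fi
}

# Constructed sample: RunAs line and a commented-out directive must not match.
demo=$(mktemp)
cat > "$demo" <<'EOF'
#AuthorizedKeysCommand /usr/libexec/openssh/ssh-keycat
AuthorizedKeysCommandRunAs root
  authorizedkeyscommand "/usr/libexec/openssh/ssh-keycat"
EOF
echo "sample sshd_config -> $(keycat_decision "$demo")"
rm -f "$demo"
```

A plain substring grep would also match the commented-out line and the AuthorizedKeysCommandRunAs directive, which is why the keyword is compared exactly.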

Comment 16 errata-xmlrpc 2015-02-24 08:39:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0262.html