Bug 1383256

Summary: [RFE] Allow remote execution for non-root users
Product: Red Hat Satellite Reporter: Barbora Vassova <bvassova>
Component: Remote ExecutionAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.0CC: bbuckingham, bvassova, inecas
Target Milestone: UnspecifiedKeywords: FutureFeature, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-11 15:35:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Barbora Vassova 2016-10-10 09:56:37 UTC
Business Case: 
Customer (due to security reasons) wants to have the PermitRootLogin parameter in /etc/ssh/sshd_config on a host machine set to false - however this disables remote execution, since even if effective user is a non-root user, Satellite connects to the root user on the client machine. Customer would like to have an option to remotely execute commands as a non-root user, completely avoiding using root. 

Technical Requirements:
PermitRootLogin parameter in /etc/ssh/sshd_config on a client machine could be set to false

Additional information: 
n/a

Comment 1 Brad Buckingham 2016-10-13 18:40:30 UTC
Bug 1376772 raises a similar concern.

Comment 4 references the following documentation:
https://access.redhat.com/documentation/en/red-hat-satellite/6.2/paged/host-configuration-guide/113-configuring-global-settings

Would that support the customer's need?

Comment 2 Barbora Vassova 2016-10-14 07:17:51 UTC
Afaik, no - the effective user option is only like a "mask" - it still connects to root. If you disable root login on host machine (which is what they want to do), remote execution will not work at all.

Comment 3 Ivan Necas 2016-10-17 16:23:04 UTC
There are two options there: remote_execution_ssh_user and remote_execution_effective_user. The `remote_execution_ssh_user` should allow to use non-root user for the remote execution. Can you confirm we are talking about this option?

Comment 4 Barbora Vassova 2016-11-11 15:35:40 UTC
The "remote_execution_ssh_user" option worked, thank you!