Bug 1528072

Summary: Don't overwrite sshd_config
Product: Red Hat OpenStack
Component: puppet-tripleo
Version: 8.0 (Liberty)
Status: CLOSED NOTABUG
Severity: high
Priority: high
Reporter: Shinobu KINJO <skinjo>
Assignee: RHOS Maint <rhos-maint>
QA Contact: nlevinki <nlevinki>
CC: aschultz, emacchi, jjoyce, jschluet, skinjo, slinaber, tvignaud
Keywords: Reopened, Triaged, ZStream
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2018-06-18 18:52:16 UTC

Comment 1 Emilien Macchi 2017-12-21 17:13:13 UTC
It's not a problem, it's a feature. We backported a CVE to secure Libvirt and enable SSH auth between compute nodes, for live migration.
If the ssh options don't work for you, you can override them with the SshServerOptions parameter.

Example: https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/puppet/services/sshd.yaml#L41-L61

Please re-open the bug if needed.

Comment 3 Emilien Macchi 2017-12-30 23:40:56 UTC
I don't think it has to do with the version of openssh. The issue is that:

- before, you managed the sshd_config yourself for your own needs
- now, the file is managed by Puppet, but there is an interface that you can use to configure your own needs.

So please, tell us what parameters you need and we'll help you to feed a value to this parameter:
https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/puppet/services/sshd.yaml#L41-L61

Comment 4 Emilien Macchi 2018-01-08 21:03:49 UTC
Please see my comment #3

Comment 9 Emilien Macchi 2018-01-24 01:16:18 UTC
Like I said, the ssh_config can be overridden via SshServerOptions. Please tell us what you can't do with SshServerOptions; otherwise I'll close the bug.

Comment 10 Alex Schultz 2018-06-18 18:52:16 UTC
Closing this out as it is currently configurable using the hieradata_overrides file to specify tripleo::profile::base::sshd::options, using a structure like the one mentioned in https://github.com/openstack/tripleo-heat-templates/blob/107b610923ba5d39f90c3a6a63bf2d3642e1b35d/puppet/services/sshd.yaml#L41-L61