Bug 1902646
| Summary: | ssh connection fails due to overly permissive openssh.config file permissions | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Asaf Rachmani <arachman> |
| Component: | imgbased | Assignee: | Asaf Rachmani <arachman> |
| Status: | CLOSED ERRATA | QA Contact: | Wei Wang <weiwang> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.4.3 | CC: | arachman, cshao, dfediuck, lsvaty, mavital, nlevy, peyu, sbonazzo, shlei, weiwang, yaniwang |
| Target Milestone: | ovirt-4.4.4 | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | imgbased-1.2.14-0.1.el8ev | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-03 16:13:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Integration | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1894852 | | |
| Attachments: | | | |

Description
Asaf Rachmani
2020-11-30 09:42:00 UTC
Test with RHVH-4.4-20201210.0-RHVH-x86_64-dvd1.iso
The package is imgbased-1.2.13-0.1.el8ev.noarch, so QE will verify this issue after dev adds the fixed version to the RHVH build.

imgbased-1.2.14-0.1.el8ev package is now in RHVH-4.4-20201217.0-RHVH-x86_64-dvd1.iso

(In reply to Asaf Rachmani from comment #4)
> imgbased-1.2.14-0.1.el8ev package is now in
> RHVH-4.4-20201217.0-RHVH-x86_64-dvd1.iso

Test with RHVH-4.4-20201217.0-RHVH-x86_64-dvd1.iso, hosted engine setup with STIG security profile, QE detected the issue below:

[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Notify the user about a failure]
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "Host is not up, please check logs, perhaps also on the engine machine"}
....
[ INFO ] TASK [ovirt.ovirt.hosted_engine_setup : Notify the user about a failure]
[ ERROR ] fatal: [localhost]: FAILED! => {"changed": false, "msg": "The system may not be provisioned according to the playbook results: please check the logs for the issue, fix accordingly or re-deploy from scratch.\n"}

----------- engine.log -----------
2020-12-18 11:52:07,873+08 ERROR [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-1) [bf22a318-16bc-43c8-81bc-52584955a06b] Failed to authenticate session with host 'hp-dl388g9-04.lab.eng.pek2.redhat.com': SSH authentication to 'root.eng.pek2.redhat.com' failed. Please verify provided credentials. Make sure key is authorized at host
2020-12-18 11:52:07,874+08 WARN [org.ovirt.engine.core.bll.hostdeploy.AddVdsCommand] (default task-1) [bf22a318-16bc-43c8-81bc-52584955a06b] Validation of action 'AddVds' failed for user admin@internal-authz. Reasons: VAR__ACTION__ADD,VAR__TYPE__HOST,$server hp-dl388g9-04.lab.eng.pek2.redhat.com,VDS_CANNOT_AUTHENTICATE_TO_SERVER
2020-12-18 11:52:07,914+08 ERROR [org.ovirt.engine.api.restapi.resource.AbstractBackendResource] (default task-1) [] Operation Failed: [Cannot add Host. SSH authentication failed, verify authentication parameters are correct (Username/Password, public-key etc.) You may refer to the engine.log file for further details.]

move it to "ASSIGNED"

Created attachment 1740132 [details]
issue log files

I suspect it might be a different issue.
Can you please check openssh.config file permission? and if ssh to the localVM works?
If so, please open a new bug.

(In reply to Asaf Rachmani from comment #7)
> I suspect it might be a different issue.
> Can you please check openssh.config file permission? and if ssh to the
> localVM works?

[root@hp-dl388g9-04 ~]# ll /etc/crypto-policies/back-ends/openssh.config
-rw-r--r--. 1 root root 480 Dec 22 09:55 /etc/crypto-policies/back-ends/openssh.config
[root@hp-dl388g9-04 ~]# virsh -r net-dhcp-leases default | grep -i 52:54:00:5d:21:64 | awk '{ print $5 }' | cut -f1 -d'/'
192.168.222.176
[xxxx@xxx ~]$ ssh root.222.176 --- ssh fail

> If so, please open a new bug.

After waiting for more minutes, the localvm can be ssh successfully. So open a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1909956 to trace the issue in comment 5.

This bug is fixed, QE will move it to "VERIFIED" after dev moves it to "ON_QA"

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat Virtualization Host security bug fix and enhancement update [ovirt-4.4.4]), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0401
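
The permission check requested in the thread can be scripted instead of read off `ll` output. The following is an added example, not part of the bug report or of imgbased: it applies the test the OpenSSH client runs on included configuration files (owner is root or the invoking user, no group or other write bit), under which the 0644 root-owned file shown above passes. It assumes GNU `stat`, and `check_ssh_conf_perms` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the bug report or from imgbased).
# Assumption: GNU coreutils stat, as shipped on RHEL/RHVH.

# check_ssh_conf_perms FILE   (hypothetical helper name)
# Exit status: 0 = acceptable, 1 = ssh would refuse it, 2 = cannot stat.
check_ssh_conf_perms() {
    file=$1
    # %u = owner uid, %a = octal mode; -L follows symlinks to the real file.
    owner_mode=$(stat -L -c '%u %a' -- "$file" 2>/dev/null) || return 2
    uid=${owner_mode% *}
    mode=${owner_mode#* }

    # Owner must be root or the user running ssh.
    if [ "$uid" -ne 0 ] && [ "$uid" -ne "$(id -u)" ]; then
        echo "BAD  owner uid=$uid mode=$mode  $file"
        return 1
    fi
    # Any group- or other-write bit (mask 022) is refused.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "BAD  mode=$mode (group/other writable)  $file"
        return 1
    fi
    echo "OK   uid=$uid mode=$mode  $file"
}

# Check every path given on the command line, for example:
#   sh check.sh /etc/crypto-policies/back-ends/openssh.config
# $failed ends up as 1 if any file was rejected or unreadable.
failed=0
for f in "$@"; do
    check_ssh_conf_perms "$f" || failed=1
done
```

Run it as the same user that will invoke `ssh`, since the ownership test depends on the caller's uid.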