Bug 1910412
| Summary: | [RFE] Extend the ssh_args inside /etc/foreman-proxy/ansible.cfg file to have ansible required default values in Satellite 6 | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Sayan Das <saydas> |
| Component: | Ansible - Configuration Management | Assignee: | Ondřej Ezr <oezr> |
| Status: | CLOSED ERRATA | QA Contact: | Danny Synk <dsynk> |
| Severity: | high | Priority: | unspecified |
| Version: | 6.8.0 | CC: | avnkumar, kupadhya, matthew.lesieur, oezr |
| Target Milestone: | 6.10.0 | Keywords: | FutureFeature |
| Target Release: | Unused | Hardware: | All |
| OS: | All | Fixed In Version: | foreman-2.3.2 |
| Last Closed: | 2021-11-16 14:09:38 UTC | Type: | Bug |

Description
Sayan Das
2020-12-23 19:10:44 UTC

Created redmine issue https://projects.theforeman.org/issues/31552 from this bug

Hmm, after checking, this is the default for the fresh Satellite install. But upgrade would not update to this value automatically. I've opened a ticket for that.

Hello Ondrez,

You are right.

* For new Satellite 6.8 installation the default value is the expected value.
* For Satellite 6.7 or older that is not applicable. They will still have the old value only.
* For Satellites being upgraded from 6.7 to 6.8, they will also still have the old value.

-- Sayan

Upstream bug assigned to oezr

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31553 has been resolved.

Steps to Test:

1. Starting with a Satellite 6.7 instance, upgrade to Satellite 6.8 and 6.9 via the Red Hat CDN.
2. Register the Satellite 6.9 to internal Satellite compose server.
3. Configure repositories for upgrade to Satellite 6.10.
4. Prepare Satellite for Pulp 2 to Pulp 3 migration:
   # satellite-maintain prep-6.10-upgrade
   # satellite-maintain content prepare
5. Upgrade the Satellite to 6.10, snap 7.

Expected Results:

In /etc/foreman-proxy/ansible.cfg, the `ssh_args` setting has the value `-o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s`.

Actual Results:

In /etc/foreman-proxy/ansible.cfg, the `ssh_args` setting has the value `-o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s`:

   # grep ssh_args /etc/foreman-proxy/ansible.cfg
   ssh_args = -o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s

Verified on Satellite 6.10, snap 7 (foreman-installer-2.5.1-1.el7sat.noarch).

I discovered the missing "-o ControlMaster=auto -o ControlPersist=60s" ssh_args settings from /etc/foreman-proxy/ansible.cfg while troubleshooting a problem with our Palo Alto Networks (PAN) Firewall.

When SSH connection sharing is off, the PAN firewall was profiling the SSH connections from the Satellite server as a brute-force SSH attack. PAN's description of the triggered threat is:

   Threat ID: 40015
   Application: SSH
   Name: User Authentication Brute-force Attempt
   Description: If a session has the same source and destination but triggers our child signature, 31914, 20 times in 60 seconds, we call it is a brute force attack. The child signature, 31914 is alert on every connection on ssh server.

I was able to work around the problem with the ssh_args setting from comment #8. I am running Satellite 6.9.3.

Regards
Matthew LeSieur

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702
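
Added example, not part of the bug report or of Satellite's own code: a shell check for the upgrade gap discussed in the comments above, reporting which of the connection-sharing options from the expected `ssh_args` value are missing from an ansible.cfg. The function names and the two sample files are constructed for illustration, and the check assumes a single uncommented `ssh_args` line.

```shell
#!/bin/sh
# Added example (not Satellite code): check ansible.cfg for the SSH
# connection-sharing options this bug expects after an upgrade.
# Simplification: not section-aware; uses the first uncommented ssh_args line.

REQUIRED_OPTS="ControlMaster=auto ControlPersist=60s"

# Print the value of the first uncommented ssh_args line (empty if none).
get_ssh_args() {
    sed -n 's/^[[:space:]]*ssh_args[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print the required options missing from ssh_args, space-separated.
# Returns 0 when none are missing, 1 otherwise.
missing_ssh_opts() {
    cfg=${1:-/etc/foreman-proxy/ansible.cfg}
    args=$(get_ssh_args "$cfg")
    missing=""
    for opt in $REQUIRED_OPTS; do
        case " $args " in
            *" -o $opt "*|*" -o$opt "*) ;;   # accepts "-o K=V" and "-oK=V"
            *) missing="${missing:+$missing }$opt" ;;
        esac
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample files: one without connection sharing, one with the
# value the bug report lists under Expected Results.
demo_dir=$(mktemp -d)
printf '[ssh_connection]\nssh_args = -o ProxyCommand=none\n' > "$demo_dir/upgraded.cfg"
printf '[ssh_connection]\nssh_args = -o ProxyCommand=none -C -o ControlMaster=auto -o ControlPersist=60s\n' > "$demo_dir/fresh.cfg"

for f in upgraded fresh; do
    if m=$(missing_ssh_opts "$demo_dir/$f.cfg"); then
        echo "$f.cfg: connection sharing configured"
    else
        echo "$f.cfg: missing: $m"
    fi
done
```

Called with no argument, `missing_ssh_opts` reads /etc/foreman-proxy/ansible.cfg, the path from this report.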