.The `sshd` RHEL System Role can be managed through `/etc/ssh/sshd_config`
The `sshd` RHEL System Role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (`/etc/ssh/sshd_config.d/00-ansible_system_role.conf` by default). Previously, any changes to the `/etc/ssh/sshd_config` file overwrote the default values in `00-ansible_system_role.conf`. With this update, you can manage SSHD by using `/etc/ssh/sshd_config` instead of `00-ansible_system_role.conf` while preserving the system default values in `00-ansible_system_role.conf`.
Description of problem:
The sshd RHEL System Role, when run on a RHEL 9 managed node, by default places the configuration in /etc/ssh/sshd_config.d/00-ansible_system_role.conf. Customers should be able to optionally manage the /etc/ssh/sshd_config file on RHEL 9 instead of using 00-ansible_system_role.conf.
Version-Release number of selected component (if applicable):
RHEL 9 beta
How reproducible:
Every time
Steps to Reproduce:
1. Run playbook similar to this on RHEL 9 beta:
- hosts: localhost
  become: true
  roles:
    - role: redhat.rhel_system_roles.sshd
      vars:
        sshd_config_file: /etc/ssh/sshd_config
        sshd_skip_defaults: false
        sshd:
          PermitRootLogin: no
Actual results:
Generated /etc/ssh/sshd_config file:
# cat /etc/ssh/sshd_config
#
# Ansible managed
#
PermitRootLogin no
Expected results:
I would expect the role to populate the sshd_config file with the RHEL 9 default sshd_config settings, plus the PermitRootLogin setting that I specified.
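The check below is an added example, not part of the original report or of the role's code: it parses a baseline sshd_config and the file the role generated, then lists which baseline keywords the generated file dropped. The baseline text and the function names are constructed for illustration; the generated text is the "Actual results" output above.

```python
import re

# Constructed stand-in for a baseline captured from a reference host
# (not the actual RHEL 9 default file).
BASELINE = """\
# constructed baseline
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile .ssh/authorized_keys
PermitRootLogin prohibit-password
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# The generated file shown under "Actual results" in the report.
GENERATED = """\
#
# Ansible managed
#
PermitRootLogin no
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single "=".
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # everything after Match is conditional, not global
        # Keep the first value seen; repeatable keywords (e.g. HostKey)
        # are reduced to their first value, which is enough for this diff.
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings

def compare(baseline, generated):
    """Classify keywords as dropped, changed or added versus the baseline."""
    base, gen = parse_sshd_config(baseline), parse_sshd_config(generated)
    return {
        "dropped": sorted(k for k in base if k not in gen),
        "changed": {k: (base[k], gen[k]) for k in base
                    if k in gen and base[k] != gen[k]},
        "added": sorted(k for k in gen if k not in base),
    }

if __name__ == "__main__":
    print(compare(BASELINE, GENERATED))
```

A non-empty "dropped" list after a role run is the symptom described in this report: the file holds only the settings passed in `sshd`, without the defaults.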
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2022:8117