Bug 2086935

Summary: sshd system role should be able to optionally manage /etc/ssh/sshd_config on RHEL 9
Product: Red Hat Enterprise Linux 8
Reporter: Rich Megginson <rmeggins>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: David Jež <djez>
Severity: unspecified
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 8.7
CC: briasmit, djez, jharuda, jjelen, nhosoi, rmeggins, spetrosi
Target Milestone: rc
Keywords: Triaged
Target Release: 8.7
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:sshd
Fixed In Version: rhel-system-roles-1.18.0-1.el8
Doc Type: Enhancement
Doc Text:
.The `sshd` RHEL System Role can be managed through `/etc/ssh/sshd_config`

The `sshd` RHEL System Role applied to a RHEL 9 managed node places the SSHD configuration in a drop-in directory (`/etc/ssh/sshd_config.d/00-ansible_system_role.conf` by default). Previously, any changes to the `/etc/ssh/sshd_config` file overwrote the default values in `00-ansible_system_role.conf`. With this update, you can manage SSHD by using `/etc/ssh/sshd_config` instead of `00-ansible_system_role.conf` while preserving the system default values in `00-ansible_system_role.conf`.
Clone Of: 2052086
Last Closed: 2022-11-08 09:41:25 UTC
Type: Bug
Bug Depends On: 2052086

Description Rich Megginson 2022-05-16 20:10:01 UTC
+++ This bug was initially created as a clone of Bug #2052086 +++

Description of problem:
The sshd RHEL System Role, when run on a RHEL 9 managed node, by default places the configuration in /etc/ssh/sshd_config.d/00-ansible_system_role.conf.  Customers should be able to optionally manage the /etc/ssh/sshd_config file on RHEL 9 instead of using 00-ansible_system_role.conf


Version-Release number of selected component (if applicable):
RHEL 9 beta

How reproducible:
Every time

Steps to Reproduce:
1. Run playbook similar to this on RHEL 9 beta:
- hosts: localhost
  become: true

  roles:
    - role: redhat.rhel_system_roles.sshd
      vars:
        sshd_config_file: /etc/ssh/sshd_config
        sshd_skip_defaults: false
        sshd:
          PermitRootLogin: no

Actual results:
Generated /etc/ssh/sshd_config file:

# cat /etc/ssh/sshd_config
#
# Ansible managed
#
PermitRootLogin no

Expected results:
I would expect the role to populate the sshd_config file with the RHEL 9 default sshd_config settings, plus the PermitRootLogin setting that I specified.

--- Additional comment from Jakub Jelen on 2022-05-02 18:43:23 UTC ---

This should be fixed with the following upstream PR: https://github.com/willshersystems/ansible-sshd/pull/178 (as part of the other related change from #2052081)

Feedback/testing/comments welcomed.
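
A post-run check for the failure shown under "Actual results", as an added example that is not part of the bug report or of the role's code: it compares the rendered file with a pristine copy of the distribution defaults and with the requested overrides. The function names and the baseline text are assumptions made for illustration.

```python
def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        if keyword == "match":
            break  # everything from the first Match line on is conditional
        # Keep the first occurrence only; enough for a presence check.
        settings.setdefault(keyword, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_rendered(rendered, baseline, requested):
    """Return (missing_defaults, wrong_overrides) for a rendered sshd_config.

    missing_defaults: baseline keywords absent from the rendered file.
    wrong_overrides:  requested keywords whose rendered value differs (None = absent).
    """
    got = parse_sshd_config(rendered)
    base = parse_sshd_config(baseline)
    want = {k.lower(): v for k, v in requested.items()}
    missing = sorted(k for k in base if k not in got and k not in want)
    wrong = {k: got.get(k) for k, v in want.items() if got.get(k) != v}
    return missing, wrong


# Constructed stand-in for a pristine distribution sshd_config (not the real RHEL 9 file).
BASELINE = """\
Include /etc/ssh/sshd_config.d/*.conf
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
# The file shown under "Actual results" in the report.
ACTUAL = "#\n# Ansible managed\n#\nPermitRootLogin no\n"
# Constructed: the defaults plus the requested setting, as "Expected results" asks.
EXPECTED = "#\n# Ansible managed\n#\n" + BASELINE + "PermitRootLogin no\n"
REQUESTED = {"PermitRootLogin": "no"}

if __name__ == "__main__":
    for name, text in (("actual", ACTUAL), ("expected", EXPECTED)):
        missing, wrong = check_rendered(text, BASELINE, REQUESTED)
        print(f"{name}: missing defaults={missing} wrong overrides={wrong}")
```

On a managed node the baseline would come from a saved copy of the package's original file rather than from the constructed string used here.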

Comment 4 Jakub Jelen 2022-05-17 07:24:07 UTC
This use case is covered with the upstream test tests/tests_alternative_file.yml

Comment 12 errata-xmlrpc 2022-11-08 09:41:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:7568