Description of problem:
Installing Packstack changes the sshd config file. In doing so, it removes settings that allow sshd to respond to GSSAPI (Kerberos) authentication, breaking single sign on.

Version-Release number of selected component (if applicable):
openstack-packstack-2015.1

How reproducible:
Always

Steps to Reproduce:
1. Install and register machine as IPA client
2. Install packstack and run
3. Attempt to ssh to machine using TGT

Actual results:
Prompted for Password

Expected results:
Connection succeeds with no password prompt.

Additional info:
Following values are removed from /etc/ssh/sshd_config

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no

In addition, changes are made that remove the following values that should be left in place:

    UsePrivilegeSeparation sandbox
    AuthorizedKeysFile .ssh/authorized_keys
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
While this doesn't address the contents that the current method is adding/removing, it might be worth considering the use of augeasproviders' ssh puppet module. This allows a bit more precise modification of the specific necessary values without necessarily stomping on local configurations that can be just as necessary. https://github.com/hercules-team/augeasproviders_ssh This can also make it easy for the user to add their own local changes for things not currently parametrized via packstack and its modules.
The puppet-swift module requires this ssh Puppet module, but it can be fixed from the Packstack side by not including ssh::server::install in the manifest. Proposed https://review.openstack.org/176351 as a fix.
It looks like some fixes in puppet-swift are required, too. Opened https://bugs.launchpad.net/puppet-swift/+bug/1447259 to get some feedback from the community.
https://review.openstack.org/176432 proposed from the puppet-swift side.
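A way to check a host for the regression described in this report, as an added example that is not part of the original thread or of Packstack: it lists which of the directives named in the description are no longer in effect in an sshd_config. The function names and the sample config are constructed for illustration; it assumes the whitespace-separated "keyword value" form and only inspects the global section before the first Match block.

```shell
#!/bin/sh
# Directives the bug description says must survive a Packstack run.
# Further AcceptEnv variables from the report can be added one per line.
EXPECTED='GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePrivilegeSeparation sandbox
AuthorizedKeysFile .ssh/authorized_keys
AcceptEnv LANG
AcceptEnv XMODIFIERS'

# missing_directives FILE: print each expected directive not in effect in FILE.
missing_directives() {
    md_file=$1
    printf '%s\n' "$EXPECTED" | while read -r md_key md_val; do
        awk -v k="$md_key" -v v="$md_val" '
            BEGIN { k = tolower(k) }            # sshd keywords are case-insensitive
            /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
            tolower($1) == "match" { exit }     # conditional blocks are not global
            tolower($1) != k { next }
            k == "acceptenv" {                  # cumulative across lines
                for (i = 2; i <= NF; i++) if ($i == v) ok = 1
                next
            }
            !seen {                             # first obtained value is used
                seen = 1
                $1 = ""; sub(/^[ \t]+/, "")
                if ($0 == v) ok = 1
            }
            END { exit (ok ? 0 : 1) }' "$md_file" ||
            printf '%s %s\n' "$md_key" "$md_val"
    done
}

# Constructed sample config (not real Packstack output) for trying the check.
sample_config() {
    cat <<'EOF'
Port 22
#GSSAPIAuthentication yes
GSSAPIAuthentication no
AcceptEnv LANG LC_ALL XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
Match User backup
    GSSAPIAuthentication yes
EOF
}

# Run directly against a real file: sh check.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then missing_directives "$1"; fi
```

Running it before and after the Packstack manifests are applied shows exactly which settings were dropped; empty output means all listed directives are still active.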