Bug 1611043 - Undercloud should have RHEL default sshd_config
Summary: Undercloud should have RHEL default sshd_config
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: instack-undercloud
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: z2
Target Release: 13.0 (Queens)
Assignee: Cédric Jeanneret
QA Contact: Gurenko Alex
URL:
Whiteboard:
Depends On:
Blocks: 1615260
Reported: 2018-08-02 01:54 UTC by Keigo Noha
Modified: 2021-12-10 16:56 UTC (History)

Fixed In Version: instack-undercloud-8.4.3-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1615260 (view as bug list)
Environment:
Last Closed: 2018-08-29 16:39:25 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-11509 0 None None None 2021-12-10 16:56:28 UTC
Red Hat Product Errata RHBA-2018:2574 0 None None None 2018-08-29 16:40:05 UTC

Description Keigo Noha 2018-08-02 01:54:19 UTC
Description of problem:
Undercloud should have RHEL default sshd_config

Current RHEL default sshd_config configuration is below.
~~~
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem	sftp	/usr/libexec/openssh/sftp-server
~~~

On the other hand, after undercloud installation, sshd_config is changed to:
~~~
# cat /etc/ssh/sshd_config
# File is managed by Puppet
Port 22

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
~~~

Especially SyslogFacility will change the target of log output from /var/log/secure to /var/log/messages.
This kind of change will confuse support and users.

Version-Release number of selected component (if applicable):
Current puppet-tripleo

How reproducible:
Every time after undercloud is deployed and restarted.

Steps to Reproduce:
0. Confirm current sshd_config.
1. Install and restart Undercloud.
2. Confirm the change of sshd_config and that /var/log/messages has sshd logs.

Actual results:
sshd logs are written to /var/log/messages.

Expected results:
sshd logs should be written to /var/log/secure, as RHEL's default configuration does.
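The two listings above differ in more than SyslogFacility, and a dropped directive only matters when sshd's built-in default differs from the value RHEL set explicitly. The script below is an added example (not part of the bug report or of instack-undercloud) that parses both files, reports the directives whose effective value actually changed, says where sshd's log lines end up under RHEL's stock rsyslog routing (authpriv to /var/log/secure, auth to /var/log/messages), and lists which client environment names the new `AcceptEnv LANG LC_*` glob no longer accepts. The two config texts are constructed from the listings in the description; the default table is taken from sshd_config(5) for the directives present here.

```python
"""Added example: compare a distribution-default sshd_config with a
config-management-generated one and report effective behaviour changes."""
import re
from fnmatch import fnmatch

# Both texts are constructed from the listings in the bug description.
RHEL_DEFAULT = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile\t.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem\tsftp\t/usr/libexec/openssh/sftp-server
"""

PUPPET_MANAGED = """\
# File is managed by Puppet
Port 22

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
"""

# Values sshd uses when the directive is absent, per sshd_config(5).
SSHD_DEFAULTS = {
    "syslogfacility": "AUTH",
    "passwordauthentication": "yes",
    "gssapiauthentication": "no",
    "gssapicleanupcredentials": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
    "printmotd": "yes",
    "port": "22",
}

# Where RHEL's stock rsyslog.conf sends each facility.
FACILITY_TO_FILE = {"AUTHPRIV": "/var/log/secure", "AUTH": "/var/log/messages"}


def parse_sshd_config(text):
    """Return {keyword: [value, ...]}; keywords are lower-cased because sshd
    matches them case-insensitively. Repeated directives (HostKey, AcceptEnv)
    keep every occurrence. Match blocks are not modelled (none appear here)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", line)
        if not m:
            raise ValueError("unparseable sshd_config line: %r" % raw)
        key, value = m.group(1).lower(), " ".join(m.group(2).split())
        conf.setdefault(key, []).append(value)
    return conf


def effective(conf, key):
    """Effective value of a single-valued directive: sshd takes the first
    occurrence, and an absent directive falls back to the upstream default."""
    return conf[key][0] if key in conf else SSHD_DEFAULTS.get(key)


def changed_directives(base_text, managed_text):
    """Directives whose effective value differs. A dropped directive whose
    default equals the old explicit value (PasswordAuthentication yes) is
    not a change and is not reported."""
    base, managed = parse_sshd_config(base_text), parse_sshd_config(managed_text)
    keys = (set(base) | set(managed)) - {"acceptenv", "hostkey"}
    return {k: (effective(base, k), effective(managed, k))
            for k in sorted(keys) if effective(base, k) != effective(managed, k)}


def syslog_target(conf_text):
    """File that sshd's log lines land in under RHEL's default rsyslog rules."""
    facility = (effective(parse_sshd_config(conf_text), "syslogfacility") or "AUTH").upper()
    return FACILITY_TO_FILE.get(facility, "unknown (custom rsyslog rule needed)")


def dropped_accept_env(base_text, managed_text):
    """Client environment names the old AcceptEnv lines accepted that the new
    patterns (globs such as LC_* allowed) no longer match."""
    old = " ".join(parse_sshd_config(base_text).get("acceptenv", [])).split()
    new = " ".join(parse_sshd_config(managed_text).get("acceptenv", [])).split()
    return [name for name in old if not any(fnmatch(name, pat) for pat in new)]


if __name__ == "__main__":
    for key, (before, after) in changed_directives(RHEL_DEFAULT, PUPPET_MANAGED).items():
        print("%-28s %s -> %s" % (key, before, after))
    print("sshd logs go to:", syslog_target(PUPPET_MANAGED))
    print("AcceptEnv names dropped:", dropped_accept_env(RHEL_DEFAULT, PUPPET_MANAGED))
```

Run against the two listings it reports SyslogFacility (AUTHPRIV to AUTH, so /var/log/messages), GSSAPIAuthentication (yes to no), GSSAPICleanupCredentials (no to yes), AuthorizedKeysFile (the default adds authorized_keys2) and PrintMotd, while PasswordAuthentication is correctly not flagged because sshd's default already matches the RHEL value. Pointing it at the live files (`open('/etc/ssh/sshd_config').read()`) gives the same comparison for a deployed undercloud.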

Comment 1 Cédric Jeanneret 2018-08-06 14:53:57 UTC
Hello,

Apparently something has already been done on that field, and has even been backported to previous versions:

https://review.openstack.org/#/q/I1d09530d69e42c0c36311789166554a889e46556
https://review.openstack.org/#/q/Ie2e01d93082509b8ede37297067eab03bb1ab06e

Care to provide your package version, especially for that one:
openstack-tripleo-heat-templates

Thank you!

Cheers,

C.

Comment 2 Keigo Noha 2018-08-09 02:36:49 UTC
Hello Cédric,

My testing environment uses openstack-tripleo-heat-templates-8.0.2-43.el7ost.noarch.

In the overcloud, the sshd_config doesn't have the same issue.
Undercloud has the issue in sshd_config.

Best Regards,
Keigo Noha

Comment 3 Cédric Jeanneret 2018-08-09 05:59:33 UTC
Hello Keigo,

Thank you for the precisions. Apparently also hitting openstack-tripleo-heat-templates-8.0.4-16.el7ost.noarch - I'll probably need to cherry-pick the commits I mentioned in my previous comment.

I keep you updated.

Cheers,

C.

Comment 4 Cédric Jeanneret 2018-08-09 08:19:30 UTC
Hello Keigo,

After some more struggles, the affected package was wrong - on rhosp-13, the undercloud does not use tripleo-heat-templates as I thought, but "instack-undercloud".

I've proposed an upstream patch:
https://review.openstack.org/#/c/590182/

Once it's merged, I'll cherry-pick it into the relevant branches, and push it downstream for rhosp-13.

It will hence take some time, as it must pass multiple validations.

Thank you for your patience.

Cheers,

C.

Comment 5 Cédric Jeanneret 2018-08-13 13:25:25 UTC
Hello,

A package has been issued in rhosp-13 for testing.

Lemme know if this one solves your current issue.

Cheers,

C.

Comment 12 Joanne O'Flynn 2018-08-15 07:39:37 UTC
This bug is marked for inclusion in the errata but does not currently contain draft documentation text. To ensure the timely release of this advisory please provide draft documentation text for this bug as soon as possible.

If you do not think this bug requires errata documentation, set the requires_doc_text flag to "-".


To add draft documentation text:

* Select the documentation type from the "Doc Type" drop down field.

* A template will be provided in the "Doc Text" field based on the "Doc Type" value selected. Enter draft text in the "Doc Text" field.

Comment 14 Gurenko Alex 2018-08-19 11:07:58 UTC
Verified on puddle 2018-08-16.1

[stack@undercloud-0 ssh]$ rpm -q instack-undercloud
instack-undercloud-8.4.3-4.el7ost.noarch

Comment 16 errata-xmlrpc 2018-08-29 16:39:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2574

