Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1611043

Summary: Undercloud should have RHEL default sshd_config
Product: Red Hat OpenStack
Reporter: Keigo Noha <knoha>
Component: instack-undercloud
Assignee: Cédric Jeanneret <cjeanner>
Status: CLOSED ERRATA
QA Contact: Gurenko Alex <agurenko>
Severity: medium
Docs Contact:
Priority: medium
Version: 13.0 (Queens)
CC: agurenko, cjeanner, emacchi, jjoyce, jschluet, mburns, slinaber, tvignaud
Target Milestone: z2
Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: instack-undercloud-8.4.3-4.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1615260
Environment:
Last Closed: 2018-08-29 16:39:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1615260

Description Keigo Noha 2018-08-02 01:54:19 UTC
Description of problem:
Undercloud should have RHEL default sshd_config

Current RHEL default sshd_config configuration is below.
~~~
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem	sftp	/usr/libexec/openssh/sftp-server
~~~

On the other hand, after undercloud installation, sshd_config is changed to 
~~~
# cat /etc/ssh/sshd_config 
# File is managed by Puppet
Port 22

AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
~~~

In particular, SyslogFacility will change the target of log output from /var/log/secure to /var/log/messages.
This kind of change will confuse support and users.

Version-Release number of selected component (if applicable):
Current puppet-tripleo

How reproducible:
Every time after undercloud is deployed and restarted.

Steps to Reproduce:
0. Confirm current sshd_config.
1. Install and restart Undercloud.
2. Confirm the change of sshd_config and that /var/log/messages has sshd logs.
3.

Actual results:
sshd logs are written to /var/log/messages.

Expected results:
sshd logs should be written to /var/log/secure as RHEL's default configuration does
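
An added example (not from the bug report or from the TripleO/Puppet code) of checking a managed sshd_config for the drift described above. The two configs are abridged from the files quoted in the description, and the routing of syslog facilities to files is an assumption based on stock RHEL 7 rsyslog rules.

```python
# Directives that may repeat and accumulate; for all others sshd keeps the first value.
MULTI = {"hostkey", "acceptenv", "subsystem", "port", "listenaddress"}
DEFAULT_FACILITY = "AUTH"   # OpenSSH default when SyslogFacility is not set
# Assumption: stock RHEL 7 rsyslog rules (authpriv.* -> secure, the rest -> messages).
ROUTES = {"AUTHPRIV": "/var/log/secure"}

# Abridged from the two files quoted in the report (unchanged lines omitted).
RHEL_DEFAULT = """\
SyslogFacility AUTHPRIV
AuthorizedKeysFile\t.ssh/authorized_keys
PasswordAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv XMODIFIERS
Subsystem\tsftp\t/usr/libexec/openssh/sftp-server
"""
UNDERCLOUD = """\
# File is managed by Puppet
Port 22
AcceptEnv LANG LC_*
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

def parse(text):
    """Map lowercase keyword -> list of whitespace-normalised values."""
    cfg = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        key, val = fields[0].lower(), " ".join(fields[1:])
        if key in MULTI or key not in cfg:
            cfg.setdefault(key, []).append(val)
    return cfg

def drift(baseline, managed):
    """Directives dropped, added or changed relative to the baseline."""
    b, m = parse(baseline), parse(managed)
    return {"dropped": sorted(b.keys() - m.keys()),
            "added": sorted(m.keys() - b.keys()),
            "changed": sorted(k for k in b.keys() & m.keys() if b[k] != m[k])}

def auth_log_target(text):
    """File that receives sshd auth messages under the assumed rsyslog rules."""
    facility = parse(text).get("syslogfacility", [DEFAULT_FACILITY])[0].upper()
    return ROUTES.get(facility, "/var/log/messages")
```

Calling `drift(RHEL_DEFAULT, UNDERCLOUD)` lists `syslogfacility` among the dropped directives, and `auth_log_target(UNDERCLOUD)` returns `/var/log/messages`, matching the behaviour reported here.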

Comment 1 Cédric Jeanneret 2018-08-06 14:53:57 UTC
Hello,

Apparently something has already been done on that field, and has even been backported to previous versions:

https://review.openstack.org/#/q/I1d09530d69e42c0c36311789166554a889e46556
https://review.openstack.org/#/q/Ie2e01d93082509b8ede37297067eab03bb1ab06e

Care to provide your package version, especially for that one:
openstack-tripleo-heat-templates

Thank you!

Cheers,

C.

Comment 2 Keigo Noha 2018-08-09 02:36:49 UTC
Hello Cédric,

My testing environment uses openstack-tripleo-heat-templates-8.0.2-43.el7ost.noarch.

In overcloud, the sshd_config doesn't have the same issue.
Undercloud has the issue in sshd_config.

Best Regards,
Keigo Noha

Comment 3 Cédric Jeanneret 2018-08-09 05:59:33 UTC
Hello Keigo,

Thank you for the precisions. Apparently also hitting openstack-tripleo-heat-templates-8.0.4-16.el7ost.noarch - I'll probably need to cherry-pick the commits I mentioned in my previous comment.

I'll keep you updated.

Cheers,

C.

Comment 4 Cédric Jeanneret 2018-08-09 08:19:30 UTC
Hello Keigo,

After some more struggles, the affected package was wrong - on rhosp-13, the undercloud does not use tripleo-heat-templates as I thought, but "instack-undercloud".

I've proposed an upstream patch:
https://review.openstack.org/#/c/590182/

Once it's merged, I'll cherry-pick it into the relevant branches, and push it downstream for rhosp-13.

It will hence take some time, as it must pass multiple validations.

Thank you for your patience.

Cheers,

C.

Comment 5 Cédric Jeanneret 2018-08-13 13:25:25 UTC
Hello,

A package has been issued in rhosp-13 for testing.

Lemme know if this one solves your current issue.

Cheers,

C.

Comment 12 Joanne O'Flynn 2018-08-15 07:39:37 UTC
This bug is marked for inclusion in the errata but does not currently contain draft documentation text. To ensure the timely release of this advisory please provide draft documentation text for this bug as soon as possible.

If you do not think this bug requires errata documentation, set the requires_doc_text flag to "-".


To add draft documentation text:

* Select the documentation type from the "Doc Type" drop down field.

* A template will be provided in the "Doc Text" field based on the "Doc Type" value selected. Enter draft text in the "Doc Text" field.

Comment 14 Gurenko Alex 2018-08-19 11:07:58 UTC
Verified on puddle 2018-08-16.1

~~~
[stack@undercloud-0 ssh]$ rpm -q instack-undercloud
instack-undercloud-8.4.3-4.el7ost.noarch
~~~

Comment 16 errata-xmlrpc 2018-08-29 16:39:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2574