Description of problem:
Undercloud should have RHEL default sshd_config

Current RHEL default sshd_config configuration is below.
~~~
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
~~~
On the other hand, after undercloud installation, sshd_config is changed to
~~~
# cat /etc/ssh/sshd_config
# File is managed by Puppet
Port 22
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
~~~
In particular, the SyslogFacility change moves the log output from /var/log/secure to /var/log/messages. This kind of change will confuse support and users.

Version-Release number of selected component (if applicable):
Current puppet-tripleo

How reproducible:
Every time after undercloud is deployed and restarted.

Steps to Reproduce:
0. Confirm current sshd_config.
1. Install and restart Undercloud.
2. Confirm the change of sshd_config and that /var/log/messages has sshd logs.
3.

Actual results:
sshd logs are written to /var/log/messages.

Expected results:
sshd logs should be written to /var/log/secure as RHEL's default configuration does
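An added example, not part of the original report and not code from puppet-tripleo or instack-undercloud: a directive-level comparison of the two configurations quoted in the description above, showing which keywords the Puppet-managed file drops and where sshd's authentication logs land as a result. The log-file mapping assumes the stock RHEL rsyslog rules, and the function names are illustrative.

```python
# Both configs are copied from the bug description above (shell prompt line omitted).
RHEL_DEFAULT = """\
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
PUPPET_MANAGED = """\
# File is managed by Puppet
Port 22
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
"""

def parse(text):  # lower-cased keyword -> set of argument tokens; repeated lines merge
    conf = {}
    for parts in map(str.split, text.splitlines()):
        if parts and not parts[0].startswith("#"):
            conf.setdefault(parts[0].lower(), set()).update(parts[1:])
    return conf

def drift(baseline, current):  # -> (dropped, added, changed) keyword lists
    b, c = parse(baseline), parse(current)
    return (sorted(b.keys() - c.keys()), sorted(c.keys() - b.keys()),
            sorted(k for k in b.keys() & c.keys() if b[k] != c[k]))

def auth_log_target(text):
    # Assumption: stock RHEL rsyslog rules (authpriv.* -> secure); unset means AUTH in sshd.
    fac = parse(text).get("syslogfacility", {"AUTH"})
    return "/var/log/secure" if {v.upper() for v in fac} == {"AUTHPRIV"} else "/var/log/messages"
```

Calling `drift(RHEL_DEFAULT, PUPPET_MANAGED)` lists the dropped keywords, each of which now falls back to sshd's compiled-in default rather than the value RHEL ships.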
Hello, Apparently something has already been done on that field, and has even been backported to previous versions: https://review.openstack.org/#/q/I1d09530d69e42c0c36311789166554a889e46556 https://review.openstack.org/#/q/Ie2e01d93082509b8ede37297067eab03bb1ab06e Care to provide your package version, especially for that one: openstack-tripleo-heat-templates Thank you! Cheers, C.
Hello Cédric, My testing environment uses openstack-tripleo-heat-templates-8.0.2-43.el7ost.noarch. In overcloud, the sshd_config doesn't have the same issue. Undercloud has the issue in sshd_config. Best Regards, Keigo Noha
Hello Keigo, Thank you for the precisions. Apparently also hitting openstack-tripleo-heat-templates-8.0.4-16.el7ost.noarch - I'll probably need to cherry-pick the commits I mentioned in my previous comment. I'll keep you updated. Cheers, C.
Hello Keigo, After some more struggles, the affected package was wrong - on rhosp-13, the undercloud does not use tripleo-heat-templates as I thought, but "instack-undercloud". I've proposed an upstream patch: https://review.openstack.org/#/c/590182/ Once it's merged, I'll cherry-pick it into the relevant branches, and push it downstream for rhosp-13. It will hence take some time, as it must pass multiple validations. Thank you for your patience. Cheers, C.
Hello, A package has been issued in rhosp-13 for testing. Lemme know if this one solves your current issue. Cheers, C.
This bug is marked for inclusion in the errata but does not currently contain draft documentation text. To ensure the timely release of this advisory please provide draft documentation text for this bug as soon as possible. If you do not think this bug requires errata documentation, set the requires_doc_text flag to "-". To add draft documentation text: * Select the documentation type from the "Doc Type" drop down field. * A template will be provided in the "Doc Text" field based on the "Doc Type" value selected. Enter draft text in the "Doc Text" field.
Verified on puddle 2018-08-16.1
~~~
[stack@undercloud-0 ssh]$ rpm -q instack-undercloud
instack-undercloud-8.4.3-4.el7ost.noarch
~~~
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2574