Description Cédric Jeanneret
2018-08-13 07:59:18 UTC
+++ This bug was initially created as a clone of Bug #1611043 +++
Description of problem:
Undercloud should have RHEL default sshd_config
Current RHEL default sshd_config configuration is below.
~~~
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
~~~
On the other hand, after undercloud installation, sshd_config is changed to
~~~
# cat /etc/ssh/sshd_config
# File is managed by Puppet
Port 22
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
~~~
Especially, SyslogFacility will change the target of log output from /var/log/secure to /var/log/messages.
This kind of change will make support and users confused.
Version-Release number of selected component (if applicable):
Current puppet-tripleo
How reproducible:
Every time after undercloud is deployed and restarted.
Steps to Reproduce:
0. Confirm current sshd_config.
1. Install and restart Undercloud.
2. Confirm the change of sshd_config and that /var/log/messages has sshd logs.
3.
Actual results:
sshd logs are written to /var/log/messages.
Expected results:
sshd logs should be written to /var/log/secure as RHEL's default configuration does.
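The comparison made by eye in the description above can be done mechanically; the following is an added example, not part of the original report and not code from puppet-tripleo or instack-undercloud. It parses the two listings and reports which directives the managed file drops, adds or changes; a dropped directive such as SyslogFacility falls back to sshd's built-in default. The names `parse` and `drift` are hypothetical.

```python
# Listings copied from the report above; HostKey lines (identical in both) left out.
RHEL_DEFAULT = """\
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
"""
PUPPET_MANAGED = """\
# File is managed by Puppet
Port 22
AcceptEnv LANG LC_*
ChallengeResponseAuthentication no
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
UsePAM yes
X11Forwarding yes
"""

def parse(text):
    """Map each lowercased keyword (sshd keywords are case-insensitive) to its set of values."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            words = line.split()  # handles tabs and repeated spaces
            key, args = words[0].lower(), words[1:]
            # AcceptEnv lists several names per line, so compare name by name.
            values = args if key == "acceptenv" else [" ".join(args)]
            conf.setdefault(key, set()).update(values)
    return conf

def drift(baseline, managed):
    """Report directives dropped from, added to, or changed against the baseline."""
    b, m = parse(baseline), parse(managed)
    return {"dropped": sorted(b.keys() - m.keys()),
            "added": sorted(m.keys() - b.keys()),
            "changed": sorted(k for k in b.keys() & m.keys() if b[k] != m[k])}

if __name__ == "__main__":
    for kind, keys in drift(RHEL_DEFAULT, PUPPET_MANAGED).items():
        print(f"{kind}: {', '.join(keys)}")
```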
--- Additional comment from Cédric Jeanneret on 2018-08-06 10:53:57 EDT ---
Hello,
Apparently something has already been done on that field, and has even been backported to previous versions:
https://review.openstack.org/#/q/I1d09530d69e42c0c36311789166554a889e46556
https://review.openstack.org/#/q/Ie2e01d93082509b8ede37297067eab03bb1ab06e
Care to provide your package version, especially for that one:
openstack-tripleo-heat-templates
Thank you!
Cheers,
C.
--- Additional comment from Keigo Noha on 2018-08-08 22:36:49 EDT ---
Hello Cédric,
My testing environment uses openstack-tripleo-heat-templates-8.0.2-43.el7ost.noarch.
In overcloud, the sshd_config doesn't have the same issue.
Undercloud has the issue in sshd_config.
Best Regards,
Keigo Noha
--- Additional comment from Cédric Jeanneret on 2018-08-09 01:59:33 EDT ---
Hello Keigo,
Thank you for the precisions. Apparently also hitting openstack-tripleo-heat-templates-8.0.4-16.el7ost.noarch - I'll probably need to cherry-pick the commits I mentioned in my previous comment.
I'll keep you updated.
Cheers,
C.
--- Additional comment from Cédric Jeanneret on 2018-08-09 04:19:30 EDT ---
Hello Keigo,
After some more struggles, the affected package was wrong - on rhosp-13, the undercloud does not use tripleo-heat-templates as I thought, but "instack-undercloud".
I've proposed an upstream patch:
https://review.openstack.org/#/c/590182/
Once it's merged, I'll cherry-pick it into the relevant branches, and push it downstream for rhosp-13.
It will hence take some time, as it must pass multiple validations.
Thank you for your patience.
Cheers,
C.