Bug 1731755 - Root login does not work - PasswordAuthentication is not set to true
Summary: Root login does not work - PasswordAuthentication is not set to true
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: RHOS Maint
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On: 1741670 1741671 1741672
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-21 19:56 UTC by Cristian Muresanu
Modified: 2020-02-18 04:55 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1741670 (view as bug list)
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)

Description Cristian Muresanu 2019-07-21 19:56:09 UTC
Description of problem:

There is a specific ask for root access in DCN node for debugging purpose. This shall be disabled in production environment.

I have followed the RHOSP13 Advanced Overcloud Customization document, Sector 20.5 (Using Secure root access) and updated the following in network-environment.yaml file:

#This file is an example of an environment file for defining the isolated
#networks and related parameters.
resource_registry:
  # Network Interface templates to use (these files must exist). You can
  # override these by including one of the net-*.yaml environment files,
  # such as net-bond-with-vlans.yaml, or modifying the list here.
  # Port assignments for the Controller
  OS::TripleO::Controller::Net::SoftwareConfig:
    ../network/config/single-nic-vlans/controller.yaml
  # Port assignments for the KontronDCN
  OS::TripleO::KontronDCN::Net::SoftwareConfig:
    ../network/config/single-nic-vlans/kontrondcn.yaml
  OS::TripleO::NodeUserData:
    ../firstboot/userdata_root_password.yaml

parameter_defaults:
  NodeRootPassword: "ABCDEFG1234"
  # This section is where deployment-specific configuration is done
  # CIDR subnet mask length for provisioning network
  ControlPlaneSubnetCidr: '24'


With this, I could see that password is updated as per my configuration but the root ssh access does not work after the DCN node is fully deployed.

I have also noticed that as soon as DCN is accessible but not fully deployed, I could do ssh with root user.

I see that in the DCN, the sshd_config file the following:
PasswordAuthentication no

which is not correct.

As per my configuration it is:

(undercloud) [stack@rhosbng5-mgmt openstack-tripleo-heat-templates]$ cat firstboot/userdata_root_password.yaml 
heat_template_version: queens

description: >
  Uses cloud-init to enable root logins and set the root password.
  Note this is less secure than the default configuration and may not be
  appropriate for production environments, it's intended for illustration
  and development/debugging only.

parameters:
  NodeRootPassword:
    description: Root password for the nodes
    hidden: true
    type: string

resources:
  userdata:
    type: OS::Heat::MultipartMime
    properties:
      parts:
      - config: {get_resource: root_config}

  root_config:
    type: OS::Heat::CloudConfig
    properties:
      cloud_config:
        ssh_pwauth: true
        disable_root: false
        chpasswd:
          list:
            str_replace:
              template: "root:PASSWORD"
              params:
                PASSWORD: {get_param: NodeRootPassword}
          expire: False

outputs:
  OS::stack_id:
    value: {get_resource: userdata}

Version-Release number of selected component (if applicable):
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#enabling_root_user_access

How reproducible:
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/13/html-single/advanced_overcloud_customization/index#enabling_root_user_access

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
Why PasswordAuthentication is not set to true although I have updated the same in userdata_root_password.yaml


Additional info:

Comment 1 Cristian Muresanu 2019-07-21 19:58:31 UTC
heat-cfntools-1.3.0-2.el7ost.noarch                         Thu Jul  4 10:23:16 2019
openstack-heat-api-10.0.3-3.el7ost.noarch                   Thu Jul  4 10:41:14 2019
openstack-heat-api-cfn-10.0.3-3.el7ost.noarch               Thu Jul  4 10:41:22 2019
openstack-heat-common-10.0.3-3.el7ost.noarch                Thu Jul  4 10:41:03 2019
openstack-heat-engine-10.0.3-3.el7ost.noarch                Thu Jul  4 10:41:34 2019
openstack-tripleo-heat-templates-8.3.1-18.el7ost.noarch     Thu Jul  4 10:23:28 2019
puppet-heat-12.4.1-0.20190214021237.a7ed720.el7ost.noarch   Thu Jul  4 10:23:14 2019
python2-heatclient-1.14.1-1.el7ost.noarch                   Thu Jul  4 10:23:20 2019
python-heat-agent-1.5.4-1.el7ost.noarch                     Thu Jul  4 10:23:21 2019

Comment 2 Ollie Walsh 2019-08-07 12:23:33 UTC
Would need to change SshServerOptions to enable password auth (https://github.com/openstack/tripleo-heat-templates/blob/stable/queens/puppet/services/sshd.yaml#L41)

e.g:

    parameter_defaults:
      SshServerOptions:
        HostKey:
          - '/etc/ssh/ssh_host_rsa_key'
          - '/etc/ssh/ssh_host_ecdsa_key'
          - '/etc/ssh/ssh_host_ed25519_key'
        SyslogFacility: 'AUTHPRIV'
        AuthorizedKeysFile: '.ssh/authorized_keys'
        PasswordAuthentication: 'yes'
        ChallengeResponseAuthentication: 'no'
        GSSAPIAuthentication: 'yes'
        GSSAPICleanupCredentials: 'no'
        UsePAM: 'yes'
        UseDNS: 'no'
        X11Forwarding: 'yes'
        UsePrivilegeSeparation: 'sandbox'
        AcceptEnv:
          - 'LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES'
          - 'LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT'
          - 'LC_IDENTIFICATION LC_ALL LANGUAGE'
          - 'XMODIFIERS'
        Subsystem: 'sftp  /usr/libexec/openssh/sftp-server'

Comment 3 Ollie Walsh 2019-08-07 12:38:18 UTC
If the client side is stack@undercloud you also will need to disable pub key auth when connecting:

    (undercloud) [stack@undercloud-0 ~]$ ssh root@192.168.24.8
    Warning: Permanently added '192.168.24.8' (ECDSA) to the list of known hosts.
    Please login as the user "heat-admin" rather than the user "root".
    
    Connection to 192.168.24.8 closed.
    (undercloud) [stack@undercloud-0 ~]$ ssh -o PubkeyAuthentication=no root@192.168.24.8
    Warning: Permanently added '192.168.24.8' (ECDSA) to the list of known hosts.
    root@192.168.24.8's password: 
    Last login: Wed Aug  7 12:35:11 2019 from 192.168.24.1
    [root@overcloud-computelocal-0 ~]#


Note You need to log in before you can comment on or make changes to this bug.