Bug 2017663 - SSH password authentication is disabled when public key is not supplied
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Console Kubevirt Plugin
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Release: 4.10.0
Assignee: Matan Schatzman
QA Contact: Guohua Ouyang
Duplicates: 2039664
 
Reported: 2021-10-27 07:11 UTC by Orel Misan
Modified: 2022-03-10 16:22 UTC (History)

Last Closed: 2022-03-10 16:22:12 UTC

Attachments
- Screenshot of ssh part from "Create Virtual Machine from template" screen (12.65 KB, image/png), 2021-11-11 09:12 UTC, Orel Misan
- YAML file of VM with exposed ssh access (6.23 KB, application/octet-stream), 2021-11-11 09:15 UTC, Orel Misan


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 10478 | 0 | None | open | Bug 2017663: Missing SSH text change | 2021-11-16 13:22:59 UTC
Red Hat Product Errata | RHSA-2022:0056 | 0 | None | None | None | 2022-03-10 16:22:25 UTC

Description Orel Misan 2021-10-27 07:11:50 UTC
Description of problem:
When creating a new VM out of RHEL 8 template with ssh service enabled, but without providing a public key - password authentication is disabled and a user cannot connect to the VM via ssh (unless a workaround is performed via console).

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a new VM from RHEL 8 template using the wizard
2. Checkbox "Expose SSH access to this machine" should be checked (don't provide a public key).
3. A note is displayed "Missing authorized key - An authorized key is not detected. SSH access is enabled with the password."
4. Connect via ssh to the VM - ssh password authentication is disabled.

Actual results:
Inside the VM:
/etc/ssh/sshd_config
PasswordAuthentication no

Expected results:
Inside the VM:
/etc/ssh/sshd_config
PasswordAuthentication yes

Additional info:

Comment 1 Guohua Ouyang 2021-11-10 10:20:00 UTC
I think "Expose SSH access to this machine" is just exposing the k8s ssh service for the VM, not to change the sshd configuration inside the VM.
The issue seems to be a configuration issue of the VM image which is beyond the UI scope.

@Kobi, what do you think?

Comment 2 Yaacov Zamir 2021-11-10 17:45:41 UTC
Orel hi, thank you for the issue:
Can you attach the yaml files of:
- the template you use
- the VM that got created when ssh is not exposed
- the VM that got created when ssh is exposed

As Guohua mentioned, the UI only "exposes", e.g. creates a service to an ssh server that should already be running on the guest.
But since the UI also overrides the user/password settings in the guest, we need to look at the created YAMLs to see if these fields are changed in a wrong way.

Comment 3 Orel Misan 2021-11-11 09:12:00 UTC
Created attachment 1841164
Screenshot of ssh part from "Create Virtual Machine from template" screen

The message displayed to the user says "An authorized key is not detected. SSH access is enabled with the password."

But password authentication is disabled on sshd config

Comment 4 Orel Misan 2021-11-11 09:15:08 UTC
Created attachment 1841165
YAML file of VM with exposed ssh access

Hi Yaacov, thanks for your response.
The template being used is "Red Hat Enterprise Linux 8.0 or higher".
The yaml file of the VM with exposed ssh access is attached.

Comment 5 Yaacov Zamir 2021-11-11 10:03:39 UTC
Orel hi,

Can you try creating the VM using the "oc" CLI tool? It looks like a back-end issue.

Note I:

I want to make sure it's a back-end issue before moving it to SSP component.

Note II:

The YAML created looks ok,
It has a user name and password created:

- disk:
    bus: virtio
  name: cloudinitdisk
...
- cloudInitNoCloud:
    userData: |-
      #cloud-config
      user: cloud-user
      password: rrfv-3j64-eah5
      chpasswd: { expire: False }
  name: cloudinitdisk

It doesn't look like the UI is creating a wrong VM.

Comment 6 Yaacov Zamir 2021-11-15 09:17:16 UTC
Moving to SSP, looks like it's by design (security reasons) and not UI specific

---
Notes:

a - I created a VM using CLI and using UI and both had:
    PasswordAuthentication no

b - in both cases I was able to connect via ssh using username+password without needing to edit the config (!?)

ssh cloud-user.test.metalkube.org -p 31021
The authenticity of host '[api.ostest.test.metalkube.org]:31021 ([10.46.26.12]:31021)' can't be established.
ED25519 key fingerprint is SHA256:FKDZxYoAi3S4hQ4n/uWWznJQ+bgRp9qT1nouSikjIik.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[api.ostest.test.metalkube.org]:31021' (ED25519) to the list of known hosts.
cloud-user.test.metalkube.org's password: 
Last login: Mon Nov 15 09:01:51 2021
[cloud-user@rhel8-circular-silkworm ~]$ sudo cat /etc/ssh/sshd_config | grep PasswordAuthenticatio
#PasswordAuthentication yes
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
PasswordAuthentication no

Comment 7 Dominik Holler 2021-11-15 17:10:47 UTC
Yaacov, can you please share more details how you created the VM, especially which disk image you used?

(In reply to Yaacov Zamir from comment #6)

> 
> b - in both cases I was able to connect via ssh using username+password
> without needing to edit the config (!?)
>

Comment 8 Yaacov Zamir 2021-11-16 12:15:25 UTC
> Yaacov, can you please share more details how you created the VM, especially which disk image you used?

I used:
quay.io/kubevirt/fedora-cloud-container-disk-demo
with the VM yaml Orel provided in the bug report.

Orel, can you add more details about the VM that you created?

Comment 9 Dominik Holler 2021-11-16 12:22:02 UTC
Thanks Yaacov. Fedora differs from RHEL in this regard.
The "PasswordAuthentication no" is the default behavior of RHEL.
I just wonder if we should modify the RHEL inside the VM, which might be unexpected, or change the user's expectation, e.g. by changing the note in the UI to something like "Missing authorized key - An authorized key is not detected. A password is configured for the user. Please ensure that is configured to accept password authentication."

Comment 10 Yaacov Zamir 2021-11-16 12:35:33 UTC
Thanks, moving back to UI.

So a fix can be to update the error msg:

From:
"Missing authorized key - An authorized key is not detected. SSH access is enabled with the password."
To:
"Missing authorized key - An authorized key is not detected. Please ensure that the virtual machine is configured to accept password authentication."
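
An added example (not part of the bug report or the console's code): a Python check for the mismatch discussed in this thread, where the cloud-init userData carries only a password while the guest's sshd_config disables PasswordAuthentication. The sample inputs are constructed and the function names are hypothetical; it reads one file without following Include directives, so `sshd -T` on the guest remains the authoritative view, and `ssh_pwauth` is cloud-init's own key for requesting password authentication.

```python
import re

# Constructed samples shaped like comment 5's userData (placeholder password) and comment 6's grep output.
SAMPLE_USER_DATA = """#cloud-config
user: cloud-user
password: example-password
chpasswd: { expire: False }
"""
SAMPLE_SSHD_CONFIG = """#PasswordAuthentication yes
PasswordAuthentication no
"""

def effective_global(sshd_config, keyword, default):
    """Value sshd uses outside Match blocks: first uncommented occurrence wins."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if parts[0].lower() == "match":   # global section ends here
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().strip('"').lower()
    return default

def top_level_keys(user_data):
    """Line scan for top-level cloud-config keys (assumption: no YAML library)."""
    found = {}
    for line in user_data.splitlines():
        m = re.match(r"([A-Za-z_]+):\s*(.*)$", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def audit(user_data, sshd_config):
    """Flag a VM whose only SSH credential is a password the file disables."""
    keys = top_level_keys(user_data)
    password_only = bool(keys.get("password")) and "ssh_authorized_keys" not in keys
    pwauth = effective_global(sshd_config, "PasswordAuthentication", "yes")
    return {
        "password_only": password_only,
        "requests_ssh_pwauth": keys.get("ssh_pwauth", "").lower() in ("true", "yes"),
        "guest_password_auth": pwauth,
        "mismatch": password_only and pwauth == "no",
    }

if __name__ == "__main__":
    print(audit(SAMPLE_USER_DATA, SAMPLE_SSHD_CONFIG))
```
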

Comment 13 Guohua Ouyang 2021-11-25 04:40:58 UTC
verified on master

Comment 14 Yaacov Zamir 2022-01-23 13:49:27 UTC
*** Bug 2039664 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2022-03-10 16:22:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

