Bug 2091630 - controller sshd_conf causes scp to fail
Status: CLOSED DUPLICATE of bug 2085102
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: tripleo-ansible
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Assignee: OSP Team
QA Contact: Joe H. Rahme
Reported: 2022-05-30 14:27 UTC by Ella Shulman
Modified: 2022-05-31 10:05 UTC (History)
Last Closed: 2022-05-31 10:05:42 UTC
scp -vvvv output (11.62 KB, text/plain)
2022-05-30 14:27 UTC, Ella Shulman


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-15438 0 None None None 2022-05-30 14:38:14 UTC

Description Ella Shulman 2022-05-30 14:27:57 UTC
Created attachment 1885161
scp -vvvv output

Description of problem:
It seems like ansible configures sshd_conf in a way that doesn't allow using the scp command (copying from the controller to the undercloud, for example). When adding additional parameters and restarting sshd I was able to use scp.

Version-Release number of selected component (if applicable):
osp17

How reproducible:
not sure if anyone else experienced it

Steps to Reproduce:
1. use scp to copy a file from one of the overcloud nodes

Actual results:
error

Expected results:
files copied from overcloud host to undercloud

Additional info:
When using ansible fetch I was able to copy the files as well.
overcloud nodes sshd_config:
## Ansible managed

UseDns no

sshd_config that worked for me (taken from the undercloud):
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Subsystem sftp  /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UseDNS no
UsePAM yes
X11Forwarding yes

Comment 1 Brendan Shephard 2022-05-31 01:37:52 UTC
Hi Ella,

Are you overriding the SshServerOptions or something in your Heat templates?

I can't reproduce this with a default deployment, scp is working for me.

Comment 2 Ella Shulman 2022-05-31 06:27:06 UTC
Hi Brendan,

Yes, we override it as we did in older deployments, but we never had only this parameter appearing in the sshd_config (we are doing the same for osp 16.2, 16.1, 13 etc). I assume something changed in the way vars are being overridden. Is there a way to resume the old behavior? Should this change be documented?
IMHO it would be better to merge the vars provided by default and by the user to construct a working sshd_conf instead of having the user write all the parameters he would like to have in the file just to override one parameter.

Comment 6 Brendan Shephard 2022-05-31 10:03:45 UTC
Yeah, we need to use SshServerOptionsOverrides in OSP17:
https://github.com/openstack/tripleo-heat-templates/commit/bfd97da0bfa386642d47e8d317aad70c99594cd5

This has come up a few times in separate BZs. The issue is that once you override SshServerOptions, we have no way of comparing to the defaults. If we compare against the sshd_config file on the remote system, then we would never be able to remove things that have been added in previous runs. That wouldn't be ideal, so we have the Overrides option that will allow you to add and remove params from the file as required.

Comment 7 Brendan Shephard 2022-05-31 10:05:42 UTC

*** This bug has been marked as a duplicate of bug 2085102 ***
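
An added example (not from the bug report and not tripleo-ansible code) that models the replace-versus-merge behaviour discussed in comments 2 and 6 and reports which directives of a known-good sshd_config a rendered file has lost. The function names and the merge model are assumptions for illustration; the inputs are constructed from the two files quoted in the description, with the baseline shortened.

```python
# Added example: models replace vs. merge handling of sshd options and
# reports which baseline directives a rendered sshd_config has lost.

# Constructed inputs: the overcloud file from the report, and a subset of
# the undercloud file the reporter said worked.
OVERCLOUD = "## Ansible managed\n\nUseDns no\n"
BASELINE = """\
AcceptEnv LANG LC_CTYPE LC_NUMERIC
AuthorizedKeysFile .ssh/authorized_keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Subsystem sftp  /usr/libexec/openssh/sftp-server
UseDNS no
UsePAM yes
"""


def parse_sshd_config(text):
    """Return {keyword: [arguments, ...]}; keywords are case-insensitive."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # any whitespace separates keyword and args
        args = " ".join(parts[1].split()) if len(parts) > 1 else ""
        # Repeatable keywords (HostKey, AcceptEnv) accumulate in order.
        directives.setdefault(parts[0].lower(), []).append(args)
    return directives


def replace_options(defaults, user):
    """Model of the reported behaviour: user options replace the defaults."""
    return dict(user)


def merge_overrides(defaults, overrides):
    """Assumed model of an overrides merge: defaults kept, overrides win."""
    merged = dict(defaults)
    merged.update(overrides)
    return merged


def dropped_directives(baseline, candidate):
    """Keywords present in the baseline but absent from the candidate."""
    return sorted(set(baseline) - set(candidate))


if __name__ == "__main__":
    base, user = parse_sshd_config(BASELINE), parse_sshd_config(OVERCLOUD)
    print("replace drops:", dropped_directives(base, replace_options(base, user)))
    print("merge drops:  ", dropped_directives(base, merge_overrides(base, user)))
```

Running the same comparison against the rendered file on a node after a deployment shows at a glance whether an override removed HostKey, Subsystem or PAM settings that were expected to stay.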

