Container Undercloud - Password authentication via SSH disabled

Bug #1772519 reported by Harald Jensås
This bug affects 1 person
Affects: tripleo
Status: Fix Released
Importance: High
Assigned to: Emilien Macchi

Bug Description

Container Undercloud installer sets 'PasswordAuthentication no' in /etc/ssh/sshd_config.

This makes the undercloud inaccessible via SSH unless the operator had already copied an SSH key to the server.

-------------------------------------------
$ sudo cat /etc/ssh/sshd_config
# File is managed by Puppet
Port 22

AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PasswordAuthentication no <--- PasswordAuthentication disabled.
PrintMotd no
Subsystem sftp /usr/libexec/openssh/sftp-server
SyslogFacility AUTHPRIV
UseDNS no
UsePAM yes
UsePrivilegeSeparation sandbox
X11Forwarding yes
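
A pre-flight check for the lockout described in this report, as an added example that is not part of the original bug report or of the TripleO code: it reads an sshd_config, works out the global PasswordAuthentication value, and flags the case where it is 'no' while the operator's authorized_keys file holds no key. The function names and sample files are constructed for illustration; Include directives and Match blocks are not evaluated, and other methods such as GSSAPI are not considered.

```shell
#!/bin/sh
# Added example: lockout pre-check for an sshd_config like the one above.
# Assumptions: Include directives are not followed, Match blocks are ignored
# (parsing stops at the first Match line), function names are hypothetical.

# Print the global PasswordAuthentication value. sshd keeps the first value
# it reads for a keyword, keywords are case-insensitive, and the OpenSSH
# default when the keyword is absent is "yes".
effective_password_auth() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "passwordauthentication" { print $2; found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Count key lines (non-blank, non-comment) in an authorized_keys file.
count_authorized_keys() {
    [ -r "$1" ] || { echo 0; return; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true   # grep exits 1 on a count of 0
}

# $1 = sshd_config, $2 = operator's authorized_keys.
# Returns 1 when password logins are off and no key is installed.
check_lockout() {
    pa=$(effective_password_auth "$1")
    keys=$(count_authorized_keys "$2")
    if [ "$pa" = "no" ] && [ "$keys" -eq 0 ]; then
        echo "LOCKOUT RISK: PasswordAuthentication no and no keys in $2"
        return 1
    fi
    echo "ok: PasswordAuthentication=$pa, authorized keys=$keys"
}

# Constructed sample: a few lines from the config in the report, plus an
# empty authorized_keys file for an operator who never copied a key.
tmp=$(mktemp -d)
printf '%s\n' '# File is managed by Puppet' 'Port 22' \
    'PasswordAuthentication no' 'UsePAM yes' > "$tmp/sshd_config"
: > "$tmp/authorized_keys"
check_lockout "$tmp/sshd_config" "$tmp/authorized_keys" || true
rm -rf "$tmp"
```

On a live host, `sudo sshd -T` prints the settings sshd itself computes and is the authoritative source for the effective value.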

Changed in tripleo:
assignee: nobody → Emilien Macchi (emilienm)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)

Fix proposed to branch: master
Review: https://review.openstack.org/571829

Changed in tripleo:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to puppet-tripleo (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/571918

OpenStack Infra (hudson-openstack) wrote : Related fix merged to puppet-tripleo (master)

Reviewed: https://review.openstack.org/571918
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=17c1c2ee6d373af9332644cbedd71c3ab1853a68
Submitter: Zuul
Branch: master

commit 17c1c2ee6d373af9332644cbedd71c3ab1853a68
Author: Emilien Macchi <email address hidden>
Date: Fri Jun 1 20:36:55 2018 -0700

    ssh: allow to configure PasswordAuthentication

    Allow to override the default PasswordAuthentication parameter (default
    is 'no').

    Change-Id: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9
    Related-Bug: #1772519

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.openstack.org/571829
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=70901ab69a013bf99f97be0268a8ee2ac1fd4250
Submitter: Zuul
Branch: master

commit 70901ab69a013bf99f97be0268a8ee2ac1fd4250
Author: Emilien Macchi <email address hidden>
Date: Fri Jun 1 14:22:55 2018 -0700

    ssh: enable PasswordAuthentication for containerized undercloud

    We don't expect our operators to have SSH keys setup on the undercloud
    node, so we don't want to block the PasswordAuthentication in
    sshd_config.

    Depends-On: I88b24c82fb3cf2309f45d5d447a9b0c403da7fc9
    Change-Id: I10b112e8bffff30879606ddd970dfd3ec67fd9c7
    Closes-Bug: #1772519

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 9.0.0.0b3

This issue was fixed in the openstack/tripleo-heat-templates 9.0.0.0b3 development milestone.
