(foreman role) disable ssh ProxyCommand for foreman-proxy user

When the ssh client is configured to for sssd/ipa host key tracking using `/usr/bin/sss_ssh_knownhostsproxy` as a `ProxyCommand`, this somehow breaks foreman-proxy REX. Without a valid shell set in `/etc/passwd` or via the `SHELL` env var, the ssh client errors claiming there is a key exchange failure but never gets as far as opening a network socket. With a valid `SHELL`, ssh sessions are able to be established but it appears that no stdout/stderr is piped back to the foreman-proxy daemon. The only identified work around is remove the `ProxyCommand` completely for the `foreman-proxy` user. There is some discussion of this problem on theforeman/puppet-foreman_proxy#742
lsst-it · Jul 19, 2022 · 349b8c4 · 349b8c4
1 parent c9721f1
commit 349b8c4
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 2 deletions.
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
@@ -36,6 +36,17 @@ lookup_options:
   sssd::domains:
     merge:
       strategy: "deep"
+  ssh::client_options:
+    merge:
+      strategy: "deep"
+      knockout_prefix: "--"
+  ssh::client_match_block:
+    merge:
+      strategy: "deep"
+  ssh::server_options:
+    merge:
+      strategy: "deep"
+      knockout_prefix: "--"
   ssh::server::match_block:
     merge:
       strategy: "deep"

diff --git a/hieradata/role/foreman.yaml b/hieradata/role/foreman.yaml
@@ -200,6 +200,14 @@ profile::core::yum::versionlock:
 
 redis::globals::scl: "rh-redis5"
 
+ssh::client_options:
+  "ProxyCommand": "--"
+ssh::client_match_block:
+  "foreman,foreman-proxy":
+    type: "!localuser"
+    options:
+      ProxyCommand: "/usr/bin/sss_ssh_knownhostsproxy -p %p %h"
+
 profile::core::puppet_master::foreman_config:
   destroy_vm_on_host_delete: {value: false}
   entries_per_page: {value: 100}

diff --git a/spec/hosts/roles/dtn_spec.rb b/spec/hosts/roles/dtn_spec.rb
@@ -18,8 +18,8 @@
         it { is_expected.to contain_class('profile::core::dtn') }
 
         it do
-          is_expected.to contain_class('ssh').with(
-            server_options: { 'Port' => [22, 2712] },
+          expect(catalogue.resource('class', 'ssh')[:server_options]).to include(
+            'Port' => [22, 2712],
           )
         end
       end

diff --git a/spec/hosts/roles/foreman_spec.rb b/spec/hosts/roles/foreman_spec.rb
@@ -68,6 +68,23 @@
             server_version: PUPPETSERVER_VERSION,
           )
         end
+
+        it 'has global ProxyCommand knocked out with --' do
+          expect(catalogue.resource('class', 'ssh')[:client_options]).to include(
+            'ProxyCommand' => '',
+          )
+        end
+
+        it 'has foreman & foreman-proxy user exempt from ProxyCommand' do
+          expect(catalogue.resource('class', 'ssh')[:client_match_block]).to include(
+            'foreman,foreman-proxy' => {
+              'type' => '!localuser',
+              'options' => {
+                'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h',
+              },
+            },
+          )
+        end
       end
     end # site
   end # role