From 349b8c474412e1f8357740db32aae585ddab77ea Mon Sep 17 00:00:00 2001
From: Joshua Hoblitt
Date: Tue, 26 Apr 2022 13:19:55 -0700
Subject: [PATCH] (foreman role) disable ssh ProxyCommand for foreman-proxy user

When the ssh client is configured to for sssd/ipa host key tracking using `/usr/bin/sss_ssh_knownhostsproxy` as a `ProxyCommand`, this somehow breaks foreman-proxy REX. Without a valid shell set in `/etc/passwd` or via the `SHELL` env var, the ssh client errors claiming there is a key exchange failure but never gets as far as opening a network socket. With a valid `SHELL`, ssh sessions are able to be established but it appears that no stdout/stderr is piped back to the foreman-proxy daemon. The only identified work around is remove the `ProxyCommand` completely for the `foreman-proxy` user. There is some discussion of this problem on https://github.com/theforeman/puppet-foreman_proxy/pull/742
---
 hieradata/common.yaml | 11 +++++++++++
 hieradata/role/foreman.yaml | 8 ++++++++
 spec/hosts/roles/dtn_spec.rb | 4 ++--
 spec/hosts/roles/foreman_spec.rb | 17 +++++++++++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 0c9ae31af8..370627574a 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -36,6 +36,17 @@ lookup_options:
   sssd::domains:
     merge:
       strategy: "deep"
+  ssh::client_options:
+    merge:
+      strategy: "deep"
+      knockout_prefix: "--"
+  ssh::client_match_block:
+    merge:
+      strategy: "deep"
+  ssh::server_options:
+    merge:
+      strategy: "deep"
+      knockout_prefix: "--"
   ssh::server::match_block:
     merge:
       strategy: "deep"
diff --git a/hieradata/role/foreman.yaml b/hieradata/role/foreman.yaml
index 383aa035fd..f18f97b531 100644
--- a/hieradata/role/foreman.yaml
+++ b/hieradata/role/foreman.yaml
@@ -200,6 +200,14 @@ profile::core::yum::versionlock:
 redis::globals::scl: "rh-redis5"
 
+ssh::client_options:
+  "ProxyCommand": "--"
+ssh::client_match_block:
+  "foreman,foreman-proxy":
+    type: "!localuser"
+    options:
+      ProxyCommand: "/usr/bin/sss_ssh_knownhostsproxy -p %p %h"
+
 
 profile::core::puppet_master::foreman_config:
   destroy_vm_on_host_delete: {value: false}
   entries_per_page: {value: 100}
diff --git a/spec/hosts/roles/dtn_spec.rb b/spec/hosts/roles/dtn_spec.rb
index 230cf417d7..e530e9df1a 100644
--- a/spec/hosts/roles/dtn_spec.rb
+++ b/spec/hosts/roles/dtn_spec.rb
@@ -18,8 +18,8 @@
       it { is_expected.to contain_class('profile::core::dtn') }
 
       it do
-        is_expected.to contain_class('ssh').with(
-          server_options: { 'Port' => [22, 2712] },
+        expect(catalogue.resource('class', 'ssh')[:server_options]).to include(
+          'Port' => [22, 2712],
         )
       end
     end
diff --git a/spec/hosts/roles/foreman_spec.rb b/spec/hosts/roles/foreman_spec.rb
index bd772d2382..c65d2c4ad0 100644
--- a/spec/hosts/roles/foreman_spec.rb
+++ b/spec/hosts/roles/foreman_spec.rb
@@ -68,6 +68,23 @@
           server_version: PUPPETSERVER_VERSION,
         )
       end
+
+      it 'has global ProxyCommand knocked out with --' do
+        expect(catalogue.resource('class', 'ssh')[:client_options]).to include(
+          'ProxyCommand' => '',
+        )
+      end
+
+      it 'has foreman & foreman-proxy user exempt from ProxyCommand' do
+        expect(catalogue.resource('class', 'ssh')[:client_match_block]).to include(
+          'foreman,foreman-proxy' => {
+            'type' => '!localuser',
+            'options' => {
+              'ProxyCommand' => '/usr/bin/sss_ssh_knownhostsproxy -p %p %h',
+            },
+          },
+        )
+      end
     end
   end # site
 end # role
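Review bot: The `knockout_prefix: "--"` added under `ssh::server_options` has no consumer in this commit (the only `--` value introduced is the client-side ProxyCommand in the foreman role), yet it lets any higher-priority hiera layer erase a globally-set sshd_config directive by giving it a `--` value, so that host silently falls back to the OpenSSH default for that key. For hardening directives such as `PermitRootLogin` or `PasswordAuthentication` the daemon default is presumably looser than what common.yaml sets, and nothing in this diff would catch such a knockout. I would drop the `knockout_prefix` line from `ssh::server_options` until a role actually needs it, or keep it with a warning comment like `# "--" knocks a global sshd directive out for this layer; re-check the hardening baseline when using it` plus a spec that asserts the baseline server options on every role.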
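Review bot: Exempting `foreman` and `foreman-proxy` from the `sss_ssh_knownhostsproxy` ProxyCommand removes the sssd/IPA-backed host key lookup for exactly the account that opens privileged REX sessions to every managed host, and this hunk shows nothing about what verifies host keys for those users afterwards (it may be covered by REX's own known_hosts or verify settings outside this diff). If the fallback is an unmanaged `~foreman-proxy/.ssh/known_hosts` with relaxed `StrictHostKeyChecking`, remote execution becomes open to man-in-the-middle against every target. I would record the fallback next to the match block, e.g. `# foreman/foreman-proxy skip sss_ssh_knownhostsproxy (breaks REX, see theforeman/puppet-foreman_proxy#742); REX host keys are verified via <...>`, so the reduced protection is a deliberate, reviewable choice rather than an implicit one.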
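Review bot: The new example pins the knocked-out option as `'ProxyCommand' => ''`, i.e. the deep-merge knockout leaves an empty string on the `ssh` class rather than removing the key, but nothing checks what the ssh module renders from that, and a bare `ProxyCommand` line in `/etc/ssh/ssh_config` is not the same thing as no ProxyCommand for OpenSSH. I would add an assertion on the rendered client config, along the lines of `is_expected.to contain_file('/etc/ssh/ssh_config').without_content(%r{^ProxyCommand\s*$})` (adjusted to whichever resource the ssh module actually manages), and a positive one that the `Match !localuser foreman,foreman-proxy` stanza carries the `sss_ssh_knownhostsproxy` line, since the second example only inspects class parameters. The enclosing context blocks closed by `end # site` / `end # role` begin before this hunk.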