Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-5513

[OpenSSH] Allow duplicate Subsystem directives

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • openshift-4.16
    • RHEL CoreOS
    • None
    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request

      [OpenSSH] Allow duplicate Subsystem directives on RHOSP4.16

      2. What is the nature and description of the request?

      Request to backport(cherry pick) the following fix[1] into sshd for use with RHOCP4.16.
      [1] https://github.com/openssh/openssh-portable/commit/52dfe3c72d98503d8b7c6f64fc7e19d685636c0b

      [Background]
      As of now, /etc/ssh/sshd_config has the following lines:

        # grep -nE "Include|Subsystem" /etc/ssh/sshd_config 
  15:Include /etc/ssh/sshd_config.d/*.conf
  123:Subsystem	sftp	/usr/libexec/openssh/sftp-server

      There are two possible ways for a customer to change the sftp log level:

      1. Edit "/etc/ssh/sshd_config" file directly.
      However, in this case, a problem like https://access.redhat.com/solutions/7030537 happens when upgrading OCP cluster.
      Therefore, direct editing of sshd_config should be avoided if possible.

      2. Change sftp settings using the “Include” feature.
      For example, create a file named /etc/ssh/sshd.config.d/90-sftp.conf with the following contents

         Subsystem       sftp    /usr/libexec/openssh/sftp-server -f LOCAL5 -l INFO

      Normal configuration changes work fine this way, but Subsystem configuration changes result
      in the following error and sshd terminates abnormally.

           /etc/ssh/sshd_config line 123: Subsystem 'sftp' already defined.

      Therefore, we request to backport(cherry pick) the following fix[1] into sshd for use with RHOCP4.16.
      After that, even if duplicate subsystems are configured, sshd will ignore them without exiting with an error.
      (The ignored settings are displayed as debug messages.)

      3. Why does the customer need this? (List the business requirements here)

      Our customer needs to change the loglevel of sftp of their cluster.
      Currently, the only way to do this is to edit sshd_config directly, however, it can cause problems such as https://access.redhat.com/solutions/7030537.
      To reduce the possibility of problems caused by configuration changes, we would like to backport the fixe[1] (introduced in OpenSSH 9.5)
      into the RHOCP 4.16 environment.

      4. List any affected packages or components.

      openssh-server

              rhn-support-mrussell Mark Russell
              rhn-support-hfukumot Hideshi Fukumoto
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: