What were you trying to do that didn't work?

Our customer uses a 3rd party SSH daemon, provided by the Centrify vendor, and the upgrade is inhibited anyway, attempting to check "OpenSshConfig" facts that should not exist.

The openssh-server package being installed by default, even with a minimal installation, this use case remains extremely rare. That said, nothing prevent someone to remove the package and to work only from a console (or administrate the machine through a 3rd party ssh daemon or a web app).

What is the impact of this issue to you?

Cannot in-place upgrade without removing the openssh related actors.

Raising this bug as Low as it is rare.

Please provide the package NVR for which the bug is seen:

leapp-upgrade-el8toel9-0.22.0-1.el8_10

How reproducible is this bug?:

Always

Steps to reproduce

1. Remove openssh packages
2. Run leapp preupgrade

Expected results

No SSH inhibitors.

Actual results

Risk Factor: high (inhibitor)
Title: Possible problems with remote login using root account

Additional notes

AFAICS, the opensshpermitrootlogincheck actor is not in fault, it will stop if "OpenSshConfig facts" are not found:

 39     def process(self):
 40         openssh_messages = self.consume(OpenSshConfig)
 41         config = next(openssh_messages, None)
 42         if list(openssh_messages):
 43             api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
 44         if not config:
 45             raise StopActorExecutionError(
 46                 'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
 47             )

But as per the leapp.db, the said "facts" are generated anyway:

Type: OpenSshConfig
Message_data:
{
    "ciphers": null,
    "deprecated_directives": [],
    "macs": null,
    "modified": false,
    "permit_root_login": [],
    "protocol": null,
    "subsystem_sftp": null,
    "use_privilege_separation": null
}

So the error comes from the opensshconfigscanner actor, and here is the culprit:

124 def read_sshd_config(config):
125     """Read the actual sshd configuration file."""
126     try:
127         with open(config, 'r') as fd:
128             return fd.readlines()
129     except IOError as err:
130         if err.errno != errno.ENOENT:
131             error = 'Failed to read sshd_config: {}'.format(str(err))
132             api.current_logger().error(error)
133         return []

When it attempts to read the sshd_config file, it gets an IOError exception, but the case where the errno is ENOENT ("No such file or directory") is ignored (returning an empty array) instead of raising an error in leapp. So the rest of the checks simply fail because the expected value is not present in the list (of lines) that is returned by this function. Hence it behaves as if the expected ssh option was not defined in the configuration.

Such a behaviour is valid only if our package is installed otherwise the OpenSshConfig fact should not be produced.