  2. RHEL-3350

Leapp inhibits the upgrade when openssh-server is not installed but /etc/ssh/sshd_config is present


Leapp outputs this inhibitor when the /etc/ssh/sshd_config file is unmodified.

Risk Factor: high (inhibitor)
Title: Possible problems with remote login using root account
Summary: OpenSSH configuration file will get updated to RHEL9 version, no longer allowing root login with password. It is a good practice to use non-root administrative user and non-password authentications, but if you rely on the remote root login, this change can lock you out of this system.
Remediation: [hint] If you depend on remote root logins using passwords, consider setting up a different user for remote administration or adding a comment into the sshd_config next to the "PermitRootLogin yes" directive to prevent rpm replacing it during the upgrade.

https://github.com/oamg/leapp-repository/blob/c3f32c8cd95011b9fb6b4c8a9ee27736ba551ae2/repos/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py#L114

The resolution for this inhibitor is to modify the sshd_config, which prevents the new openssh-server package from replacing the old "unmodified" configuration file.

The issue

If a customer does not have openssh-server installed, this inhibitor is impossible to resolve.

The code first checks if the configuration is present. It then detects if the configuration is modified with rpm -V, but if the package is not present, this results in leapp considering the file unmodified.

~~~
# grep def\ _read_rpm_modifications -A11 repositories/system_upgrade/common/libraries/rpms.py
def _read_rpm_modifications(config):
    """
    Ask RPM database whether the configuration file was modified.

    :param config: a config file to check
    """
    try:
        return stdlib.run(['rpm', '-Vf', config], split=True, checked=False)['stdout']
    except OSError as err:
        error = 'Failed to check the modification status of the file {}: {}'.format(config, str(err))
        stdlib.api.current_logger().error(error)
        return []
~~~

With the package removed we see that leapp reads the file and knows PermitRootLogin is false (which is a modified state), but still reports it as unmodified ("modified": false).

~~~
# yum remove openssh-server
# touch /etc/ssh/sshd_config
# leapp upgrade
# sqlite3 /var/lib/leapp/leapp.db "select message_data from messages_data where actor='read_openssh_config'" | jq '.'
{
  "ciphers": null,
  "deprecated_directives": [],
  "macs": null,
  "modified": false,
  "permit_root_login": [],
  "protocol": null,
  "subsystem_sftp": null,
  "use_privilege_separation": null
}
~~~

Leapp is inhibited unless the file is removed, or the openssh-server package is installed.

Expectations

Verify the openssh-server package is installed before performing any checks on openssh-server configuration files.
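As an added illustration of the root cause and of the expectation above (example code written for this page, not leapp's own), the Python below reproduces the decision leapp makes from rpm -Vf output and then shows the tri-state check the expectation asks for: ownership is established first with rpm -qf, and only an owned file is classified as modified or unmodified. The rpm runner is injectable so the script runs offline; the fake_rpm responses are constructed sample data, the package name in them is a placeholder, and the exact wording of rpm's "not owned by any package" message is assumed from rpm -qf behaviour.

```python
"""Tri-state check for a packaged config file: unowned, unmodified or modified.

Added example modelled on the bug described above; not leapp's own code.
"""
import re
import subprocess

# One line of `rpm -V` output: a 9-character attribute column (S = size,
# 5 = digest, T = mtime, ...), an optional file-type letter such as c for
# %config, then the path.
VERIFY_LINE = re.compile(r'^([S.M5DLUGTP?]{9})\s+(?:[cdglr]\s+)?(.+)$')


def run_rpm(args):
    """Run rpm with the given arguments; return (exit code, stdout lines)."""
    proc = subprocess.run(['rpm'] + args, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.splitlines()


def owning_package(config, run=run_rpm):
    """Name of the package owning `config`, or None when no package owns it.

    rpm -qf exits non-zero for an unowned file, so the exit status is the
    primary signal; the message text is only a secondary check.
    """
    rc, out = run(['-qf', config])
    if rc != 0 or not out or 'not owned by any package' in out[0]:
        return None
    return out[0].strip()


def verify_status(config, run=run_rpm):
    """'modified' or 'unmodified' from `rpm -Vf` output, judged on size/digest only.

    This is the naive interpretation: anything that is not a verify line for
    `config` (including rpm's 'not owned' message) falls through to 'unmodified',
    which is exactly what turns an orphaned sshd_config into a false inhibitor.
    """
    _, out = run(['-Vf', config])
    for line in out:
        m = VERIFY_LINE.match(line)
        if m and m.group(2) == config:
            attrs = m.group(1)
            return 'modified' if ('S' in attrs or '5' in attrs) else 'unmodified'
    return 'unmodified'


def config_state(config, run=run_rpm):
    """'unowned', 'modified' or 'unmodified'; ownership is decided first."""
    if owning_package(config, run) is None:
        return 'unowned'
    return verify_status(config, run)


def needs_replacement_inhibitor(state):
    """Only an owned, unmodified config is replaced by the new package on
    upgrade, so only that state warrants the inhibitor quoted in the report."""
    return state == 'unmodified'


def fake_rpm(scenario):
    """Constructed rpm responses for three hosts (sample data, not captured output).

    The package name is a placeholder; the 'not owned' wording is assumed.
    """
    pkg = 'openssh-server-0.0-EXAMPLE.x86_64'
    unowned = 'file /etc/ssh/sshd_config is not owned by any package'
    tables = {
        # stock package, vendor sshd_config untouched
        'stock': {'-qf': (0, [pkg]), '-Vf': (0, [])},
        # PermitRootLogin edited: size and digest differ
        'edited': {'-qf': (0, [pkg]), '-Vf': (1, ['S.5....T.  c /etc/ssh/sshd_config'])},
        # openssh-server removed, then `touch /etc/ssh/sshd_config` (the report's case)
        'leftover': {'-qf': (1, [unowned]), '-Vf': (1, [unowned])},
    }
    return lambda args: tables[scenario][args[0]]


if __name__ == '__main__':
    for host in ('stock', 'edited', 'leftover'):
        state = config_state('/etc/ssh/sshd_config', fake_rpm(host))
        print(host, state, 'inhibit' if needs_replacement_inhibitor(state) else 'skip')
```

Running it shows the "leftover" host, where the package was removed and the file re-created, classified as unowned rather than unmodified, while verify_status alone still answers unmodified for it, which is the behaviour the report describes.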

      *Kyle Walker*

# diff /usr/share/leapp-repository/repositories/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py.orig /usr/share/leapp-repository/repositories/system_upgrade/common/actors/opensshpermitrootlogincheck/actor.py
        5a6
        > from leapp.libraries.common.rpms import has_package
        7c8
        < from leapp.models import OpenSshConfig, Report

        > from leapp.models import OpenSshConfig, InstalledRedHatSignedRPM, Report
        35c36
        < consumes = (OpenSshConfig, )

        > consumes = (OpenSshConfig, InstalledRedHatSignedRPM, )
        40,55c41,59
        < openssh_messages = self.consume(OpenSshConfig)
        < config = next(openssh_messages, None)
        < if list(openssh_messages):
        < api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
        < if not config:
        < raise StopActorExecutionError(
        < 'Could not check openssh configuration', details= {'details': 'No OpenSshConfig facts found.'}

        < )
        <
        < if get_source_major_version() == '7':
        < self.process7to8(config)
        < elif get_source_major_version() == '8':
        < self.process8to9(config)
        < else:
        < api.current_logger().warning('Unknown source major version: {} (expecting 7 or 8)'
        < .format(get_source_major_version()))

        > has_server = has_package(InstalledRedHatSignedRPM, 'openssh-server')
        >
        > if has_server:
        > openssh_messages = self.consume(OpenSshConfig)
        > config = next(openssh_messages, None)
        > if list(openssh_messages):
        > api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
        > if not config:
        > raise StopActorExecutionError(
        > 'Could not check openssh configuration', details=

        {'details': 'No OpenSshConfig facts found.'}

        > )
        >
        > if get_source_major_version() == '7':
        > self.process7to8(config)
        > elif get_source_major_version() == '8':
        > self.process8to9(config)
        > else:
        > api.current_logger().warning('Unknown source major version: {} (expecting 7 or 8)'
        > .format(get_source_major_version()))
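Review bot: the has_server gate in hunk 40,55c41,59 is keyed on InstalledRedHatSignedRPM only, so a host whose openssh-server is a rebuilt or otherwise unsigned package will skip the PermitRootLogin check entirely and silently lose the inhibitor that guards against a root-login lockout; consider also consulting the InstalledUnsignedRPM facts, and add an api.current_logger().debug(...) call in the not-has_server branch saying why the check was skipped so the decision is visible in the leapp log. Re-indenting the whole actor body under "if has_server:" also makes this hunk hard to review for what is a two-line behavioural change; an early return after that log message would leave the existing body untouched.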
