- Bug
- Resolution: Unresolved
- Normal
- None
- 6.16.0
Description of problem:
Satellite is unable to run remote execution tasks against clients when the Satellite has the following *ssh_config* file present */etc/ssh/ssh_config.d/04-ipa.conf*:
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
The line that is specifically causing issues is the *ProxyCommand*:
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
This causes Satellite to try and connect to the system as the *foreman-proxy* user, and not the configured *remote execution* user (e.g. *rexuser*).
From the client, we see the attempt to switch to the *foreman-proxy* user in the */var/log/secure* logs:
Aug 8 09:55:17 lb2 sshd[1535]: Accepted password for root from 192.168.0.139 port 39720 ssh2
Aug 8 09:55:17 lb2 sshd[1535]: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
Aug 8 09:55:17 lb2 sshd[1535]: pam_unix(sshd:session): session closed for user root
Aug 8 09:55:17 lb2 sshd[1563]: Invalid user foreman-proxy from 192.168.0.139 port 39736
Aug 8 09:55:17 lb2 sshd[1563]: Failed none for invalid user foreman-proxy from 192.168.0.139 port 39736 ssh2
Aug 8 09:55:17 lb2 sshd[1563]: Failed password for invalid user foreman-proxy from 192.168.0.139 port 39736 ssh2
Aug 8 09:55:17 lb2 sshd[1563]: Failed password for invalid user foreman-proxy from 192.168.0.139 port 39736 ssh2
Aug 8 09:55:17 lb2 sshd[1563]: Connection closed by invalid user foreman-proxy 192.168.0.139 port 39736 [preauth]
*Dynflow console* shows this error:
output: 'Error initializing command: RuntimeError - Unable to create directory
/var/tmp/foreman-ssh-cmd-2bb9be7b-1d47-4404-8c9b-15989c7caa08 on remote system,
exit code: 255'
How reproducible:
always
Is this issue a regression from an earlier version:
Regression, issue was not present on Satellite 6.15, but we see this on 6.16
Steps to Reproduce:
1. Place the *04-ipa.conf* file mentioned in the description into the */etc/ssh/ssh_config.d/* directory on the Satellite (I believe this file is created automatically when the Satellite joins an IPA realm).
2. Have the Satellite try a regular SSH remote execution task against a client.
Actual behavior:
The execution task fails because Satellite tries to switch to the *foreman-proxy* user instead of the *remote execution* user.
Expected behavior:
Satellite should not try to switch to the *foreman-proxy* user, but should switch to the configured *remote execution* user (e.g. *rexuser*).
Business Impact / Additional info:
The specific line that is causing the issue:
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
We can comment this out, and the Satellite no longer tries to switch to the *foreman-proxy* user.
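Added example, not part of the original report and not Satellite's own code: a shell function that lists every active (uncommented) ProxyCommand directive in ssh client config files, with the Host/Match block it sits in, so a drop-in such as 04-ipa.conf can be located before the line is commented out. The function names and the temporary copy of the drop-in used by the demo are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report active ProxyCommand directives in ssh client config
# files, together with the Host/Match block each one belongs to.

# find_proxycommands FILE... -> prints "file:line: [context] directive"
find_proxycommands() {
    awk '
        FNR == 1 { ctx = "global" }          # context is tracked per file
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)         # drop indentation
            key = tolower(line)              # keywords are case-insensitive
            sub(/[ \t=].*$/, "", key)        # keep only the keyword
        }
        key == "host" || key == "match" { ctx = line; next }
        key == "proxycommand" { printf "%s:%d: [%s] %s\n", FILENAME, FNR, ctx, line }
    ' "$@"
}

# demo_scan: run the scan over a temporary copy of the drop-in quoted in the report.
demo_scan() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/04-ipa.conf" <<'EOF'
# IPA-related configuration changes to ssh_config
#
PubkeyAuthentication yes
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
#VerifyHostKeyDNS yes
# assumes that if a user does not have shell (/sbin/nologin),
# this will return nonzero exit code and proxy command will be ignored
Match exec true
    ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
EOF
    ( cd "$tmp" && find_proxycommands 04-ipa.conf )
    rm -rf "$tmp"
}

# Real use: find_proxycommands /etc/ssh/ssh_config /etc/ssh/ssh_config.d/*.conf
demo_scan
```
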
- relates to: SAT-18399 REX jobs through jump hosts are failing as ProxyCommand=none is hard coded (Closed)