#7367 Problem when configuring sshd_config using ansible blockinfile on IDM clients.
Opened 2 years ago by rcritten. Modified 2 years ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1527974

Description of problem:

ipa-client-install adds the following lines to the sshd_config file, before the
last "Match user" line:

KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody

https://github.com/freeipa/freeipa/blob/master/ipaclient/install/client.py#L978


But... when configuring this file with ansible using blockinfile tasks, it adds
some blocks like:

# BEGIN ANSIBLE MANAGED BLOCK
Match User backup
        PasswordAuthentication yes
# END ANSIBLE MANAGED BLOCK


And here is the problem: ipa-client-install is adding the parameters before the
Match line, but after the ansible comment:

# BEGIN ANSIBLE MANAGED BLOCK
KerberosAuthentication no
PubkeyAuthentication yes
UsePAM yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
GSSAPIAuthentication yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommandUser nobody

Match User backup
        PasswordAuthentication yes
# END ANSIBLE MANAGED BLOCK


The next ansible iteration will remove the lines configured by ipa-client-install,
because they have been added inside the ansible managed block, and it will leave
only the ansible related lines:

# BEGIN ANSIBLE MANAGED BLOCK
Match User backup
        PasswordAuthentication yes
# END ANSIBLE MANAGED BLOCK



Version-Release number of selected component (if applicable): RHEL 7.3


How reproducible:


Steps to Reproduce:
1. Modify sshd_config file with a blockinfile ansible task
2. Register server on IdM using ipa-client-install
3. Run ansible again

Actual results:

ipa-client-install modifications are removed from the sshd_config file because they
are added inside the ANSIBLE MANAGED BLOCK

Expected results:

Modifications should be made by searching for the parameters inside the file and
modifying the default value, or by adding a block after checking whether it is being
added inside a block managed by a different automation system (ansible, or any other)

Additional info:
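The ordering problem described above, and the marker-aware placement the expected results ask for, are easy to see in a small model. The following is an added example written for this ticket; it is not freeipa's client.py and not Ansible's blockinfile module. It assumes a simplified blockinfile that replaces everything between the BEGIN/END markers with the managed content, and it uses a constructed sshd_config fragment shaped like the one in the report.

```python
"""Model of 'insert before the last Match line' colliding with an Ansible
managed block, plus an insertion that stays outside foreign markers.
Added example for this ticket, not freeipa or Ansible code."""
import re

# The options ipa-client-install writes (from the ticket description).
IPA_OPTIONS = [
    "KerberosAuthentication no",
    "PubkeyAuthentication yes",
    "UsePAM yes",
    "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys",
    "GSSAPIAuthentication yes",
    "ChallengeResponseAuthentication yes",
    "AuthorizedKeysCommandUser nobody",
]

# Constructed sshd_config fragment mirroring the ticket's example.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
# BEGIN ANSIBLE MANAGED BLOCK
Match User backup
        PasswordAuthentication yes
# END ANSIBLE MANAGED BLOCK
"""

BEGIN_MARKER = "# BEGIN ANSIBLE MANAGED BLOCK"
END_MARKER = "# END ANSIBLE MANAGED BLOCK"
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def _last_match_index(lines):
    """Index of the last 'Match' directive, or None if there is none."""
    idx = None
    for i, line in enumerate(lines):
        if MATCH_RE.match(line):
            idx = i
    return idx


def insert_naive(config, options=IPA_OPTIONS):
    """Insert options directly before the last Match line (the reported behaviour)."""
    lines = config.splitlines()
    idx = _last_match_index(lines)
    if idx is None:
        return "\n".join(lines + options) + "\n"
    return "\n".join(lines[:idx] + options + [""] + lines[idx:]) + "\n"


def insert_marker_aware(config, options=IPA_OPTIONS):
    """Insert before the last Match line, but if that line sits inside a
    foreign managed block, move the insertion point above its BEGIN marker."""
    lines = config.splitlines()
    idx = _last_match_index(lines)
    if idx is None:
        return "\n".join(lines + options) + "\n"
    j = idx - 1
    while j >= 0:  # walk back: BEGIN before END means we are inside a block
        stripped = lines[j].strip()
        if stripped == END_MARKER:
            break
        if stripped == BEGIN_MARKER:
            idx = j
            break
        j -= 1
    return "\n".join(lines[:idx] + options + [""] + lines[idx:]) + "\n"


def blockinfile_rewrite(config, block_lines):
    """Simplified blockinfile (assumption, not the real module): everything
    between the markers is replaced by the managed content."""
    out, inside = [], False
    for line in config.splitlines():
        if line.strip() == BEGIN_MARKER:
            inside = True
            out.append(BEGIN_MARKER)
            out.extend(block_lines)
            continue
        if line.strip() == END_MARKER:
            inside = False
            out.append(END_MARKER)
            continue
        if not inside:
            out.append(line)
    return "\n".join(out) + "\n"


def options_survive(config, options=IPA_OPTIONS):
    """True if every IPA option is still present after the next ansible run."""
    managed = ["Match User backup", "        PasswordAuthentication yes"]
    after = blockinfile_rewrite(config, managed).splitlines()
    return all(opt in after for opt in options)


if __name__ == "__main__":
    print("naive insertion survives ansible:", options_survive(insert_naive(SAMPLE_SSHD_CONFIG)))
    print("marker-aware insertion survives ansible:", options_survive(insert_marker_aware(SAMPLE_SSHD_CONFIG)))
```

Running it prints False for the naive insertion (the options land between the BEGIN marker and the Match line and are wiped on the next run) and True for the marker-aware one, which places them above the block. A real fix would also need to recognise other tools' marker styles, which is what the expected results mean by "any other" automation system.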

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1527974

2 years ago

Metadata Update from @rcritten:
- Issue priority set to: important

2 years ago
