#7676 ipa-client-install changes system wide ssh configuration
Closed: fixed 3 years ago by rcritten. Opened 5 years ago by abiagion.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1544379

Description of problem:
ipa-client-install changes /etc/ssh/ssh_config, which may cause issues for systems
running alongside the IPA client.

It adds following line to ssh_config:

  ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

which tries to execute the '/usr/bin/sss_ssh_knownhostsproxy' command even for
users who don't have a shell, so 'ssh' always fails.

An example is oVirt. We execute ssh externally as the ovirt user, which doesn't
have a shell. So it always fails. Please consider removing 'ProxyCommand' from
ssh_config.

Version-Release number of selected component (if applicable):
ipa-client-install --version
4.6.3

How reproducible:
always

Steps to Reproduce:
1. Run ipa-client-install
2. Try to run ssh as a user with the /sbin/nologin shell.

Actual results:
Fail.

Expected results:
Success.

Additional info:

Metadata Update from @abiagion:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1544379

5 years ago

master:

  • 15b30e1 Create IPA ssh client configuration and move ProxyCommand
  • 16616e5 ipatests: Test that Match ProxyCommand masks on no shell exec

ipa-4-9:

  • a525b2e Create IPA ssh client configuration and move ProxyCommand
  • d89e3ab ipatests: Test that Match ProxyCommand masks on no shell exec

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago
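The mechanism behind the fix in the commit list above ("Match ProxyCommand masks on no shell exec"), as an added example that is not FreeIPA code and was not posted on this ticket: the OpenSSH client hands both a ProxyCommand and the predicate of a "Match exec" block to a shell as `$SHELL -c "<command>"`, taking the shell from the SHELL environment variable and falling back to /bin/sh. When a process runs as an account whose login shell is /sbin/nologin and inherits that as SHELL (as happens under sudo -u), an unconditional ProxyCommand can never start and the connection fails, whereas a ProxyCommand placed inside "Match exec true" is skipped because the predicate itself fails, and ssh connects directly. The script emulates that hand-off with a constructed nologin stub and a stub standing in for /usr/bin/sss_ssh_knownhostsproxy; no real ssh connection is made, and the function names and the host name host.example.test are made up for the illustration.

```shell
#!/bin/sh
# Added example, not FreeIPA code: emulate how the OpenSSH client runs
# ProxyCommand and "Match exec" predicates through a shell
# ($SHELL -c "<command>"), and why that breaks /sbin/nologin accounts.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /sbin/nologin: refuses, exits 1, ignores -c.
NOLOGIN="$WORK/nologin"
cat > "$NOLOGIN" <<'EOF'
#!/bin/sh
echo "This account is currently not available." >&2
exit 1
EOF
chmod +x "$NOLOGIN"

# Constructed stand-in for /usr/bin/sss_ssh_knownhostsproxy; the real one
# refreshes the SSSD known-hosts cache and relays the connection.
PROXY="$WORK/knownhostsproxy"
cat > "$PROXY" <<'EOF'
#!/bin/sh
echo "knownhostsproxy invoked with: $*"
exit 0
EOF
chmod +x "$PROXY"

HOST=host.example.test   # hypothetical target, never contacted

# How ssh executes ProxyCommand and Match exec: <shell> -c "<command>".
run_via_shell() {
    _shell=$1; shift
    "$_shell" -c "$*"
}

# Pre-fix ssh_config, applied to every connection regardless of shell:
#   ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
# Returns 0 if the proxy could be started, non-zero otherwise.
unconditional_proxycommand() {
    run_via_shell "$1" "$PROXY -p 22 $HOST" >/dev/null 2>&1
}

# Fixed ssh_config (the "Match exec true" case from this ticket):
#   Match exec true
#       ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
# The predicate "true" is itself run via the shell; if it fails, the
# whole block is skipped and ssh connects directly.
# Prints "proxy" when the ProxyCommand applies, "direct" when masked.
match_exec_guarded() {
    if run_via_shell "$1" true >/dev/null 2>&1; then
        run_via_shell "$1" "$PROXY -p 22 $HOST" >/dev/null 2>&1 && echo proxy
    else
        echo direct
    fi
}

# Demonstration: the same configuration under two different login shells.
for sh_path in /bin/sh "$NOLOGIN"; do
    if unconditional_proxycommand "$sh_path"; then
        printf '%s: unconditional ProxyCommand: ok\n' "$sh_path"
    else
        printf '%s: unconditional ProxyCommand: FAILS (ssh cannot connect)\n' "$sh_path"
    fi
    printf '%s: Match exec guarded: %s\n' "$sh_path" "$(match_exec_guarded "$sh_path")"
done
```

Two caveats a practitioner should keep in mind. The guard masks the ProxyCommand for nologin accounts, so those accounts lose the SSSD-backed host key lookup the proxy provides; and the predicate costs one extra shell spawn per connection, which is the overhead measured in the timings further down this ticket. On a real host, `ssh -G <host>` run as the account in question prints the effective client configuration after Match evaluation, so it shows directly whether a ProxyCommand would be applied for that user.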

master:

  • dfa0842 ipatests: See if nologin supports -c before asserting message

ipa-4-9:

  • ca9f8d1 ipatests: See if nologin supports -c before asserting message

Metadata Update from @abbra:
- Custom field changelog adjusted to Skip ProxyCommand wrapper in SSH configuration in case user is configured with /sbin/nologin to allow automated tools to operate as expected

3 years ago

The spawning of a shell on each outgoing ssh client connection significantly increases the overall operation time. For example,
in the Match exec true case:

[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
5.99user 8.43system 0:15.22elapsed 94%CPU (0avgtext+0avgdata 6572maxresident)k
0inputs+0outputs (0major+6746minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
6.08user 8.02system 0:14.81elapsed 95%CPU (0avgtext+0avgdata 6536maxresident)k
0inputs+0outputs (0major+6767minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
5.43user 9.05system 0:14.77elapsed 98%CPU (0avgtext+0avgdata 6540maxresident)k
0inputs+0outputs (0major+6753minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
5.42user 8.98system 0:14.85elapsed 97%CPU (0avgtext+0avgdata 6560maxresident)k
0inputs+0outputs (0major+7212minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
5.84user 8.89system 0:15.74elapsed 93%CPU (0avgtext+0avgdata 6528maxresident)k
0inputs+0outputs (0major+6725minor)pagefaults 0swaps

Without the Match rule:

[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
2.71user 4.82system 0:09.43elapsed 79%CPU (0avgtext+0avgdata 6552maxresident)k
0inputs+0outputs (0major+4967minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
2.54user 4.47system 0:08.92elapsed 78%CPU (0avgtext+0avgdata 6604maxresident)k
0inputs+0outputs (0major+4985minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
2.62user 4.59system 0:08.74elapsed 82%CPU (0avgtext+0avgdata 6560maxresident)k
0inputs+0outputs (0major+4999minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
2.65user 4.46system 0:09.48elapsed 75%CPU (0avgtext+0avgdata 6512maxresident)k
0inputs+0outputs (0major+4977minor)pagefaults 0swaps
[root@master1 /]# time bash -c 'for a in $(seq 10); do ssh root@localhost true; done;'
2.60user 4.54system 0:09.30elapsed 76%CPU (0avgtext+0avgdata 6508maxresident)k
0inputs+0outputs (0major+4989minor)pagefaults 0swaps

I think this is unacceptable.

For example, a user can disable ProxyCommand entirely:

sudo -u ruser sshpass -p Secret123 ssh -v -o ProxyCommand=none -o StrictHostKeyChecking=no tuser@localhost true

BTW, with this patch the drop-in configuration for SSH differs from the modified one (without 'Include').
