scale_prepare_enable_ssh_login adds duplicate conflicting config setting #473
Comments
I see now that the line it's matching and changing is this one:
Also see from ansible lineinfile documentation that the expected behaviour is that the regexp will replace the last match.
So a simple workaround would be to improve the regexp to ignore lines that are commented out.
…uration. This fixes issue IBM#473 where enabling scale_prepare_enable_ssh_login would cause duplicate PermitRootLogin lines if it was already configured to something else than "yes". Signed-off-by: Jan-Frode Myklebust <[email protected]>
Ideally I would set it to "without-password", which would be the secure default. But I'm afraid that might break something for existing users who expect the current behaviour.
@janfrode Can we close this issue? Thanks
Describe the bug
I normally have "PermitRootLogin without-password", to only allow key-based root logins, so I tested if "scale_prepare_enable_ssh_login: true" would overwrite that to the less secure "PermitRootLogin yes". Surprisingly I then ended up with 2 lines of PermitRootLogin in the sshd_config:
To Reproduce
Change to "PermitRootLogin without-password":
and then rerun core/precheck with "scale_prepare_enable_ssh_login: true".
Expected behavior
Should end up with one active line of "PermitRootLogin yes".
Environment
Please run the following and paste your output here:
Screenshots
Additional context
Not completely sure what the correct behaviour should be, but definitely not ending up with two conflicting lines of the same config setting. I think it would be best if it defaulted to changing from "no" to "without-password" as a secure default, and what we actually need for Scale.
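A check for the condition this issue describes, added here as an example and not taken from the project or the thread: it lists the active (uncommented) `PermitRootLogin` lines in an sshd_config, ignoring commented-out ones as the workaround comment suggests, and reports which value sshd will use, since sshd takes the first value it obtains for a keyword. The function names and the sample file are constructed for illustration; `Include` files are not followed and settings under a `Match` line are skipped.

```python
import re

MATCH_RE = re.compile(r"^\s*Match\s", re.IGNORECASE)
# "without-password" is the older spelling of "prohibit-password" in OpenSSH.
ALIASES = {"without-password": "prohibit-password"}


def directive_re(keyword):
    """Regex for an active directive: anchored at line start, so '#Keyword ...' never matches."""
    return re.compile(r"^\s*" + re.escape(keyword) + r"(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)


def audit_keyword(config_text, keyword="PermitRootLogin"):
    """Return the active global settings of `keyword`, the effective value and a conflict flag."""
    pattern = directive_re(keyword)
    active = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if MATCH_RE.match(line):
            break  # everything below a Match line is conditional, not a global setting
        m = pattern.match(line)
        if m:
            value = m.group(1).strip('"')
            active.append((lineno, ALIASES.get(value, value)))
    effective = active[0][1] if active else None  # sshd uses the first value obtained
    conflict = len({value for _, value in active}) > 1
    return {"active": active, "effective": effective, "conflict": conflict}


# Constructed sample: a commented default, the admin's setting, and a second line
# of the kind a loosely matched edit could leave behind.
SAMPLE = """\
# Authentication:
#PermitRootLogin yes
PermitRootLogin without-password
PubkeyAuthentication yes
PermitRootLogin yes
"""

if __name__ == "__main__":
    result = audit_keyword(SAMPLE)
    for lineno, value in result["active"]:
        print(f"line {lineno}: PermitRootLogin {value}")
    print("effective:", result["effective"], "| conflicting duplicates:", result["conflict"])
```

On a live host, `sshd -T` prints the configuration sshd actually resolves and is the authoritative cross-check for the result above.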