TEST: Current value of ssh_hash_known_hosts causes error in the default configuration in FIPS mode

[dparmar18]

Explanation

• In SSSD the default value for ssh_hash_known_hosts is set to true,
  It should be changed to false for consistency with the OpenSSH
  setting that does not hashes hostnames by default

Verifies
Issue: #5848
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2014249

[sgoveas]

Looks good to me

[alexey-tikhonov]

Where is this host added at IPA server?

[alexey-tikhonov]

Can't you use action="delete" unconditionally (without check option is present first)? What happens if you try to delete non-existent option?

[dparmar18]

If I try to delete that doesn't exist then it will throw exception

[alexey-tikhonov]

Doesn't it support "nothrow" mode/arg?
But even if it throws, it would be easier to try/catch than to check.

[dparmar18]

The test case will be skipped upon encountering an exception therefore as discussed I'll have to stick with this.

[alexey-tikhonov]

How does is it work in case exception is handled in place?

[dparmar18]

Usually, it would skip from there but I found a workaround for expecting an exception and still continue the execution, I'll push it if it succeeds.

[alexey-tikhonov]

What "it"?
If you handle exception in place it doesn't propagate anywhere.

[alexey-tikhonov]

I don't understand this.

1. You assign a key to client[0].sys_hostname but later test looks for master[0].sys_hostname. This doesn't make sense.
   Probably this works because IPA master has own key always set? I don't know this. Could you please check?

2. ssh-keyscan should be used to figure out key of a host, not a new random key generated and assigned in IPA db.
   (but answer to 1) is more important)

[dparmar18]

1. I'm not assigning a key to client[0].sys_hostname, here I'm running this command on the server that adds a key bound with the client host. It will be like ipa host-mod client.ipa.test --sshpubkey="$(cat /tmp/ssh_host0003_rsa.pub)" --updatedns where client.ipa.test is a client i.e client[0].sys_hostname

[alexey-tikhonov]

You can call it "bound" instead of "assign" but that doesn't change a thing.

Later test looks for server_host (if server_host in known_hosts.stdout_text ...), not for a "client.ipa.test".

[dparmar18]

yes because SSH is being done on client:
multihost.client[0].run_command(cmd,stdin_text="Secret123",raiseonerr=False)

[alexey-tikhonov]

yes because SSH is being done on client: multihost.client[0].run_command(cmd,stdin_text="Secret123",raiseonerr=False)

It doesn't matter where ssh is being executed - every node will receive the same map from the server.
This is just a mean to trigger known-hosts list update.

Your test makes sure client's key (fingerprint) is specified in the list, but searches for server's key.

[dparmar18]

Working on this now, thanks for acknowledging.

[alexey-tikhonov]

And it still fails pycodestyle:

./src/tests/multihost/ipa/test_misc.py:388:58: W292 no newline at end of file

[dparmar18]

And it still fails pycodestyle:

./src/tests/multihost/ipa/test_misc.py:388:58: W292 no newline at end of file

I hope it passes now, have pushed the required changes

[alexey-tikhonov]

Please rebase to the latest master branch.

[dparmar18]

This PR had conflicts while rebasing, therefore here is the new PR with everything sorted: #5996