console/sshd: test_cryptographic_policies: ensure known host keys don't get dropped

[g7]

Since OpenSSH 8.5 [0], UpdateHostKeys is enabled by default on the ssh client configuration.

Calling the ssh client with -o HostKeyAlgorithms=<single_algorithm> would then drop the other, now "foreign" algorithms from ~/.ssh/known_hosts, making the subsequent HostKeyAlgorithms tests fail.

This commit fixes that by adding -o UpdateHostKeys=no on the test command, so that the ssh client will not try to change the known_hosts file anymore.

UpdateHostKeys is available since OpenSSH 6.8 [1] so every SLE-15 release should be covered, and SLE-12-SP5 as well.

[0] https://www.openssh.com/txt/release-8.5
[1] openssh/openssh-portable@8d4f872

• Related ticket: https://progress.opensuse.org/issues/156058
• Verification run: https://openqa.suse.de/tests/13604341

[foursixnine]

can you also test with openSUSE and an old SP? say 15-SP5?

[g7]

v2: shortened the commit summary

@foursixnine Validation run against SP5-QR: https://openqa.suse.de/tests/13606045

for openSUSE you mean Tumbleweed? If I understand correctly that part is not tested at all in TW.

[jlausuch]

v2: shortened the commit summary

@foursixnine Validation run against SP5-QR: https://openqa.suse.de/tests/13606045

Is this enough? Is this also backwards compatible? Let's say 12-SP5?

for openSUSE you mean Tumbleweed? If I understand correctly that part is not tested at all in TW.

here an example: https://openqa.opensuse.org/tests/3968432#step/sshd/1

[g7]

v2: shortened the commit summary
@foursixnine Validation run against SP5-QR: https://openqa.suse.de/tests/13606045

Is this enough? Is this also backwards compatible? Let's say 12-SP5?

12-SP5 (and SP4) ship 7.2p2 so it should be covered there as well. Can I test that against SLE-12-SP5 somehow from the internal openQA instance? I'm getting lost through all the groups 😅

for openSUSE you mean Tumbleweed? If I understand correctly that part is not tested at all in TW.

here an example: https://openqa.opensuse.org/tests/3968432#step/sshd/1

Thanks. I don't have enough privileges to do that on o3. Could you or someone else please try it against TW using this repo?

https://github.com/g7/os-autoinst-distri-opensuse/tree/sshd-hostkeyalgorithms-factory

(it's exactly the same change here but with the unless (is_opensuse) removed)

Thanks!

[jlausuch]

Ok, I'm running 2 more VRs:

• Factory: https://openqa.opensuse.org/tests/3969574
• 12-SP5: http://openqa.suse.de/tests/13629394

[foursixnine]

Ok, I'm running 2 more VRs:

* Factory: https://openqa.opensuse.org/tests/3969574

* 12-SP5: http://openqa.suse.de/tests/13629394

Thanks a lot @jlausuch

[foursixnine]

Ok, I'm running 2 more VRs:

* Factory: https://openqa.opensuse.org/tests/3969574

* 12-SP5: http://openqa.suse.de/tests/13629394

Thanks a lot @jlausuch

Here are the two with the correct repos: 1 job has been created:

• opensuse-Tumbleweed-JeOS-for-kvm-and-xen-x86_64-Build20240227-jeos@64bit_virtio -> https://openqa.opensuse.org/tests/3969589
  Cloning parents of sle-12-SP5-Server-DVD-Updates-x86_64-Build20240227-1-mau-extratests1@64bit
  1 job has been created:
• sle-12-SP5-Server-DVD-Updates-x86_64-Build20240227-1-mau-extratests1@64bit -> http://openqa.suse.de/tests/13629399

[foursixnine]

@g7 can you remove the is_opensuse? can you create the follow up to remove the is_opensuse? both tests passed on the second branch