On Wed, Mar 23, 2016 at 1:46 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
Le 23 mars 2016 à 12:28, Yedidyah Bar David <didi@redhat.com> a écrit :
On Wed, Mar 23, 2016 at 1:04 PM, Fabrice Bacchella <fabrice.bacchella@orange.fr> wrote:
I'm reading the documentation here : http://www.ovirt.org/documentation/admin-guide/serial-console-setup/
After a few strace, I found the ssh configuration used for the custom ssh that listen on port 2222: /usr/share/ovirt-vmconsole/ovirt-vmconsole-proxy/ovirt-vmconsole-proxy-sshd/sshd_config
And I have a big problem with it. It says "GSSAPIAuthentication no" but public key authentication is not allowed in my data center, we use kerberos every where. So I wonder if I can edit this file ? How is it managed by ovirt ?
In general, things under /usr are only packaged, not "managed". So a next upgrade will overwrite your changes.
Ok, so I just need to take care how modifications and upgrade are done (using puppet) and everything should be fine.
But isn't the below enough?
Seems like both its systemd unit and sysv init script read /etc/sysconfig/ovirt-vmconsole-proxy-sshd if it exists and add ${OPTIONS} to sshd's command line. So you can try to:
echo 'OPTIONS="-o GSSAPIAuthentication=yes"' >> /etc/sysconfig/ovirt-vmconsole-proxy-sshd
I tried that. It works. I now have pure kerberos only problems. But that's a good direction.
Good. So that should be enough, no? IIRC command-line options override conf file in sshd, no need to play games with rpm/yum. Thanks for the report. Best, -- Didi