Problem
Using Foreman Remote Execution over SSH with FreeIPA authentication.
Remote execution works correctly when the SSH user is hard‑coded (e.g. a FreeIPA automation user or a specific FreeIPA user).
However, when configuring:
SSH user = #{current_user.login}
Remote execution fails, even when:
- The logged‑in Foreman UI user exists in FreeIPA
- The user can SSH manually to the managed hosts
- The Smart Proxy SSH public key is present in the user’s FreeIPA SSH keys
- Password fields are empty
- Sudo (ALL + !authenticate) is configured correctly
Hard‑coding the same FreeIPA user in the SSH user setting works, but the dynamic form does not.
Expected outcome
Clarification on whether per‑user Remote Execution (running jobs using the identity of the currently logged‑in Foreman user) is:
- Supported
- Partially supported (with constraints)
- Not supported by design
If not supported, confirmation that #{current_user.login} should not be relied on for SSH Remote Execution would be helpful, as it is accepted by the UI and appears in documentation/examples.
Environment
- Foreman: 3.12.x
- Smart Proxy: 3.12.x
- Remote Execution plugin: standard Foreman 3.12
- OS: Oracle Linux 8 / 9
- Identity management: FreeIPA
- Authentication: SSH key‑based
- Katello: installed (content not used)
Question
Is #{current_user.login} intended to provide true per‑user SSH Remote Execution, or is it only username substitution without support for per‑user SSH identities?
If unsupported, we would like confirmation so we can standardize on a dedicated automation user. Or is there any plan to take this into consideration and make it work like this?