Bug #23482
open
puppetrun ssh provider does not work without sudo because foreman-proxy user does not have SHELL environment variable
Description
When using the puppetrun SSH provider without sudo, the foreman-proxy user runs the "ssh" command directly. This command fails because no SHELL variable is defined for this user. The default install defines this user with /bin/false.
Without the variable, the ssh client fails without trying to connect to the server:
[root@foremandev foreman-proxy]# sudo -u foreman-proxy ssh -i /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy bot.foreman@10.10.20.10 -vvvv
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 62: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 10.10.20.10
debug1: permanently_drop_suid: 996
debug1: identity file /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy type 1
debug1: key_load_public: No such file or directory
debug1: identity file /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
ssh_exchange_identification: Connection closed by remote host
Trying with sudo -u foreman-proxy SHELL=/bin/bash ssh -i .................. works without problems.
I don't know what the "best" fix for this is, but as a temporary workaround I added a SHELL environment variable in the systemd env file for the foreman-proxy service:
[root@foremandev foreman-proxy]# cat /etc/sysconfig/foreman-proxy
SHELL=/bin/bash
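As an added diagnostic that is not part of this report: a small POSIX shell check that validates the SHELL value in an environment file such as /etc/sysconfig/foreman-proxy, flagging placeholder shells like the /bin/false the description mentions. The file path used in the sample, the function names and the return codes are my own choices.

```shell
#!/bin/sh
# Added example (not from the Foreman issue): check the SHELL value that a
# systemd EnvironmentFile (e.g. /etc/sysconfig/foreman-proxy) hands to a
# service account before relying on it for ssh-based puppetrun.

# Print the SHELL value defined in an env file (last assignment wins,
# surrounding double quotes stripped). Prints nothing if SHELL is absent.
env_file_shell() {
  sed -n 's/^[[:space:]]*SHELL=//p' "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Classify a shell path:
#   0 usable, 1 unset/empty, 2 placeholder that cannot run commands
#   (nologin/false/true), 3 path is not an executable file.
check_shell() {
  shell="$1"
  [ -n "$shell" ] || return 1
  case "$shell" in
    */nologin|*/false|*/true) return 2 ;;
  esac
  [ -x "$shell" ] || return 3
  return 0
}

# Run both checks against an env file and print a one-line diagnosis.
# Returns the check_shell code so callers (or monitoring) can act on it.
check_env_file() {
  shell=$(env_file_shell "$1")
  rc=0
  check_shell "$shell" || rc=$?
  case $rc in
    0) echo "ok: SHELL=$shell" ;;
    1) echo "missing: no SHELL= assignment in $1" ;;
    2) echo "unusable: SHELL=$shell is a placeholder shell and cannot run commands" ;;
    3) echo "invalid: SHELL=$shell is not an executable file" ;;
  esac
  return $rc
}

# Constructed sample mirroring the workaround: a temp file instead of the
# real /etc/sysconfig/foreman-proxy so this runs anywhere.
sample=$(mktemp)
printf 'SHELL=/bin/bash\n' > "$sample"
check_env_file "$sample" || true
rm -f "$sample"
```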
By the way, should "--no-daemonize" be added to the default puppet run command set up by the installer, since usually the puppet agent is run as a daemon? (and this prevents running another puppet agent because of the pid file)