Issue #7888 has been updated by Stefan Schulte.
You shouldn't specify a comment with the key property. The name of the resource
is what puppet uses as a comment for the key. So you should specify
<pre>
ssh_authorized_key { "[email protected]":
  ensure => present,
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc...[truncated]...+Kno9w==',
  user   => 'nagios',
}
</pre>
In your example you specified the following:
<pre>
ssh_authorized_key { "nagios":
  ensure => present,
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc...+Kno9w== [email protected]',
  user   => 'nagios',
}
</pre>
On the first puppet run puppet creates the key and adds the following line to the
authorized_keys file
<pre>
[type] [key] [name] => 'ssh-rsa AAAAB3NzaC1yc...+Kno9w== [email protected] nagios'
</pre>
You'll notice that the key has the comment `[email protected] nagios`
in the file. And that is how puppet parses this line when you run puppet again:
<pre>
ssh_authorized_key { '[email protected] nagios':
  type => 'ssh-rsa',
  key  => 'AAAAB3NzaC1yc...+Kno9w==',
}
</pre>
Because this doesn't match the resource you specified in your manifest, puppet
adds your key again.
So in my opinion the best solution is to raise an error when a user uses a
delimiter (here whitespace) in the key property.
----------------------------------------
Bug #7888: ssh_authorized_key keeps adding the same key if key-hostname
specified
https://projects.puppetlabs.com/issues/7888
Author: mark risher
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 2.6.4
Keywords:
Branch:
If the `key` value in the `ssh_authorized_key` resource contains a comment at
the end, puppet will continue adding the key to the authorized_keys file on
every run. This yields an authorized_keys file with dozens or hundreds of
identical, redundant rows.
For example, consider the following:
<pre>
ssh_authorized_key { "nagios":
  ensure => present,
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc...[truncated]...+Kno9w== [email protected]',
  user   => 'nagios',
}
</pre>
With this resource, on every run of puppet, the `nagios` user's authorized_keys
file will receive another copy of the same stupid key. To work around it,
remove the `[email protected]` from the end, making the `key` end
with `==`:
<pre>
ssh_authorized_key { "nagios":
  ensure => present,
  type   => 'ssh-rsa',
  key    => 'AAAAB3NzaC1yc...[truncated]...+Kno9w==',
  user   => 'nagios',
}
</pre>
The reason people are adding this field is because that is what appears in
your `id_rsa.pub` when you create it.
The fix is among: 1) documentation change, 2) stop adding keys just because
that field is present, or 3) reject the key if it has this field present.
Observed in Puppet versions up through 2.6.4
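
The write/parse round trip described in this thread, as an added Ruby sketch (not Puppet's provider code and not part of either message above). It assumes authorized_keys lines without an options field; the struct, function names and key material are constructed for illustration.

```ruby
# Added illustration: simplified model of the write/parse round trip from this thread.
# Not Puppet's provider code; names and key material are constructed.
Entry = Struct.new(:name, :type, :key)

# Constructed sample resources: comment inside `key` vs. comment as the title.
BAD  = Entry.new('nagios', 'ssh-rsa', 'AAAAexampleKEY== nagios@monitor.example')
GOOD = Entry.new('nagios@monitor.example', 'ssh-rsa', 'AAAAexampleKEY==')

# Write an entry as "[type] [key] [name]".
def render(entry)
  [entry.type, entry.key, entry.name].join(' ')
end

# Read a line back: field 1 is the type, field 2 the key, and the rest
# of the line is the comment, which becomes the resource name.
def parse(line)
  type, key, name = line.strip.split(/\s+/, 3)
  Entry.new(name, type, key)
end

# One simulated run: append the declared entry unless the file already
# holds an entry that parses to the same name, type and key.
def apply(lines, declared)
  lines.map { |l| parse(l) }.include?(declared) ? lines : lines + [render(declared)]
end

# File contents after n consecutive runs, starting from an empty file.
def run_times(declared, n)
  (1..n).inject([]) { |lines, _| apply(lines, declared) }
end

# The check proposed in the comment: reject a key containing the delimiter.
def validate_key!(key)
  raise ArgumentError, 'key contains whitespace; use the resource title for the comment' if key =~ /\s/
  key
end

if __FILE__ == $PROGRAM_NAME
  puts "comment in key:   #{run_times(BAD, 3).length} lines after 3 runs"
  puts "comment as title: #{run_times(GOOD, 3).length} line after 3 runs"
  puts "parsed back as:   #{parse(render(BAD)).to_a.inspect}"
end
```

With the comment inside `key`, the parsed entry never equals the declared one, so the file grows by one line per run; a validation like `validate_key!` turns that silent growth into an immediate error.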