Issue #14809 has been reported by Jo Rhett.
----------------------------------------
Bug #14809: Puppet confuses itself based on ssh key comment
https://projects.puppetlabs.com/issues/14809
Author: Jo Rhett
Status: Unreviewed
Priority: Normal
Assignee:
Category: agent
Target version:
Affected Puppet version: 2.7.14
Keywords:
Branch:
So I've found an interesting issue. If you add a key to a managed ssh key file
that happens to have as a comment the same name as a valid key in a different
user's file, puppet complains:
Here's an example manifest:
<pre>
ssh_authorized_key { 'otheruser':
  ensure => present,
  name   => 'otheruser',
  user   => 'otheruser',
  target => "/etc/ssh/keys/otheruser",
  type   => 'ssh-rsa',
  key    => 'blahblahblah',
}
ssh_authorized_key { 'jorhett':
  ensure => present,
  name   => 'jorhett',
  user   => 'jorhett',
  target => "/etc/ssh/keys/jorhett",
  type   => 'ssh-rsa',
  key    => 'nienienie',
}
</pre>
Here's the output:
<pre>
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837310'
notice: /Stage[main]/Users::Netops/User_and_key[jorhett]/Ssh_authorized_key[jorhett]/ensure: created
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[jonv]/ensure: created
notice: Finished catalog run in 54.27 seconds
</pre>
Here's the very confusing error message when you add another key which matches
a different user:
<pre>
root@testhost keys$ cat otheruser >> jorhett
root@testhost keys$ puppet agent --test
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837237'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/user: user changed 'jorhett' to 'otheruser'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/target: target changed '/etc/ssh/keys/jorhett' to '/etc/ssh/keys/otheruser'
info: FileBucket adding {md5}c6ce524a1e92ad3540259d73126678a2
err: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]: Could not evaluate: Permission denied - /etc/ssh/keys/jorhett
notice: Finished catalog run in 54.19 seconds
</pre>
You'll notice that those messages make absolutely no sense at all.
The reasons for fixing this are:
1. It's not impossible or even unlikely for one user to add another user's key
to their own authorized keys file.
2. I own my own key file, so I could easily change the comment to match another
user's name.
This seems like an odd suspension of disbelief, where puppet is believing and
using data from a user-editable file. Thankfully it doesn't seem to work, but it
concerns me nonetheless.
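An audit script written for this report (not part of Puppet or the reporter's manifest) that reproduces the condition the bug describes from the defender's side: it parses a set of authorized_keys files and flags a key whose comment names a different managed user, plus the same key blob appearing under more than one user. File contents are constructed from the manifest above; the file-path layout, the user list and the "options field contains no whitespace" simplification are assumptions.

```python
"""Audit authorized_keys files for comment collisions that confuse
Puppet 2.7's ssh_authorized_key provider (which matches entries by comment)."""
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed sample: {user: contents of /etc/ssh/keys/<user>} (paths assumed).
# jorhett's file contains otheruser's key, as in "cat otheruser >> jorhett".
SAMPLE_FILES = {
    "otheruser": "ssh-rsa blahblahblah otheruser\n",
    "jorhett": ("ssh-rsa nienienie jorhett\n"
                "# pasted in by the user:\n"
                "ssh-rsa blahblahblah otheruser\n"),
}


def parse_authorized_keys(text):
    """Return [(line_no, key_type, key_blob, comment)] for each key line.
    Assumes any leading options field contains no whitespace."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # not a recognisable key line
        entries.append((line_no, parts[idx], parts[idx + 1],
                        " ".join(parts[idx + 2:])))
    return entries


def find_collisions(files):
    """files: {user: authorized_keys text}. Findings are
    ("comment", file_user, comment, line_no) when a comment in one user's file
    names a different managed user, and ("duplicate-key", users, blob) when one
    key blob is present under several users."""
    users, findings, owners = set(files), [], defaultdict(set)
    for user, text in files.items():
        for line_no, _ktype, blob, comment in parse_authorized_keys(text):
            owners[blob].add(user)
            if comment in users and comment != user:
                findings.append(("comment", user, comment, line_no))
    for blob, who in owners.items():
        if len(who) > 1:
            findings.append(("duplicate-key", tuple(sorted(who)), blob))
    return findings


if __name__ == "__main__":
    for finding in find_collisions(SAMPLE_FILES):
        print(finding)
```

Running the audit before a Puppet run shows which files would make the provider attribute an entry to the wrong resource; on a real host, read the files from the target paths instead of SAMPLE_FILES.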