Issue #14809 has been reported by Jo Rhett.

----------------------------------------
Bug #14809: Puppet confuses itself based on ssh key comment
https://projects.puppetlabs.com/issues/14809

Author: Jo Rhett
Status: Unreviewed
Priority: Normal
Assignee: 
Category: agent
Target version: 
Affected Puppet version: 2.7.14
Keywords: 
Branch: 


So I've found an interesting issue. If you add a key to a managed ssh key file 
that happens to have as a comment the same name as a valid key in a different 
user's file, puppet complains.

Here's an example manifest:
<pre>
ssh_authorized_key{ 'otheruser':
    ensure  => present,
    name    => 'otheruser',
    user    => 'otheruser',
    target  => "/etc/ssh/keys/otheruser",
    type    => 'ssh-rsa',
    key     => 'blahblahblah',
}

ssh_authorized_key{ 'jorhett':
    ensure  => present,
    name    => 'jorhett',
    user    => 'jorhett',
    target  => "/etc/ssh/keys/jorhett",
    type    => 'ssh-rsa',
    key     => 'nienienie',
}
</pre>

Here's the output:
<pre>
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837310'
notice: /Stage[main]/Users::Netops/User_and_key[jorhett]/Ssh_authorized_key[jorhett]/ensure: created
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[jonv]/ensure: created
notice: Finished catalog run in 54.27 seconds
</pre>

Here's the very confusing error message when you add another key which matches 
a different user:
<pre>
root@testhost keys$ cat otheruser >> jorhett 
root@testhost keys$ puppet agent --test
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837237'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/user: user changed 'jorhett' to 'otheruser'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/target: target changed '/etc/ssh/keys/jorhett' to '/etc/ssh/keys/otheruser'
info: FileBucket adding {md5}c6ce524a1e92ad3540259d73126678a2
err: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]: Could not evaluate: Permission denied - /etc/ssh/keys/jorhett
notice: Finished catalog run in 54.19 seconds
</pre>

You'll notice that those messages make absolutely no sense at all.  

The reasons for fixing this are:

1. It's not impossible or even unlikely for one user to add another user's key 
to their own authorized keys file

2. I own my own key file, so I could easily change the comment to match another 
user's name

This seems like an odd suspension of disbelief, where puppet is believing and 
using data from a user-editable file.  Thankfully it doesn't seem to work, but 
it concerns me nonetheless.
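
As an added example (not Puppet's code and not part of this report), here is a Ruby check for the precondition the report describes: the same key comment turning up in more than one managed authorized_keys file, which is what lets the ssh_authorized_key resource be matched against the wrong file. It assumes the standard OpenSSH authorized_keys layout; the file paths and key contents below are constructed to mirror the report.

```ruby
# Key types accepted as the start of the "type key comment" part of a line.
KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519 ecdsa-sha2-nistp256
               ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Parse one authorized_keys line into {options:, type:, key:, comment:}.
# Returns nil for blank lines, '#' comments and lines with no known key type.
# Options such as command="..." may precede the type and may contain spaces
# inside double quotes, so the split must not break on quoted whitespace.
def parse_authorized_key(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  fields = line.scan(/(?:"[^"]*"|[^\s"])+/)
  idx = fields.index { |f| KEY_TYPES.include?(f) }
  return nil if idx.nil? || fields[idx + 1].nil?
  {
    options: idx.zero? ? nil : fields[0...idx].join(' '),
    type: fields[idx],
    key: fields[idx + 1],
    comment: fields[(idx + 2)..-1].join(' ') # '' when no comment present
  }
end

# Given {path => file contents}, return {comment => [paths]} for every key
# comment that appears in more than one file. The ssh_authorized_key type
# identifies a key by this comment (its resource name), so a comment shared
# across files is exactly the condition that produced the confusing run above.
def shared_key_comments(files)
  seen = Hash.new { |h, k| h[k] = [] }
  files.each do |path, contents|
    contents.each_line do |line|
      entry = parse_authorized_key(line)
      next if entry.nil? || entry[:comment].empty?
      seen[entry[:comment]] << path unless seen[entry[:comment]].include?(path)
    end
  end
  seen.select { |_, paths| paths.length > 1 }
end

# Constructed sample: otheruser's key has been appended to jorhett's file and
# still carries the "otheruser" comment (the key material is made up).
SAMPLE_FILES = {
  '/etc/ssh/keys/otheruser' => "ssh-rsa AAAAB3otheruserkey otheruser\n",
  '/etc/ssh/keys/jorhett'   => "ssh-rsa AAAAB3jorhettkey jorhett\n" \
                               "# appended by hand\n" \
                               "ssh-rsa AAAAB3otheruserkey otheruser\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  shared_key_comments(SAMPLE_FILES).each do |comment, paths|
    puts "comment #{comment.inspect} appears in: #{paths.join(', ')}"
  end
end
```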

