Issue #14809 has been updated by Jo Rhett.

Actually, this object seems to be very very confused.  It seems to report 
errors based on the previous user's name at times. Rerunning it solves the 
problem entirely:

<pre>
notice: /Stage[main]/Users::Allusers/User_and_key[user1]/Ssh_authorized_key[user1]/ensure: created
info: FileBucket adding {md5}42a187f3fb78850f5d9da657688dda00
err: /Stage[main]/Users::Allusers/User_and_key[user1]/Ssh_authorized_key[user1]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/user2/.ssh/authorized_keys: Permission denied - /home/user2/.ssh/authorized_keys
notice: /Stage[main]/Users::Allusers/User_and_key[user3]/Ssh_authorized_key[user3]/ensure: created
info: FileBucket adding {md5}1968f3b3552c9a65a5d0dd2ba9989008
err: /Stage[main]/Users::Allusers/User_and_key[user3]/Ssh_authorized_key[user3]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/user2/.ssh/authorized_keys: Permission denied - /home/user2/.ssh/authorized_keys
</pre>

Huh? Rerunning puppet agent --test gives us:

<pre>
notice: /Stage[main]/Users::Allusers/User_and_key[user1]/Ssh_authorized_key[user1]/ensure: created
info: FileBucket got a duplicate file {md5}42a187f3fb78850f5d9da657688dda00

...etc
</pre>

So there's some "state" in the ssh_authorized_key which appears to get very 
very confused.

----------------------------------------
Bug #14809: Puppet confuses itself based on ssh key comment
https://projects.puppetlabs.com/issues/14809#change-64568

Author: Jo Rhett
Status: Unreviewed
Priority: Normal
Assignee: 
Category: agent
Target version: 
Affected Puppet version: 2.7.14
Keywords: 
Branch: 


So I've found an interesting issue. If you add a key to a managed ssh key file 
that happens to have as a comment the same name as a valid key in a different 
user's file, puppet complains:

Here's an example manifest:
<pre>

        ssh_authorized_key{ 'otheruser':
            ensure  => present,
            name    => 'otheruser',
            user    => 'otheruser',
            target  => "/etc/ssh/keys/otheruser",
            type    => 'ssh-rsa',
            key     => 'blahblahblah',
        } 

        ssh_authorized_key{ 'jorhett':
            ensure  => present,
            name    => 'jorhett',
            user    => 'jorhett',
            target  => "/etc/ssh/keys/jorhett",
            type    => 'ssh-rsa',
            key     => 'nienienie',
        } 

</pre>

Here's the output:
<pre>
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837310'
notice: /Stage[main]/Users::Netops/User_and_key[jorhett]/Ssh_authorized_key[jorhett]/ensure: created
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[jonv]/ensure: created
notice: Finished catalog run in 54.27 seconds
</pre>

Here's the very confusing error message when you add another key which matches 
a different user:
<pre>
root@testhost keys$ cat otheruser >> jorhett 
root@testhost keys$ puppet agent --test
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837237'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/user: user changed 'jorhett' to 'otheruser'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/target: target changed '/etc/ssh/keys/jorhett' to '/etc/ssh/keys/otheruser'
info: FileBucket adding {md5}c6ce524a1e92ad3540259d73126678a2
err: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]: Could not evaluate: Permission denied - /etc/ssh/keys/jorhett
notice: Finished catalog run in 54.19 seconds
</pre>

You'll notice that those messages make absolutely no sense at all.  

The reason for fixing this is:

1. It's not impossible or even unlikely for one user to add another user's key 
to their own authorized keys file

2. I own my own key file, so I could easily change the comment to match another 
user's name

This seems like an odd suspension of disbelief, where puppet is believing and 
using data from a user-editable file.  Thankfully it doesn't seem to work, but 
concerns me nonetheless.
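Added example, not part of the bug report and not Puppet's own code: Puppet's ssh_authorized_key resource is named by the key comment, and that name must be unique across all user accounts, which is why a comment copied into another user's file (as in both of the runs quoted above) gets attributed to the wrong resource. The Ruby audit below parses a set of authorized_keys files (the file contents here are constructed; on a real host you would read each user's file or each `target` in the manifest) and reports every comment that appears in more than one file, so the collision can be found before Puppet trips over it.

```ruby
# Added example (not Puppet code): audit authorized_keys files for key comments
# that appear in more than one user's file. Puppet's ssh_authorized_key uses the
# comment as the resource name, so such a collision is what makes the provider
# report a key under the wrong user/target, as in the bug report above.

KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519
               ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Parse one authorized_keys line into its fields. The optional leading options
# field (which may itself contain quoted spaces and commas) is everything before
# the key-type token. Returns nil for blank lines and '#' comments.
def parse_authorized_key(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  types = KEY_TYPES.map { |t| Regexp.escape(t) }.join('|')
  m = line.match(/(?:^|\s)(#{types})\s+(\S+)(?:\s+(.*))?$/)
  return nil unless m
  options = line[0...m.begin(0)].strip
  {
    options: options.empty? ? nil : options,
    type: m[1],
    key: m[2],
    comment: (m[3] || '').strip
  }
end

# Constructed sample: 'otheruser' has been appended to jorhett's file, exactly
# the situation the report reproduces with `cat otheruser >> jorhett`.
SAMPLE_FILES = {
  '/etc/ssh/keys/otheruser' => "ssh-rsa AAAAB3blahblahblah otheruser\n",
  '/etc/ssh/keys/jorhett'   => "ssh-rsa AAAAB3nienienie jorhett\n" \
                               "ssh-rsa AAAAB3blahblahblah otheruser\n"
}.freeze

# Return { comment => [paths] } for every comment that occurs in more than one
# file. `files` maps a path to that file's contents.
def comment_collisions(files)
  seen = Hash.new { |h, k| h[k] = [] }
  files.each do |path, contents|
    contents.each_line do |line|
      entry = parse_authorized_key(line)
      next if entry.nil? || entry[:comment].empty?
      seen[entry[:comment]] << path unless seen[entry[:comment]].include?(path)
    end
  end
  seen.select { |_comment, paths| paths.size > 1 }
end

if __FILE__ == $PROGRAM_NAME
  comment_collisions(SAMPLE_FILES).each do |comment, paths|
    puts "comment #{comment.inspect} appears in: #{paths.join(', ')}"
  end
end
```

Run against the sample it reports `otheruser` as present in both files; the same check over the real key directory would flag the `cat otheruser >> jorhett` step before the next agent run. Because the comment is under the control of whoever can edit the file, the durable fix on the Puppet side is to match existing keys by the key material rather than by the comment, which is the point the report is making.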



-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en.