Issue #14809 has been updated by Kelsey Hightower.

Status changed from Unreviewed to Accepted

----------------------------------------
Bug #14809: Puppet confuses itself based on ssh key comment
https://projects.puppetlabs.com/issues/14809#change-64629

Author: Jo Rhett
Status: Accepted
Priority: Normal
Assignee:
Category: agent
Target version:
Affected Puppet version: 2.7.14
Keywords:
Branch:

So I've found an interesting issue. If you add a key to a managed ssh key file that happens to have as a comment the same name as a valid key in a different user's file, puppet complains.

Here's an example manifest:

<pre>
ssh_authorized_key{ 'otheruser':
  ensure => present,
  name   => 'otheruser',
  user   => 'otheruser',
  target => "/etc/ssh/keys/otheruser",
  type   => 'ssh-rsa',
  key    => 'blahblahblah',
}
ssh_authorized_key{ 'jorhett':
  ensure => present,
  name   => 'jorhett',
  user   => 'jorhett',
  target => "/etc/ssh/keys/jorhett",
  type   => 'ssh-rsa',
  key    => 'nienienie',
}
</pre>

Here's the output:

<pre>
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837310'
notice: /Stage[main]/Users::Netops/User_and_key[jorhett]/Ssh_authorized_key[jorhett]/ensure: created
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[jonv]/ensure: created
notice: Finished catalog run in 54.27 seconds
</pre>

Here's the very confusing error message when you add another key which matches a different user:

<pre>
root@testhost keys$ cat otheruser >> jorhett
root@testhost keys$ puppet agent --test
notice: Ignoring --listen on onetime run
info: Caching catalog for testhost
info: Applying configuration version '1338837237'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/user: user changed 'jorhett' to 'otheruser'
notice: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]/target: target changed '/etc/ssh/keys/jorhett' to '/etc/ssh/keys/otheruser'
info: FileBucket adding {md5}c6ce524a1e92ad3540259d73126678a2
err: /Stage[main]/Users::Netops/User_and_key[otheruser]/Ssh_authorized_key[otheruser]: Could not evaluate: Permission denied - /etc/ssh/keys/jorhett
notice: Finished catalog run in 54.19 seconds
</pre>

You'll notice that those messages make absolutely no sense at all.

The reasons for fixing this are:

1. It's not impossible or even unlikely for one user to add another user's key to their own authorized keys file.
2. I own my own key file, so I could easily change the comment to match another user's name.

This seems like an odd suspension of disbelief, where puppet is believing and using data from a user-editable file. Thankfully it doesn't seem to work, but it concerns me nonetheless.
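An added audit check for the condition the report describes (example code, neither Puppet's own nor the reporter's): it parses authorized_keys contents and flags any entry whose comment equals the name of a managed ssh_authorized_key resource whose target is a different file, which is exactly the state `cat otheruser >> jorhett` produces. The parser, the managed-resource map and the file contents are constructed here from the manifest values in the report.

```ruby
# Added audit script, not Puppet's own code: report authorized_keys entries whose
# comment equals the name of an ssh_authorized_key resource managed in another file.

# Key types recognised when locating the type token; options may precede it.
KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519 ecdsa-sha2-nistp256
               ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Parse one authorized_keys line into options/type/key/comment (nil for blank or '#' lines).
# Quoted options containing spaces are joined back together but not otherwise interpreted.
def parse_authorized_key(line)
  tokens = line.strip.split(/\s+/)
  return nil if tokens.empty? || tokens.first.start_with?('#')
  idx = tokens.index { |t| KEY_TYPES.include?(t) }
  return nil if idx.nil? || tokens[idx + 1].nil?
  { options: tokens.take(idx).join(' '), type: tokens[idx],
    key: tokens[idx + 1], comment: tokens.drop(idx + 2).join(' ') }
end

# managed: resource name => { user:, target: }; files: path => file contents.
# Returns every entry whose comment names a resource whose target is a different file.
def find_comment_collisions(managed, files)
  files.flat_map do |path, content|
    content.each_line.map do |line|
      entry = parse_authorized_key(line)
      res = entry && managed[entry[:comment]]
      next unless res && res[:target] != path
      { file: path, comment: entry[:comment], managed_target: res[:target] }
    end.compact
  end
end

# Resources taken from the report's manifest (constructed map).
MANAGED = {
  'otheruser' => { user: 'otheruser', target: '/etc/ssh/keys/otheruser' },
  'jorhett'   => { user: 'jorhett',   target: '/etc/ssh/keys/jorhett' }
}.freeze

# Constructed file contents reproducing the state after `cat otheruser >> jorhett`.
SAMPLE_FILES = {
  '/etc/ssh/keys/otheruser' => "ssh-rsa blahblahblah otheruser\n",
  '/etc/ssh/keys/jorhett'   => "ssh-rsa nienienie jorhett\nssh-rsa blahblahblah otheruser\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  find_comment_collisions(MANAGED, SAMPLE_FILES).each do |c|
    puts "#{c[:file]}: comment '#{c[:comment]}' names a key managed in #{c[:managed_target]}"
  end
end
```

Run against real targets by replacing SAMPLE_FILES with `File.read` of each managed target; a non-empty result means a comment in a user-writable file coincides with another managed resource's name.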
