The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

Bug #2014

sshkey creates /etc/ssh/ssh_known_hosts with mode 600

Added by Todd Zullinger over 5 years ago. Updated 10 months ago.

Status: Accepted
Start date: 02/22/2009
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: ssh
Target version: -
Affected Puppet version: 0.24.7
Branch:
Keywords: ssh known_hosts


This ticket is now tracked at: https://tickets.puppetlabs.com/browse/PUP-1177


Description

Using the sshkey type, /etc/ssh/ssh_known_hosts is created with mode 600 by default. This seems undesirable in most situations. I think the default should be 644. I didn’t see anything obvious in the sshkey code that set it strictly on purpose. Does puppet default to 600 somewhere? And is there a simple way to tweak a type to use a different mode? This seems like a similar issue to #1538. Of course, it’s not an inifile, so the fix will be different.


Related issues

Related to Puppet - Bug #2158: Nagios files are created mode 600 (Accepted, 04/14/2009)

History

#1 Updated by James Turnbull over 5 years ago

  • Status changed from Unreviewed to Accepted
  • Target version set to 0.24.8

#2 Updated by Luke Kanies over 5 years ago

  • Assignee set to Luke Kanies

#3 Updated by Luke Kanies over 5 years ago

  • Target version changed from 0.24.8 to 2.6.0

While I agree that this is a bug, it’s not a new bug (just one it took a long time for someone to complain about), so I don’t think it’s worth holding 0.24.8 for. And it’s a relatively difficult bug to fix, because the code for writing the file is so far from the code that decides what gets written. Certainly complicated enough that I don’t want its fix going into the hopefully-entirely-stable 0.24.8 release.

#4 Updated by Todd Zullinger over 5 years ago

Holding off sounds like a good plan. I think a number of the parsed provider resources could benefit from a clean fix in this area, rather than adding special cases for each instance. :)

If it’s possible when refactoring things, something that might be quite useful is to have a mode param for these resources, so that users who don’t agree with the defaults can change them easily without adding a mostly redundant file resource. For some of the types (yumrepo and ssh keys come to mind), the name/path of the file isn’t always straightforward to determine, so adding a file resource to modify the mode can often be more work than it needs to be.

Thanks!

#5 Updated by Luke Kanies over 5 years ago

I agree on solving them generally. Really, though, the better way is to support a File resource to manage them, rather than having other Puppet subsystems acquire file attributes.
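The file-resource workaround discussed in #4 and #5, written out as an added example that is not from the ticket or from Puppet's own code; the hostname, key value and aliases are constructed placeholders.

```puppet
# Added example (not from the ticket): manage a host key with sshkey, then
# correct the owner and mode of the file the parsed provider wrote.
# Hostname, aliases and key are constructed placeholders.
sshkey { 'bastion.example.com':
  ensure       => present,
  type         => 'ssh-rsa',
  key          => 'AAAAB3NzaC1yc2E...PLACEHOLDER',
  host_aliases => ['bastion', '192.0.2.10'],
  target       => '/etc/ssh/ssh_known_hosts',
}

# Separate file resource that manages only metadata; content is left alone so
# the sshkey provider stays authoritative for the file body. The file must be
# world-readable (0644): ssh clients run as unprivileged users and need to read
# the system-wide known_hosts to verify host keys, otherwise they fall back to
# per-user known_hosts and interactive "authenticity can't be established"
# prompts. Ordered after the sshkey resource so the file exists before the
# mode is corrected.
file { '/etc/ssh/ssh_known_hosts':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  require => Sshkey['bastion.example.com'],
}
```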

#6 Updated by Rob Madole over 4 years ago

On a Gentoo box, not only did it create the file with 600 but the owner was root while I needed it to be “robmadole”. Sure, easy enough to fix with the file resource, but I like the way that ssh_authorized_keys works. You specify a user and, just as I expected, file ownership and permissions were set up properly.

#7 Updated by James Turnbull over 4 years ago

  • Target version changed from 2.6.0 to 2.7.x

#8 Updated by Luke Kanies over 4 years ago

  • Assignee deleted (Luke Kanies)

#9 Updated by Malcolm Locke over 2 years ago

Just for the record, this is still affecting users today. For example, me. Today.

#10 Updated by Jay Reitz almost 2 years ago

And me. Yesterday.

#11 Updated by Andrew Parker almost 2 years ago

  • Target version deleted (2.7.x)

#12 Updated by Matthew Barr over 1 year ago

Just hit this bug. Could you at least put a note in the documentation? If you’re not going to fix it, then at least don’t confuse us.

#13 Updated by Anonymous 10 months ago

Redmine Issue #2014 has been migrated to JIRA:

https://tickets.puppetlabs.com/browse/PUP-1177
