The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets. See the following page for information on filing tickets with JIRA:

Bug #2014

sshkey creates /etc/ssh/ssh_known_hosts with mode 600

Added by Todd Zullinger about 7 years ago. Updated over 2 years ago.

Status: Accepted
Start date: 02/22/2009
Priority: Normal
Due date:
Assignee: -
% Done:
Target version: -
Affected Puppet version: 0.24.7
Branch:
Keywords: ssh known_hosts


Using the sshkey type, /etc/ssh/ssh_known_hosts is created with mode 600 by default. This seems undesirable in most situations. I think the default should be 644. I didn’t see anything obvious in the sshkey code that set it strictly on purpose. Does puppet default to 600 somewhere? And is there a simple way to tweak a type to use a different mode? This seems like a similar issue to #1538. Of course, it’s not an inifile, so the fix will be different.

Related issues

Related to Puppet - Bug #2158: Nagios files are created mode 600 (Accepted, 04/14/2009)


#1 Updated by James Turnbull about 7 years ago

  • Status changed from Unreviewed to Accepted
  • Target version set to 0.24.8

#2 Updated by Luke Kanies about 7 years ago

  • Assignee set to Luke Kanies

#3 Updated by Luke Kanies about 7 years ago

  • Target version changed from 0.24.8 to 2.6.0

While I agree that this is a bug, it’s not a new bug (just one it took a long time for someone to complain about), so I don’t think it’s worth holding 0.24.8 for. And it’s a relatively difficult bug to fix, because the code for writing the file is so far from the code that decides what gets written. Certainly complicated enough that I don’t want its fix going into the hopefully-entirely-stable 0.24.8 release.

#4 Updated by Todd Zullinger about 7 years ago

Holding off sounds like a good plan. I think a number of the parsed provider resources could benefit from a clean fix in this area, rather than adding special cases for each instance. :)

If it’s possible when refactoring things, something that might be quite useful is to have a mode param for these resources, so that users who don’t agree with the defaults can change them easily without adding a mostly redundant file resource. For some of the types (yumrepo and ssh keys come to mind), the name/path of the file isn’t always straightforward to determine, so adding a file resource to modify the mode can often be more work than it needs to be.


#5 Updated by Luke Kanies about 7 years ago

I agree on solving them generally. Really, though, the better way is to support a File resource to manage them, rather than having other Puppet subsystems acquire file attributes.

#6 Updated by Rob Madole over 6 years ago

On a Gentoo box, not only did it create the file with 600 but the owner was root while I needed it to be “robmadole”. Sure, easy enough to fix with the file resource, but I like the way that ssh_authorized_keys works. You specify a user and just as I expected, file ownership and permissions were set up properly.
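The workaround referred to in the two comments above (managing the known_hosts file with a separate file resource), written out as an added example. This manifest is not from the ticket or from the Puppet code base; the hostname, key material and aliases are placeholders. The security point it addresses: /etc/ssh/ssh_known_hosts is the system-wide host key store read by every user's ssh client, and a 0600 root-owned copy is unreadable to non-root users, so the host keys pinned there silently do nothing for them and they fall back to per-user known_hosts or first-use prompts.

```puppet
# Added example (not from the ticket). Pin a host key with the sshkey type,
# then manage the resulting file's ownership and mode explicitly, because
# sshkey itself has no mode parameter and its parsed-file provider writes
# the file 0600 (the behaviour this ticket reports).
sshkey { 'git.example.com':          # placeholder hostname
  ensure       => present,
  type         => 'ssh-rsa',
  key          => 'AAAAB3NzaC1yc2EPLACEHOLDERKEYMATERIAL',   # placeholder, not a real host key
  host_aliases => ['git', '192.0.2.10'],                    # placeholder aliases
  target       => '/etc/ssh/ssh_known_hosts',               # this is also the type's default
}

# Weak result without this block: root:root 0600, unreadable by non-root users.
# Corrected: world-readable, as the global known_hosts file must be to be useful.
# Content is deliberately not managed here; sshkey owns the file's contents,
# this resource only fixes the metadata after sshkey has written the file.
file { '/etc/ssh/ssh_known_hosts':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  require => Sshkey['git.example.com'],
}
```

After a run, `stat -c '%U:%G %a' /etc/ssh/ssh_known_hosts` should report `root:root 644`, and a non-root user connecting to the pinned host should no longer be asked to confirm the host key on first use. The same pattern (sshkey plus a file resource for mode only) can be reused for every host managed through the type, but every additional pinned host still needs its own sshkey resource; the single file resource covers the file's mode once.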

#7 Updated by James Turnbull over 6 years ago

  • Target version changed from 2.6.0 to 2.7.x

#8 Updated by Luke Kanies almost 6 years ago

  • Assignee deleted (Luke Kanies)

#9 Updated by Malcolm Locke about 4 years ago

Just for the record, this is still affecting users today. For example, me. Today.

#10 Updated by Jay Reitz over 3 years ago

And me. Yesterday.

#11 Updated by Anonymous over 3 years ago

  • Target version deleted (2.7.x)

#12 Updated by Matthew Barr almost 3 years ago

Just hit this bug. Could you at least put a note in the documentation? If you’re not going to fix it, then at least don’t confuse us.

#13 Updated by Anonymous over 2 years ago

Redmine Issue #2014 has been migrated to JIRA:
