The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #3872

ssh_authorized_key intended behaviour?

Added by Brad Meier almost 6 years ago. Updated over 4 years ago.

Status: Needs More Information
Start date: 05/25/2010
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: ssh
Target version: -
Affected Puppet version: 0.25.4
Branch:
Keywords:


Description

I was replacing a user’s authorized key by using an ssh_authorized_key with ensure => absent and adding a differently named key with an ensure => present below it. Both defined the user parameter. But the key was removed from a different user’s authorized_keys (they had the same key, with the same name in their keyring).

So, user A has key 1 and key 2, I want key 1 removed, key 2 added. User B has key 1 also in his authorized_keys, is also defined on the same system.

If I set user A’s key 1 to be removed from user A’s authorized_keys (user => A) it proceeds to remove it from User B’s authorized_keys and anywhere else it finds it. As long as the authorized_keys file has a reference in a user definition, it removes key 1.

Is the ensure => absent supposed to remove the key by key name only and ignore the user => A part?


Related issues

Related to Puppet - Bug #1531: ssh_authorized_keys should not use the key 'comment' as a... Accepted 08/25/2008

History

#1 Updated by James Turnbull almost 6 years ago

  • Status changed from Unreviewed to Needs More Information

Can you include the manifest please so I can take a look? Thanks.

#2 Updated by Brad Meier almost 6 years ago

class accounts::testuser_a {

  ssh_authorized_key { "test_a":
    name => "test_a_key1",
    type => dsa,
    ensure => absent,
    user => "test_a",
    key => "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"
  }

  ssh_authorized_key { "test_a_new":
    name => "test_a_key2",
    type => dsa,
    ensure => present,
    user => "test_a",
    key => "VXYZB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8"
  }

}

class accounts::testuser_b {

  ssh_authorized_key { "test_b":
    name => "test_b_key",
    type => dsa,
    ensure => present,
    user => "test_b",
    key => "1234B3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQ
CBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2o
PWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8"
  }

}

testuser_a has an authorized_keys of:

ssh-dss VXYZB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8 test_a_key2
ssh-dss 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 test_a_key1

testuser_b has an authorized_keys of:

ssh-dss 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 test_b_key
ssh-dss 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 test_a_key1

Now I run puppetd on a target system that has those two included in its catalog:

info: Applying configuration version '1275550126'
notice: //accounts::testuser_a/Ssh_authorized_key[test_a]/ensure: removed
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /home/testuser_a/.ssh/authorized_keys(7fcc046763b3d737f641fca43f327cd9)

testuser_b now has an authorized_keys of:

ssh-dss 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 test_b_key

testuser_a’s authorized_keys hasn’t changed yet…

Run puppetd again on the system:

info: Applying configuration version '1275550126'
notice: //accounts::testuser_a/Ssh_authorized_key[test_a]/ensure: removed
info: Filebucket[/var/lib/puppet/clientbucket]: Adding /home/testuser_a/.ssh/authorized_keys(6a2e67978633b06a431c2e95b2df4b2

Now testuser_b’s authorized_keys hasn’t changed (since it is missing) and testuser_a has what I would have expected after the first run:

ssh-dss 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 test_a_key2

My apologies for any formatting hell above!

#3 Updated by Nigel Kersten over 4 years ago

MY EYES!

/me goes to clean up formatting with pre tags.

#4 Updated by Daniel Johnson over 4 years ago

I think that it should be made to be possible to do either. In the situation that a sysadmin leaves the organization, or worse, their laptop is stolen, you probably want to remove their ssh keys in every possible place that they exist. In most situations, though, it seems like you would want the behavior to be user specific.
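
Added example, not part of the ticket and not Puppet's provider code: a small Ruby model of the two removal scopes discussed above (one user's file only, or every managed file), plus a pre-check that lists which users hold a key name before an `ensure => absent` is applied. The function names, the `SAMPLE` data and the short key blobs are constructed for illustration, and entries with an options prefix are assumed not to occur.

```ruby
# Constructed model of key removal by name; not Puppet's implementation.
Entry = Struct.new(:type, :blob, :comment)

# Parse authorized_keys text into entries.
# Assumption: lines are "type blob [comment]" with no leading options field.
def parse_keys(text)
  lines = text.each_line.map(&:strip)
  lines.reject { |l| l.empty? || l.start_with?('#') }.map do |line|
    type, blob, comment = line.split(' ', 3)
    Entry.new(type, blob, comment.to_s)
  end
end

# Serialise entries back to authorized_keys text.
def dump_keys(entries)
  entries.map { |e| [e.type, e.blob, e.comment].reject(&:empty?).join(' ') + "\n" }.join
end

# Pre-check: which users' files contain a key with this name (comment)?
# files is a hash of user => authorized_keys text.
def users_with_key(files, name)
  files.select { |_user, text| parse_keys(text).any? { |e| e.comment == name } }.keys.sort
end

# Remove entries named `name`.
#   user: nil    -> every managed file (the "key must go everywhere" case)
#   user: "name" -> only that user's file (the user-specific case)
# Returns a new hash; the input is left untouched.
def remove_key(files, name, user: nil)
  files.each_with_object({}) do |(owner, text), out|
    entries = parse_keys(text)
    entries = entries.reject { |e| e.comment == name } if user.nil? || user == owner
    out[owner] = dump_keys(entries)
  end
end

# Constructed sample mirroring the ticket: both users hold test_a_key1.
SAMPLE = {
  'test_a' => "ssh-dss AAAAKEY2 test_a_key2\nssh-dss AAAAKEY1 test_a_key1\n",
  'test_b' => "ssh-dss AAAAKEYB test_b_key\nssh-dss AAAAKEY1 test_a_key1\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "holders: #{users_with_key(SAMPLE, 'test_a_key1').join(', ')}"
  puts remove_key(SAMPLE, 'test_a_key1', user: 'test_a')['test_b']
end
```

Running `users_with_key` first shows every file a name-only removal would touch, which is the surprise reported in this ticket.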
