The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #7009

Puppet ssh_authorized_keys fails on one account if key with same name exists in another account

Added by John Goerzen about 5 years ago. Updated over 2 years ago.

Status: Accepted
Start date: 04/07/2011
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Affected Puppet version: 2.6.2
Branch:
Keywords:

This ticket is now tracked at: https://tickets.puppetlabs.com/browse/PUP-1175


Description

Hello,

I have been trying to debug this very strange error:

err: /Stage[main]/Accounts::Human::Sshkeys/Ssh_authorized_key[jgoerzen@wile]: Could not evaluate: No such file or directory – /home/jgoerzen/.ssh/authorized_keys

I observed that it went away if I changed the name “jgoerzen@wile” to “jgoerzen@wile2” in my Puppet .pp files.

This is a “virtual” resource (defined with an @) that is, of course, realized. This bug is a bit finicky and sometimes doesn’t present itself; it seems to be less likely to present itself if used without being virtual.

I completely rebuilt the Puppet client node multiple times trying to track this down. Here’s what seems to be the cause:

  • Puppet is creating the jgoerzen user directly, and ssh_authorized_keys is creating the single entry jgoerzen@wile for that account.
  • Puppet also manages root’s authorized_keys file. Puppet has been configured to add two entries to it, unrelated to jgoerzen@wile.
  • Before installing Puppet, /root/.ssh/authorized_keys already contained an entry for jgoerzen@wile. Puppet contained no instructions for what to do with this entry and left it in root’s authorized_keys file.
  • This appears to have caused a great deal of confusion. If I rename this entry in root’s authorized_keys file (again, outside Puppet, since Puppet wasn’t putting it there), then jgoerzen’s authorized_keys file is created as appropriate.

I could make the error go away by manually creating ~jgoerzen/.ssh and ~jgoerzen/.ssh/authorized_keys, but even if I did that, Puppet still wasn’t putting the key in it.
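Added example (not part of the original ticket and not Puppet's code): a Python check that parses each account's authorized_keys file and reports key names (comments) that appear in more than one account, which is the condition described above. The sample file contents and key blobs are constructed, and the function names are illustrative.

```python
from collections import defaultdict

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes that start the key-type field

def split_options(line):
    """Split a leading options field (quoted values may hold spaces) from the rest."""
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2  # skip an escaped character inside a quoted option value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()

def parse_line(line):
    """Parse one authorized_keys line; return None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return {"options": options, "type": parts[0], "key": parts[1], "comment": comment}

def comment_collisions(files):
    """files maps user -> authorized_keys text; return comments shared by >1 user."""
    seen = defaultdict(set)
    for user, text in files.items():
        for line in text.splitlines():
            entry = parse_line(line)
            if entry and entry["comment"]:
                seen[entry["comment"]].add(user)
    return {c: sorted(users) for c, users in seen.items() if len(users) > 1}

# Constructed sample: root holds an unmanaged entry named like jgoerzen's key.
SAMPLE = {
    "root": 'ssh-rsa AAAAEXAMPLE1 jgoerzen@wile\n'
            'command="/usr/bin/backup run",no-pty ssh-rsa AAAAEXAMPLE2 backup@host\n',
    "jgoerzen": "ssh-rsa AAAAEXAMPLE3 jgoerzen@wile\n",
}
```

Calling comment_collisions(SAMPLE) reports jgoerzen@wile as shared by jgoerzen and root; renaming the entry in the unmanaged file, as the reporter did, clears the collision.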


Related issues

Related to Puppet - Feature #1581: Ability to purge .ssh/authorized_keys Accepted 09/19/2008
Related to Puppet - Bug #1531: ssh_authorized_keys should not use the key 'comment' as a... Accepted 08/25/2008

History

#1 Updated by Ben Hughes about 5 years ago

  • Status changed from Unreviewed to Needs More Information
  • Assignee set to Ben Hughes

Is it possible to get an example of the resource and how you’re realizing it please?

The ssh_authorized_key code will create the directory as it goes and the file too, so it’s odd that creating it alters the outcome.

#2 Updated by John Goerzen about 5 years ago

Sure.

keys changed to protect the innocent….

class accounts::human::sshkeys {
  @ssh_authorized_key {"jgoerzen@wile":
    key => "...",
    user => "jgoerzen",
    type => "ssh-rsa",
    tag => "humanuser",
    require => File["/home/jgoerzen"]
  }
}

...

Inside a definition:

  Ssh_authorized_key <| user == $name |>

I too noticed the code about creating a directory. I am guessing that it is somehow getting confused seeing the same key in root’s authorized_keys and not bothering to check.

#3 Updated by Ben Hughes about 5 years ago

  • Status changed from Needs More Information to Accepted

#4 Updated by Anonymous almost 5 years ago

Bump

I just ran into this as well. I think the solution is to not alias the key with the comment. We should support multiple resources with different titles using the same key and comment.

[root@centos56 ~]# puppet apply -v  --graph --graphdir /vagrant/tmp/$(facter hostname) --modulepath /vagrant/modules /vagrant/modules/accounts/tests/init_yaml.pp
Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias Ssh_authorized_key[dan_ssh-rsa_jeff+moduledevkey@puppetlabs.com] to ["jeff+moduledevkey@puppetlabs.com"]; resource ["Ssh_authorized_key", ["jeff+moduledevkey@puppetlabs.com"]] already exists at /vagrant/modules/accounts/manifests/init.pp:134 on node centos56.localdomain

#5 Updated by Ben Hughes over 3 years ago

  • Status changed from Accepted to Unreviewed
  • Assignee changed from Ben Hughes to eric sorenson

#6 Updated by eric sorenson over 3 years ago

  • Status changed from Unreviewed to Accepted

I don’t know when this will get some investigation and love, but I’ve associated it with the other big ssh_authorized_keys bug I know of, #1581, in hopes that they will both be addressed at the same time.

#7 Updated by eric sorenson over 3 years ago

  • Assignee deleted (eric sorenson)

#8 Updated by Anonymous over 2 years ago

Redmine Issue #7009 has been migrated to JIRA:

https://tickets.puppetlabs.com/browse/PUP-1175
