I ran some tests.

I created some SSH files on Vagrant and created an authorized_keys with 
duplicates, and tried to add/remove a line that is not a duplicate.

The result is that if there is a line to be added/removed from the 
authorized_keys file, the duplicates are also removed. If there are no lines 
found to be removed, then nothing happens.

Illustration:

authorized_keys file; notice the duplicates in lines 1, 4 and 5. Line 4 has a 
different comment; line 5 has no comment.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 ansible
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4

This is a playbook to add a new line; to remove is the same principle:

---
- hosts: localhost
  gather_facts: false
  vars:
    keyfile: "{{ lookup('file', 'test_eckey4.pub') }}"

  tasks:
    - name: print keyfile contents
      debug:
        msg: "{{ keyfile }}"
    - name: remove public key
      authorized_key:
        path: ./test_authorized_keys
        user: vagrant
        state: present
        key: "{{ keyfile }}"


The output:

PLAY [localhost] 
*************************************************************************************************************************************************************************

TASK [print keyfile contents] 
************************************************************************************************************************************************************
ok: [localhost] => {
    "msg": "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIDn1SXhFU1uZbZKUGRDWHoHovewh5BTIoAqcK/uMf8F0 
vagrant@localhost.localdomain"
}

TASK [remove public key] 
*****************************************************************************************************************************************************************
--- before: ./test_authorized_keys
+++ after: ./test_authorized_keys
@@ -1,5 +1,4 @@
-ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 
vagrant@localhost.localdomain
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+
j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
 ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX 
vagrant@localhost.localdomain
-ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 
ansible
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/
tIyl0pLAlNGxjci4lsXjY4
+ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIDn1SXhFU1uZbZKUGRDWHoHovewh5BTIoAqcK/uMf8F0 
vagrant@localhost.localdomain
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/
tIyl0pLAlNGxjci4lsXjY4

changed: [localhost]

PLAY RECAP 
*******************************************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0



Notice how lines 1, 4 and 5 are removed. The requested SSH key is added, and 
the last line from the dupes is re-added at the bottom of the file.

This is a neat feature, but the fact that there is no documentation at all 
causes concern. If I have to remove a key in a 25-line authorized key and see 
that 10 lines are gone while I only requested one, that is, to be honest, 
baffling. I think that is what caused concern with the OP; RSA keys are not as 
easy to read as ed25519.

HTH.

On Thursday, May 28, 2020 at 2:52:08 PM UTC-5, Felix Fontein wrote:
>
> Hi all, 
>
> > On Thu, 28 May 2020 at 19:31, 'Mario Garcia' via Ansible Project 
> > <ansible...@googlegroups.com> wrote: 
> > > 
> > > I am working on it to provide you a use case.. but. 
> > > 
> > > is by any chance the authorizing_file modules sanitizing aka 
> > > removing duplicate entries on the remote authorized_key file even 
> > > if it was not in the key string passed to be removed 
> > 
> > No, there is no such sanitizing thing. 
>
> I just looked at the code 
> (https://github.com/ansible-collections/ansible.posix/blob/master/plugins/modules/authorized_key.py). 
>
> It does indeed remove duplicates. It puts all lines of authorized_keys 
> into a dictionary, indexed by the actual key: 
>
> https://github.com/ansible-collections/ansible.posix/blob/master/plugins/modules/authorized_key.py#L450-L461
>  
>
> The value in the dictionary contains more information so that the file 
> can be rebuilt - except that duplicate keys won't survive. 
>
> It's probably a good idea to mention that in the module docs. If 
> someone wants to create a PR for that (it's a good start to trying PRs 
> for collections!), feel free! 
>
> Cheers, 
> Felix 
>
>
>

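
A pre-flight check for the behaviour discussed in this thread, as an added example that is not part of the original messages and not the module's own code: it lists key blobs that occur on more than one line of an authorized_keys file, so you can see which entries a rewrite indexed by the key blob would collapse. The sample file, the function names and the "last entry per blob survives" rule (taken from the diff output in the message) are assumptions of this example.

```python
import re
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")

# Fields are whitespace-separated, but quoted option values may contain spaces.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')


def parse_line(line):
    """Return (options, keytype, blob, comment), or None for blank/comment/unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = TOKEN.findall(line)
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return (" ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:]))
    return None


def find_collisions(text):
    """Map each key blob seen more than once to the 1-based line numbers it appears on."""
    seen = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed:
            seen[parsed[2]].append(lineno)
    return {blob: nums for blob, nums in seen.items() if len(nums) > 1}


def lines_at_risk(text):
    """Lines that vanish if only the last entry per blob is kept (assumption from the post)."""
    return sorted(n for nums in find_collisions(text).values() for n in nums[:-1])


# Constructed sample mirroring the layout in the post: lines 1, 4 and 5 share one blob.
# The options on line 4 are added here to show that a dropped line can carry restrictions.
SAMPLE = """\
ssh-ed25519 AAAAexampleblobONE vagrant@localhost.localdomain
ssh-ed25519 AAAAexampleblobTWO vagrant@localhost.localdomain
ssh-ed25519 AAAAexampleblobTHREE vagrant@localhost.localdomain
from="10.0.0.0/8",command="echo hi there" ssh-ed25519 AAAAexampleblobONE ansible
ssh-ed25519 AAAAexampleblobONE
"""

if __name__ == "__main__":
    for blob, nums in find_collisions(SAMPLE).items():
        print(f"{blob} appears on lines {nums}")
    print("lines that would not survive:", lines_at_risk(SAMPLE))
```

Running this against a copy of the real file before a playbook run shows whether the surviving entry has different options or comment than the ones that disappear.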