[Puppet - Bug #3872] ssh_authorized_key intended behaviour?

Thu, 03 Jun 2010 00:41:27 -0700 

Issue #3872 has been updated by Brad Meier.


class accounts::testuser_a {

  ssh_authorized_key { "test_a":
    name => "test_a_key1",
    type => dsa,
    ensure => absent,
    user => "test_a",
    key => 
"ABCDB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8"
  }

  ssh_authorized_key { "test_a_new":
    name => "test_a_key2",
    type => dsa,
    ensure => present,
    user => "test_a",
    key => 
"VXYZB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8"
  }

}


class accounts::testuser_b {

  ssh_authorized_key { "test_b":
    name => "test_b_key",
    type => dsa,
    ensure => present,
    user => "test_b",
    key => 
"1234B3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQ
CBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2o
PWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8"
  }

}

testuser_a has an authorized_keys of:

ssh-dss 
VXYZB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8
 test_a_key2
ssh-dss 
ABCDB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8
 test_a_key1



testuser_b has an authorized_keys of:

ssh-dss 
1234B3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY
vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWY
N9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8 
test_b_key
ssh-dss 
ABCDB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY
vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWY
N9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8 
test_a_key1


Now I run puppetd on a target system that has those two included in its catalog:

info: Applying configuration version '1275550126'
notice: //accounts::testuser_a/Ssh_authorized_key[test_a]/ensure: removed
info: Filebucket[/var/lib/puppet/clientbucket]: Adding 
/home/testuser_a/.ssh/authorized_keys(7fcc046763b3d737f641fca43f327cd9)


testuser_b now has an authorized_keys of:

ssh-dss 
1234B3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8
 test_b_key


testuser_a's authorized_keys hasn't changed yet...


Run puppetd again on the system:

info: Applying configuration version '1275550126'
notice: //accounts::testuser_a/Ssh_authorized_key[test_a]/ensure: removed
info: Filebucket[/var/lib/puppet/clientbucket]: Adding 
/home/testuser_a/.ssh/authorized_keys(6a2e67978633b06a431c2e95b2df4b2


Now testuser_b's authorized_keys hasn't changed (since it is missing and 
testuser_a has what I would have expected after the first run:

ssh-dss 
VXYZB3NzaC1kc3MAAACBANR/oSVRI+wOFotpn5sGAWeRXfus8SgQxy8DYOf1YB6ZsiYae0aqhPyb0zgvYrFF265Qx7fTkF3oG8BT3k16eDPRqSpYUuMczk/zq9FYOsAjNDa243XEbIR4oKs8Sx/p70aZs9Ml+2XKYslZ7USfCtTp9frjhDKyXPCqhuGTcznBAAAAFQDRWF13UsITIuspV2bONVtiEbrqPwAAAIEAnfYnfAobtTQhCBY6vdwRy4YA8CYtW19kNMwKf5E7Y7VaxzEg5x3p0I1LAI1YwUiqcu75QCdpqjSrp1bllIDEtqxRg1Vd3LVVueXuv8uN4SbaKX2KLZpk99smOnp9Ka93YV5ILOmnl0NoubTjd34vghQ1W+26ZmmkVgI4xVHM1VoAAACBANO1VQa0WmpCZgJlj3aqcHi2OhdKokkqqkvY7IZ5Ng+QcKh0nZAHPbDzffAOG+O2omtZlIx+HFMiRdqqmmQtSQjxe2ogPWYON9D3KrOdDl+Oq1IS+B5ynrJsExqdeWY+lw0H0aA/XS/agBpooM3oXJr4lTBkGCNtT71hPILY8su8
 test_a_key2

----------------------------------------
Bug #3872: ssh_authorized_key intended behaviour?
http://projects.puppetlabs.com/issues/3872

Author: Brad Meier
Status: Needs more information
Priority: Normal
Assigned to: 
Category: ssh
Target version: 
Affected version: 0.25.4
Keywords: 
Branch: 


I was replacing a user's authorized key by using an ssh_authorized_key with 
ensure => absent and adding a differently named key with an ensure => present 
below it.  Both defined the user parameter.  But the key was removed from a 
different user's authorized_keys (they had the same key, with the same name in 
their keyring).  

So, user A has key 1 and key 2, I want key 1 removed, key 2 added.  User B has 
key 1 also in his authorized_keys, is also defined on the same system.

If I set user A's key 1 to be removed from user A's authorized_keys (user => A) 
it proceeds to remove it from User B's authorized_keys and anywhere else it 
finds it. As long as the authorized_keys file has a reference in a user 
definition, it removes key 1.  

Is the ensure => absent supposed to remove the key by key name only and ignore 
the user => A part?


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://projects.puppetlabs.com/my/account

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en.

Reply via email to