Issue #19994 has been updated by Charlie Sharpsteen.

Status changed from Re-opened to Investigating
Assignee changed from Roger Kennedy to Charlie Sharpsteen
Reproduced under 3.2.4 as well. Reproduction steps:

Apply the test manifest given in the [first comment](http://projects.puppetlabs.com/issues/19994#note-1) of this issue:

<pre>
# puppet apply /vagrant/19994-ssh-keys.pp
Notice: /Stage[main]//Group[frank]/ensure: created
Notice: /Stage[main]//Group[bob]/ensure: created
Notice: /Stage[main]//User[bob]/ensure: created
Notice: /Stage[main]//Ssh_authorized_key[bob_2]/ensure: created
Notice: /Stage[main]//User[frank]/ensure: created
Notice: /Stage[main]//Ssh_authorized_key[frank_1]/ensure: created
Notice: /Stage[main]//Ssh_authorized_key[frank_2]/ensure: created
Notice: /Stage[main]//Ssh_authorized_key[bob_1]/ensure: created
Notice: Finished catalog run in 0.27 seconds
</pre>

Mess with the permissions for one of the users and purge the ssh keys:

<pre>
chown -R vagrant:vagrant /home/bob
rm -f /home/bob/.ssh/authorized_keys /home/frank/.ssh/authorized_keys
</pre>

Try to apply the manifest again:

<pre>
# puppet apply /vagrant/19994-ssh-keys.pp
Notice: /Stage[main]//Ssh_authorized_key[bob_2]/ensure: created
Error: /Stage[main]//Ssh_authorized_key[bob_2]: Could not evaluate: Permission denied - /home/bob/.ssh
Notice: /Stage[main]//Ssh_authorized_key[frank_1]/ensure: created
Error: Puppet::Util::FileType::FileTypeFlat could not write /home/bob/.ssh/authorized_keys: Permission denied - /home/bob/.ssh/authorized_keys
Error: /Stage[main]//Ssh_authorized_key[frank_1]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/bob/.ssh/authorized_keys: Permission denied - /home/bob/.ssh/authorized_keys
Notice: /Stage[main]//Ssh_authorized_key[frank_2]/ensure: created
Error: Puppet::Util::FileType::FileTypeFlat could not write /home/bob/.ssh/authorized_keys: Permission denied - /home/bob/.ssh/authorized_keys
Error: /Stage[main]//Ssh_authorized_key[frank_2]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/bob/.ssh/authorized_keys: Permission denied - /home/bob/.ssh/authorized_keys
Notice: /Stage[main]//Ssh_authorized_key[bob_1]/ensure: created
Error: /Stage[main]//Ssh_authorized_key[bob_1]: Could not evaluate: Permission denied - /home/bob/.ssh
Notice: Finished catalog run in 0.12 seconds
</pre>

A failure for bob is expected; what is unexpected is that puppet will attempt to write _every key_ to the user with damaged permissions. Looking into a root cause.

----------------------------------------
Bug #19994: Puppet attempts to write authorized keys to the wrong user
https://projects.puppetlabs.com/issues/19994#change-96696

* Author: Nick Chappell
* Status: Investigating
* Priority: Normal
* Assignee: Charlie Sharpsteen
* Category: ssh
* Target version:
* Affected Puppet version: 2.7.22
* Keywords: customer
* Branch:
----------------------------------------
Puppet is attempting to write SSH authorized keys to the wrong user's ~/.ssh/authorized_keys file. This is different from http://projects.puppetlabs.com/issues/13973 as the temporary file is successfully created during the run. However, because Puppet writes an authorized key with the permissions of the user the key is for (due to https://puppetlabs.com/security/cve/cve-2011-3870/ ), writing to another user's authorized_keys causes the Puppet run to fail.
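The isolation the comment above calls expected (a permission failure confined to the user whose home was damaged, with frank's keys still written to frank's file), as an added Python sketch that is not Puppet's own provider code: records are batched per target file, each target's ownership is checked against the resource's user before anything is written, and a mismatch skips only that target. The record layout, `owner_of_path`, `flush`, `write_file` and the fake owner lookup in `dry_run_issue_scenario` are assumptions for illustration.

```python
import os
import pwd
from collections import defaultdict
# Constructed records mirroring this issue's manifest; "key" is a placeholder.
SAMPLE_KEYS = [
    {"name": "bob_1",   "user": "bob",   "key": "ssh-rsa PLACEHOLDER bob1",   "target": "/home/bob/.ssh/authorized_keys"},
    {"name": "bob_2",   "user": "bob",   "key": "ssh-rsa PLACEHOLDER bob2",   "target": "/home/bob/.ssh/authorized_keys"},
    {"name": "frank_1", "user": "frank", "key": "ssh-rsa PLACEHOLDER frank1", "target": "/home/frank/.ssh/authorized_keys"},
    {"name": "frank_2", "user": "frank", "key": "ssh-rsa PLACEHOLDER frank2", "target": "/home/frank/.ssh/authorized_keys"},
]

def owner_of_path(path):
    """Owner of the target, or of its parent dir when the file is absent; lstat, so no symlink is followed."""
    probe = path if os.path.lexists(path) else os.path.dirname(path)
    return pwd.getpwuid(os.lstat(probe).st_uid).pw_name

def write_file(target, records):
    """Rewrite the target with one key per line and owner-only permissions."""
    with open(target, "w") as fh:
        fh.writelines(r["key"] + "\n" for r in records)
    os.chmod(target, 0o600)

def group_by_target(keys):
    """Batch records by the file they belong to, as a parsed-file provider does."""
    groups = defaultdict(list)
    for record in keys:
        groups[record["target"]].append(record)
    return dict(groups)

def flush(keys, owner_of=owner_of_path, write=write_file):
    """Write each target independently: a target not owned by the resource's user
    is skipped with a report, and the other users' keys are still written."""
    results = {}
    for target, records in group_by_target(keys).items():
        owner = owner_of(target)
        wrong = [r["name"] for r in records if r["user"] != owner]
        if wrong:
            results[target] = ("skipped", f"owned by {owner}, not the key user: {wrong}")
            continue
        try:
            write(target, records)
            results[target] = ("written", [r["name"] for r in records])
        except PermissionError as exc:
            results[target] = ("error", str(exc))
    return results

def dry_run_issue_scenario():
    """The issue's second run without touching disk: bob's home chowned to vagrant."""
    bob_chowned = lambda p: "vagrant" if p.startswith("/home/bob/") else "frank"
    return flush(SAMPLE_KEYS, owner_of=bob_chowned, write=lambda t, r: None)
```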
