Jira (PUP-9812) With "root" account, Puppet "ssh_authorized_keys" create file "authorized_keys" & change the owner & group

2019-07-22 Thread Jacob Helwig (JIRA)
Jacob Helwig commented on PUP-9812

Re: With "root" account, Puppet "ssh_authorized_keys" create file "authorized_keys" & change the owner & group
Writing the authorized_keys file as root is not really something we should be doing in the sshkeys_core module's ssh_authorized_key type. The provider intentionally drops root permissions as it is intended to be modifying a file in a user's home directory, where we can't trust that the file path hasn't been modified in a malicious way. For example, a user could point their .ssh directory to another user via a symlink in order to take over that authorized_keys file, and determining what would be "safe" for the entire file path leading up to where the authorized_keys file would be stored for that particular user is not really something that we can do for all cases. For operating in a controlled environment such as the one described, using the File type directly to manage the content of the authorized_keys file, or using the concat module to manage individual keys in a single file would be a much better fit.

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.314737.1561946548000.25651.1563819660282%40Atlassian.JIRA.
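The manifest below is an added example applying the alternative Jacob describes to the paths and user from the report; it is not code from this thread, from the sshkeys_core module or from Puppet. It assumes the puppetlabs-concat module is installed on the master, that sshd on the host is configured with an AuthorizedKeysFile pointing at /opt/sysadm/etc/ssh_keys/%u/authorized_keys, and it reuses the elided key placeholder 'B3Nza[...]qXfdaQ==' and masked resource title from the report as-is.

```puppet
# Added example, not code from this thread or from the sshkeys_core module.
# The agent runs as root, so the File type creates the directory tree with
# explicit ownership and the puppetlabs-concat module (assumed installed)
# assembles the key file; nothing here drops privileges to 'everetv'.
# 'B3Nza[...]qXfdaQ==' is the elided placeholder from the report.

$keyroot = '/opt/sysadm/etc/ssh_keys'
$keydir  = "${keyroot}/everetv"
$keyfile = "${keydir}/authorized_keys"

# Root-owned directories the user cannot write to: the user cannot replace a
# path component with a symlink, and sshd's StrictModes accepts root ownership
# of the file and its parent directories.
file { $keyroot:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

file { $keydir:
  ensure  => directory,
  owner   => 'root',
  group   => 'everetv',
  mode    => '0750',
  require => File[$keyroot],
}

# One concat target per user. Each key is its own fragment, so keys can be
# added or removed from different manifests without rewriting the whole file.
concat { $keyfile:
  ensure  => present,
  owner   => 'root',
  group   => 'everetv',
  mode    => '0640',
  require => File[$keydir],
}

concat::fragment { 'everetv magpie key':
  target  => $keyfile,
  order   => '10',
  content => "ssh-rsa B3Nza[...]qXfdaQ== ever...@magpie.example.com\n",
}
```

If the concat module is not available, the plain File type works the same way: replace the concat and concat::fragment resources with a single `file { $keyfile: ensure => file, owner => 'root', group => 'everetv', mode => '0640', content => "...\n" }`. Either way, keep the file and every directory above it non-writable by the group and by others; with StrictModes on (the default), sshd silently ignores an authorized_keys file that fails that check, and the resulting login failure looks like a bad key rather than a permissions problem.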


Jira (PUP-9812) With "root" account, Puppet "ssh_authorized_keys" create file "authorized_keys" & change the owner & group

2019-07-15 Thread Josh Cooper (JIRA)
Josh Cooper updated an issue
Puppet / PUP-9812

With "root" account, Puppet "ssh_authorized_keys" create file "authorized_keys" & change the owner & group
Change By: Josh Cooper
```puppet
ssh_authorized_key { 'ever...@magpie.example.com':
  ensure => present,
  user   => 'everetv',
  type   => 'ssh-rsa',
  key    => 'B3Nza[...]qXfdaQ==',
  target => '/opt/sysadm/etc/ssh_keys/everetv/authorized_keys',
}
```

By default, in this example, the resource type "ssh_authorized_key" looks for the file "authorized_keys" owned by the specific user "everetv" inside the directory "/opt/sysadm/etc/ssh_keys/everetv/". In the secure environment, this file can't be created as the specific user, and the run ends with the following error:

```
Error: /Stage[main]/Main/Ssh_authorized_key[ever...@magpie.example.com]: Could not evaluate: Permission denied @ dir_s_mkdir - /opt/sysadm/etc/ssh_keys/everetv
```

Running the agent service as root, there should be a feature to create the key file and change the owner and group as per the properties given while defining the resource. This feature will be very handy to deal with the security requirement of organizations where a "non-root" account is not permitted to create files. This case is raised in connection with customer ticket "https://puppetlabs.zendesk.com/agent/tickets/35293".
Jira (PUP-9812) With "root" account, Puppet "ssh_authorized_keys" create file "authorized_keys" & change the owner & group

2019-06-30 Thread Maheswaran Shanmugam (JIRA)
Maheswaran Shanmugam created an issue
Puppet / PUP-9812

With "root" account, Puppet "ssh_authorized_keys" create file "authorized_keys" & change the owner & group
Issue Type: New Feature
Assignee: Unassigned
Components: Types and Providers
Created: 2019/06/30 7:02 PM
Environment: This case is tested with PE 2018.1.x; OS: RHEL 6.9 and CentOS 7.0
Priority: Major
Reporter: Maheswaran Shanmugam
```puppet
ssh_authorized_key { 'ever...@magpie.example.com':
  ensure => present,
  user   => 'everetv',
  type   => 'ssh-rsa',
  key    => 'B3Nza[...]qXfdaQ==',
  target => '/opt/sysadm/etc/ssh_keys/everetv/authorized_keys',
}
```

By default, in this example, the resource type "ssh_authorized_key" looks for the file "authorized_keys" owned by the specific user "everetv" inside the directory "/opt/sysadm/etc/ssh_keys/everetv/". In the secure environment, this file can't be created as the specific user, and the run ends with the following error:

```
Error: /Stage[main]/Main/Ssh_authorized_key[ever...@magpie.example.com]: Could not evaluate: Permission denied @ dir_s_mkdir - /opt/sysadm/etc/ssh_keys/everetv
```

Running the agent service as root, there should be a feature to create the key file and change the owner and group as per the properties given while defining the resource. This feature will be very handy to deal with the security requirement of organizations where a "non-root" account is not permitted to create files. This case is raised in connection with customer ticket "https://puppetlabs.zendesk.com/agent/tickets/35293".