MODULES-7594

SSH authorized_keys file is recreated if a user does not exist and there are multiple user/ssh_authorized_key resource declarations

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: sshkeys_core
    • Labels:
    • Environment:

      Puppet master

      OS: CentOS 7.2.1511 x86_64
      Puppetserver: 2.4.0-1.el7.noarch
      Puppetdb: 4.1.2-1.el7.noarch

      Puppet agent

      OS: CentOS 6.7 x86_64
      Puppetagent: 1.5.2-1.el6.x86_64

    • Template:
    • Acceptance Criteria:
      authorized_keys file shouldn't be modified if it has proper content and the user does not exist (which involves creating user action).
    • Team:
      Coremunity

      Description

      An authorized_keys file is recreated if a user does not exist and there are multiple user/ssh_authorized_key resource declarations.

      The first user/ssh_authorized_key declaration works as expected: the authorized_keys file is parsed and not modified.

      For all other users, the file is modified if the user does not exist.

      How to reproduce


      1. code

          group { 't':
            ensure => present,
            gid => 550,
          }
         
          file { '/home/test':
            ensure  => 'directory',
            owner   => 'test',
            group   => 550,
            mode    => '0755',
            require => User['test'],
          }
          file { "/home/test/.ssh":
            ensure  => 'directory',
            owner   => 'test',
            group   => 550,
            mode    => '0700',
            require => File['/home/test'],
          }
          user { 'test':
            ensure         => present,
            uid            => 10051,
            gid            => 550,
            groups         => [],
            home           => '/home/test',
            managehome     => true,
            password       => undef,
            purge_ssh_keys => true,
            system         => false,
            shell          => undef,
            allowdupe      => true,
          }
          ssh_authorized_key { 'test@test':
            ensure => present,
            user   => 'test',
            type   => 'ssh-rsa',
            key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDV3KORznWjPHBG3ZspDBawRBJWOIIyuRh/10rF8b9Vn1dgP/NjT+Xq58gCIB1n0/kfJo2jq2YfQ1sz9aqqxUxI+23LAlrD4r472cPWCwDWDQovXslHhxRiDhPfER4vK3k+tSCCQjDhBfgnsTRERM7CKjw3VxDJeHEnfDAl585FD6Fs6FD9kXQtsIHyNOOFFeCG5WppDYIsl+//6Nls/FUkrCjbikoS9fGBY3j17smv5BDYY+Nw40hxJoxbSp1ucmQy5fkdwQOw1/R7glL3c0cqGyiHmadO5stXp0yDtBf3cUzayZjhcLOOaivJjGcFZLEHX1V9xPeY5TC8PBv3ctZx'
          }
         
          file { '/home/test2':
            ensure  => 'directory',
            owner   => 'test2',
            group   => 550,
            mode    => '0755',
            require => User['test2'],
          }
          file { "/home/test2/.ssh":
            ensure  => 'directory',
            owner   => 'test2',
            group   => 550,
            mode    => '0700',
            require => File['/home/test2'],
          }
          user { 'test2':
            ensure         => present,
            uid            => 10052,
            gid            => 550,
            groups         => [],
            home           => '/home/test2',
            managehome     => true,
            password       => undef,
            purge_ssh_keys => true,
            system         => false,
            shell          => undef,
            allowdupe      => true,
          }
          ssh_authorized_key { 'test2@test2':
            ensure => present,
            user   => 'test2',
            type   => 'ssh-rsa',
            key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDV3KORznWjPHBG3ZspDBawRBJWOIIyuRh/10rF8b9Vn1dgP/NjT+Xq58gCIB1n0/kfJo2jq2YfQ1sz9aqqxUxI+23LAlrD4r472cPWCwDWDQovXslHhxRiDhPfER4vK3k+tSCCQjDhBfgnsTRERM7CKjw3VxDJeHEnfDAl585FD6Fs6FD9kXQtsIHyNOOFFeCG5WppDYIsl+//6Nls/FUkrCjbikoS9fGBY3j17smv5BDYY+Nw40hxJoxbSp1ucmQy5fkdwQOw1/R7glL3c0cqGyiHmadO5stXp0yDtBf3cUzayZjhcLOOaivJjGcFZLEHX1V9xPeY5TC8PBv3ctZx'
          }
         
          file { '/home/test3':
            ensure  => 'directory',
            owner   => 'test3',
            group   => 550,
            mode    => '0755',
            require => User['test3'],
          }
          file { "/home/test3/.ssh":
            ensure  => 'directory',
            owner   => 'test3',
            group   => 550,
            mode    => '0700',
            require => File['/home/test3'],
          }
          user { 'test3':
            ensure         => present,
            uid            => 10053,
            gid            => 550,
            groups         => [],
            home           => '/home/test3',
            managehome     => true,
            password       => undef,
            purge_ssh_keys => true,
            system         => false,
            shell          => undef,
            allowdupe      => true,
          }
          ssh_authorized_key { 'test3@test3':
            ensure => present,
            user   => 'test3',
            type   => 'ssh-rsa',
            key    => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDV3KORznWjPHBG3ZspDBawRBJWOIIyuRh/10rF8b9Vn1dgP/NjT+Xq58gCIB1n0/kfJo2jq2YfQ1sz9aqqxUxI+23LAlrD4r472cPWCwDWDQovXslHhxRiDhPfER4vK3k+tSCCQjDhBfgnsTRERM7CKjw3VxDJeHEnfDAl585FD6Fs6FD9kXQtsIHyNOOFFeCG5WppDYIsl+//6Nls/FUkrCjbikoS9fGBY3j17smv5BDYY+Nw40hxJoxbSp1ucmQy5fkdwQOw1/R7glL3c0cqGyiHmadO5stXp0yDtBf3cUzayZjhcLOOaivJjGcFZLEHX1V9xPeY5TC8PBv3ctZx'
          }
        

      2. puppet agent --debug --verbose --no-daemonize --onetime
      3. remove user 'test' and run puppet agent again

        Info: Caching catalog for *****
        Debug: Creating default schedules
        Debug: Loaded state in 0.09 seconds
        Debug: User[test] parsed for purging Ssh_authorized_key[test@test]
        Debug: User[test2] parsed for purging Ssh_authorized_key[test2@test2]
        Debug: User[test3] parsed for purging Ssh_authorized_key[test3@test3]
        Info: Applying configuration version '1478534587'
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test]/require: subscribes to User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test/.ssh]/require: subscribes to File[/home/test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2]/require: subscribes to User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2/.ssh]/require: subscribes to File[/home/test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3]/require: subscribes to User[test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3/.ssh]/require: subscribes to File[/home/test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test/.ssh]: Adding autorequire relationship with User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test@test]: Adding autorequire relationship with User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2/.ssh]: Adding autorequire relationship with User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test2]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test2@test2]: Adding autorequire relationship with User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3/.ssh]: Adding autorequire relationship with User[test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test3]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test3@test3]: Adding autorequire relationship with User[test3]
        Debug: Executing: '/usr/sbin/useradd -g 550 -d /home/test -u 10051 -o -m test'
        Notice: /Stage[main]/Dax_profiles::Auth_keys_test/User[test]/ensure: created
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test]: The container Class[Dax_profiles::Auth_keys_test] will propagate my refresh event
        Debug: Prefetching parsed resources for ssh_authorized_key
        Debug: Class[Dax_profiles::Auth_keys_test]: The container Stage[main] will propagate my refresh event
        Debug: Finishing transaction 34442180
        Debug: Storing state
        Debug: Stored state in 0.14 seconds
        Notice: Applied catalog in 0.46 seconds
        

      4. remove user 'test2' and run puppet agent

        Info: Caching catalog for *****
        Debug: Creating default schedules
        Debug: Loaded state in 0.09 seconds
        Debug: User[test] parsed for purging Ssh_authorized_key[test@test]
        Debug: User[test2] parsed for purging Ssh_authorized_key[test2@test2]
        Debug: User[test3] parsed for purging Ssh_authorized_key[test3@test3]
        Info: Applying configuration version '1478534587'
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test]/require: subscribes to User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test/.ssh]/require: subscribes to File[/home/test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2]/require: subscribes to User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2/.ssh]/require: subscribes to File[/home/test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3]/require: subscribes to User[test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3/.ssh]/require: subscribes to File[/home/test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test/.ssh]: Adding autorequire relationship with User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test@test]: Adding autorequire relationship with User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2/.ssh]: Adding autorequire relationship with User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test2]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test2@test2]: Adding autorequire relationship with User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3/.ssh]: Adding autorequire relationship with User[test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test3]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test3@test3]: Adding autorequire relationship with User[test3]
        Debug: Prefetching parsed resources for ssh_authorized_key
        Debug: The required user is not yet present on the system
        Debug: Executing: '/usr/sbin/useradd -g 550 -d /home/test2 -u 10052 -o -m test2'
        Notice: /Stage[main]/Dax_profiles::Auth_keys_test/User[test2]/ensure: created
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test2]: The container Class[Dax_profiles::Auth_keys_test] will propagate my refresh event
        Notice: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test2@test2]/ensure: created
        Info: Computing checksum on file /home/test2/.ssh/authorized_keys
        Debug: Flushing ssh_authorized_key provider target /home/test2/.ssh/authorized_keys
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test2@test2]: The container Class[Dax_profiles::Auth_keys_test] will propagate my refresh event
        Debug: Class[Dax_profiles::Auth_keys_test]: The container Stage[main] will propagate my refresh event
        Debug: Finishing transaction 29048120
        Debug: Storing state
        Debug: Stored state in 0.14 seconds
        Notice: Applied catalog in 0.49 seconds
        

      5. remove user 'test3' and run puppet agent

        Info: Caching catalog for *****
        Debug: Creating default schedules
        Debug: Loaded state in 0.09 seconds
        Debug: User[test] parsed for purging Ssh_authorized_key[test@test]
        Debug: User[test2] parsed for purging Ssh_authorized_key[test2@test2]
        Debug: User[test3] parsed for purging Ssh_authorized_key[test3@test3]
        Info: Applying configuration version '1478535202'
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test]/require: subscribes to User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test/.ssh]/require: subscribes to File[/home/test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2]/require: subscribes to User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2/.ssh]/require: subscribes to File[/home/test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3]/require: subscribes to User[test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3/.ssh]/require: subscribes to File[/home/test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test/.ssh]: Adding autorequire relationship with User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test@test]: Adding autorequire relationship with User[test]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test2/.ssh]: Adding autorequire relationship with User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test2]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test2@test2]: Adding autorequire relationship with User[test2]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/File[/home/test3/.ssh]: Adding autorequire relationship with User[test3]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test3]: Adding autorequire relationship with Group[t]
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test3@test3]: Adding autorequire relationship with User[test3]
        Debug: Prefetching parsed resources for ssh_authorized_key
        Debug: The required user is not yet present on the system
        Debug: Executing: '/usr/sbin/useradd -g 550 -d /home/test3 -u 10053 -o -m test3'
        Notice: /Stage[main]/Dax_profiles::Auth_keys_test/User[test3]/ensure: created
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/User[test3]: The container Class[Dax_profiles::Auth_keys_test] will propagate my refresh event
        Notice: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test3@test3]/ensure: created
        Info: Computing checksum on file /home/test3/.ssh/authorized_keys
        Debug: Flushing ssh_authorized_key provider target /home/test3/.ssh/authorized_keys
        Debug: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test3@test3]: The container Class[Dax_profiles::Auth_keys_test] will propagate my refresh event
        Debug: Class[Dax_profiles::Auth_keys_test]: The container Stage[main] will propagate my refresh event
        Debug: Finishing transaction 40419220
        Debug: Storing state
        Debug: Stored state in 0.14 seconds
        Notice: Applied catalog in 0.44 seconds
        

      The authorized_keys file content is flushed and recreated by the Puppet agent for the 2nd and 3rd users, which is not expected.
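
A detection check for the behaviour reported above, as an added example that is not part of the original issue or of Puppet's code: it parses one `puppet agent --debug` run and flags the case where a user is created after the `ssh_authorized_key` prefetch and an authorized_keys target is then flushed. The function name `analyze_run` and the abridged sample log are constructed for illustration; the ordering rule is a heuristic read from the logs above, not a confirmed root cause.

```python
import re

# Constructed sample: abridged debug lines in the format and order shown in step 4.
SAMPLE_RUN = """\
Debug: Prefetching parsed resources for ssh_authorized_key
Debug: The required user is not yet present on the system
Debug: Executing: '/usr/sbin/useradd -g 550 -d /home/test2 -u 10052 -o -m test2'
Notice: /Stage[main]/Dax_profiles::Auth_keys_test/User[test2]/ensure: created
Notice: /Stage[main]/Dax_profiles::Auth_keys_test/Ssh_authorized_key[test2@test2]/ensure: created
Debug: Flushing ssh_authorized_key provider target /home/test2/.ssh/authorized_keys
"""

PREFETCH = "Prefetching parsed resources for ssh_authorized_key"
USER_CREATED = re.compile(r"/User\[([^\]]+)\]/ensure: created")
KEY_CREATED = re.compile(r"/Ssh_authorized_key\[([^\]]+)\]/ensure: created")
FLUSHED = re.compile(r"Flushing ssh_authorized_key provider target (\S+)")


def analyze_run(log_text):
    """Summarise authorized_keys activity in the log of a single agent run."""
    prefetch_at = None
    users, keys, flushed = {}, [], []
    for i, line in enumerate(log_text.splitlines()):
        if PREFETCH in line and prefetch_at is None:
            prefetch_at = i
        elif (m := USER_CREATED.search(line)):
            users[m.group(1)] = i
        elif (m := KEY_CREATED.search(line)):
            keys.append(m.group(1))
        elif (m := FLUSHED.search(line)):
            flushed.append(m.group(1))
    # Heuristic: users whose creation is logged after the prefetch line,
    # the ordering seen in steps 4 and 5 but not in step 3.
    late_users = sorted(
        u for u, at in users.items() if prefetch_at is not None and at > prefetch_at
    )
    return {
        "late_users": late_users,
        "keys_created": keys,
        "rewritten": flushed,
        # Flag the run only when both conditions from the report coincide.
        "suspect": bool(late_users and flushed),
    }


if __name__ == "__main__":
    print(analyze_run(SAMPLE_RUN))
```

Feeding each agent run's debug output through `analyze_run` lets file-integrity alerts on authorized_keys be correlated with this known rewrite pattern instead of being triaged as unexplained key changes.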


              People

              • Assignee:
                Unassigned
                Reporter:
                echeglov Eugeniu Ceglov