MODULES-9578

sshkeys_core : Cannot create ssh_authorized_key file in custom directory.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: sshkeys_core
    • Labels:
      None
    • Environment:
    • Template:
      MODULES Bug Template
    • Team:
      Night's Watch
    • Story Points:
      3
    • Sprint:
      NW - 2019-08-21, NW - 2019-09-03, NW - 2019-09-18, NW - 2019-10-02, NW - 2019-10-16, NW - 2019-10-30
    • Method Found:
      Needs Assessment
    • Release Notes:
      New Feature
    • Release Notes Summary:
      This feature adds a new parameter, `drop_privileges`, which when set to false allows the module to write an ssh_authorized_key file in a privileged path. Due to the possible security implications of this, the parameter must be manually specified in order to activate this functionality.
          
      A path is considered to be privileged/trusted if all of its ancestors:
          - do not contain any symlinks
          - have the same owner as the user who runs Puppet
          - are not world/group writable
    • QA Risk Assessment:
      Needs Assessment
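The three ancestor checks in the release notes above, written out as an added Ruby example (this is not the sshkeys_core module's own code): `untrusted_reason` walks every parent directory of the target and reports the first one that is a symlink, is not owned by the given uid, or is group/world writable. The stat source is injectable, and `SAMPLE_FS` is a constructed tree (not taken from a real host) so the checks can be exercised offline; `Entry`, `real_lstat`, `untrusted_reason`, `trusted_path?` and `SAMPLE_LSTAT` are names chosen here.

```ruby
require 'pathname'
# Stat record the checker consumes; a real File::Stat is mapped onto it.
Entry = Struct.new(:uid, :mode, :symlink)

def real_lstat(path)
  st = File.lstat(path)
  Entry.new(st.uid, st.mode, st.symlink?)
end

# Returns nil when every ancestor directory of +target+ passes the three
# release-note checks, else a string naming the first failing directory.
# +uid+ is the user running Puppet; +lstat+ is injectable for testing.
def untrusted_reason(target, uid: Process.euid, lstat: method(:real_lstat))
  ancestors = []
  # The target file itself may not exist yet (the reporter's case), so only
  # its parent chain is inspected, from "/" downwards.
  Pathname.new(target).expand_path.dirname.ascend { |p| ancestors.unshift(p.to_s) }
  ancestors.each do |dir|
    st = lstat.call(dir)
    return "#{dir} is a symlink" if st.symlink
    return "#{dir} is owned by uid #{st.uid}, not #{uid}" unless st.uid == uid
    # 0o022 masks the group-write and other-write permission bits.
    return "#{dir} is group/world writable" unless (st.mode & 0o022).zero?
  end
  nil
rescue Errno::ENOENT, KeyError => e
  "ancestor missing: #{e.message}"
end

def trusted_path?(target, **opts)
  untrusted_reason(target, **opts).nil?
end

# Constructed sample tree (not taken from a real host); modes carry the
# directory type bits exactly as File::Stat#mode reports them.
SAMPLE_FS = {
  '/'                   => Entry.new(0, 0o040755, false),
  '/etc'                => Entry.new(0, 0o040755, false),
  '/etc/ssh'            => Entry.new(0, 0o040755, false),
  '/etc/ssh/local_keys' => Entry.new(0, 0o040755, false),    # the reporter's target dir
  '/home'               => Entry.new(0, 0o041777, false),    # sticky and world-writable
  '/home/robvin'        => Entry.new(1000, 0o040700, false),
  '/srv'                => Entry.new(0, 0o040755, false),
  '/srv/keys'           => Entry.new(0, 0o040755, true),     # a symlinked directory
  '/var'                => Entry.new(0, 0o040755, false),
  '/var/lib'            => Entry.new(0, 0o040755, false),
  '/var/lib/robvin'     => Entry.new(1000, 0o040755, false), # not owned by root
}.freeze
SAMPLE_LSTAT = ->(path) { SAMPLE_FS.fetch(path) }
```

Calling `untrusted_reason('/etc/ssh/local_keys/robvin', uid: 0, lstat: SAMPLE_LSTAT)` returns nil (trusted), while the `/home`, `/srv/keys` and `/var/lib/robvin` branches each name the check they fail; leaving `lstat` at its default runs the same checks against the real filesystem.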

      Description

      Basic Info
      Module Version: master
      Puppet Version: 6.6.0
      OS Name/Version: CentOS Linux release 7.6.1810 (Core)

      The ssh_authorized_key resource cannot create a keyfile in the /etc/ssh/local_keys folder, which is owned by `root`.

      # puppet apply -e "ssh_authorized_key { 'robvin': ensure => 'present', name => 'robert.vincent@conning.com', user => 'robvin', key => 'AAAAB3NzaC1yc2EAAA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', type=>'ssh-rsa', target=>'/etc/ssh/local_keys/robvin' }"
      Notice: Compiled catalog for cusdpupcse02.internal.cnngad.com in environment production in 0.11 seconds
      Notice: /Stage[main]/Main/Ssh_authorized_key[robvin]/ensure: created
      Error: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/local_keys/robvin: Permission denied @ rb_sysopen - /etc/ssh/local_keys/robvin
      Error: /Stage[main]/Main/Ssh_authorized_key[robvin]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /etc/ssh/local_keys/robvin: Permission denied @ rb_sysopen - /etc/ssh/local_keys/robvin
      Notice: Applied catalog in 0.64 seconds
      

      It will add a key to an existing empty file:

      [root@cusdpupcse02 ~]# touch /etc/ssh/local_keys/robvin
      [root@cusdpupcse02 ~]# chown robvin:robvin  /etc/ssh/local_keys/robvin
      [root@cusdpupcse02 ~]# puppet apply -e "ssh_authorized_key { 'robvin': ensure => 'present', name => 'robert.vincent@conning.com', user => 'robvin', key => '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', type=>'ssh-rsa', target=>'/etc/ssh/local_keys/robvin' }"
      Notice: Compiled catalog for cusdpupcse02.internal.cnngad.com in environment production in 0.09 seconds
      Notice: /Stage[main]/Main/Ssh_authorized_key[robvin]/ensure: created
      Notice: Applied catalog in 2.82 seconds
      

      Desired Behavior:

      The ssh_authorized_key resource should create the file, if necessary.

      Actual Behavior:

      The ssh_authorized_key resource fails unless the target file already exists.

    People

    • Assignee: Gabriel Nagy (gabriel.nagy)
    • Reporter: Robert August Vincent II (pillarsdotnet)