Details

    • Type: New Feature
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: sshkeys_core
    • Labels:
      None
    • Template:
    • Team:
      Night's Watch
    • Sprint:
      PR - Triage, PR - Triage
    • QA Risk Assessment:
      Needs Assessment

      Description

      Module Version: N/A
      Puppet Version: Puppet 4.8.2
      OS Name/Version: Debian stretch

      We have a security policy which says SSH `authorized_keys` files should not be writable by users, so that those keys are solely under the control of admins (and therefore Puppet).

      Unfortunately, the way the `ssh_authorized_key` type operates now is that it hardcodes the mode (`0600`) of the file and also the owner (whatever the `user` selected). So an operator has two choices, either:

      • make the file owned by the user, in which case authentication works but the keys are modifiable by the user, or;
      • make the file owned by `root`, in which case the file is not writable by the user but authentication then fails because it's not readable either

      Desired Behavior: It should be possible to have read-only SSH keys.

      Actual Behavior: SSH keys are either read/write or unreadable.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              anarcat Antoine
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:

                Zendesk Support