  1. Puppet
  2. PUP-3357

Unexpected error with multiple SSH keys without comments


    • Sprint:
      Platform 2014-10-15, Platform Client 2014-10-29


      Steps to reproduce:

      1. Enter multiple SSH authorized keys for a user without comments (just a key line by line, see example below).
      2. Manage the user with Puppet with the purge_ssh_keys parameter set to true.
      3. Have Puppet agent 3.7.0+
      4. Puppet agent run fails completely with an error. (full denial of service of the agent effectively)

      Expected behaviour: Purging all other SSH keys, with or without comments and a successful Puppet agent run.

      Note: Because of an unprivileged user being able to block Puppet agent runs I consider this more than just a corner case.

      More details:

      Since 3.7.0 (not with 3.6.2), I'm getting an unexpected error on the Puppet agent runs managing the user's SSH authorized keys with purge_ssh_keys enabled. Some users enter multiple keys without comments in the files, e.g.:

      ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/HHDwh6ccmX4BT5rpCEt7Z647v3WwmVCamWfxgUMCegYJliI7BjfAMX0HPdlaCfPd67oWQJaKg9qSNEuHBbKM= 
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYUv24oLUvh8Vr3g0XxocU2AYkc3RTunnrR8ChkWgjru9d3o5O1mdg7dzkQDyiQflHa3XGSbvly9LAxKOQhJtZEHJ6+Sn8iAo5edJR2yE6uX2O9DcYOgaoZO0Rg3PG5JsP3JdrS5lb3jwvsGfPFU+bC5egEypWDnIakLQksvkcldwMuzDVeExm11LakMd2MPig4gaje7HVoP++LVLxqxYUZQTiEGOZwTnysO/CywhGvD5V2n59T+1Hqhz9cgx+l2fdJxuJPXq9a7V+crxxLW22w/LIj70KvdDPh7jyfAzMk+k8tYg/6FbTz6sft2uQ043fCBso8iy2iTIAj8xqBKab

      This results in the following error in 3.7.0+:

      Error: Could not apply complete catalog: Duplicate declaration: Ssh_authorized_key[] is already declared; cannot redeclare

      With the agent downgraded to 3.6.2, it runs, but it does not remove the existing keys properly.

      Notice: /Stage[main]/Localusers/Ssh_authorized_key[key0]/ensure: current_value absent, should be present (noop)
      Notice: /Stage[main]/Localusers/Ssh_authorized_key[key1]/ensure: current_value absent, should be present (noop)
      Notice: /Stage[main]/Localusers/Ssh_authorized_key[key2]/ensure: current_value absent, should be present (noop)

      Back on 3.7.1, it works fine again after editing the user's authorized_keys file and adding some comments:

      ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI/HHDwh6ccmX4BT5rpCEt7Z647v3WwmVCamWfxgUMCegYJliI7BjfAMX0HPdlaCfPd67oWQJaKg9qSNEuHBbKM= key0
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYUv24oLUvh8Vr3g0XxocU2AYkc3RTunnrR8ChkWgjru9d3o5O1mdg7dzkQDyiQflHa3XGSbvly9LAxKOQhJtZEHJ6+Sn8iAo5edJR2yE6uX2O9DcYOgaoZO0Rg3PG5JsP3JdrS5lb3jwvsGfPFU+bC5egEypWDnIakLQksvkcldwMuzDVeExm11LakMd2MPig4gaje7HVoP++LVLxqxYUZQTiEGOZwTnysO/CywhGvD5V2n59T+1Hqhz9cgx+l2fdJxuJPXq9a7V+crxxLW22w/LIj70KvdDPh7jyfAzMk+k8tYg/6FbTz6sft2uQ043fCBso8iy2iTIAj8xqBKab key1

      Notice: /Stage[main]/Localusers/Ssh_authorized_key[key0]/ensure: current_value present, should be absent (noop)
      Notice: /Stage[main]/Localusers/Ssh_authorized_key[key1]/ensure: current_value present, should be absent (noop)





              • Assignee:
                gertvdijk Gert van Dijk
                QA Contact:
                Eric Thompson
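The collision described in the report, as an added Ruby example that is not part of the original ticket and is not Puppet's code. It assumes, as the `Ssh_authorized_key[]` error and the `key0`/`key1` notices suggest, that purged keys are titled by their comment field; the parser, the helper names and the sample keys are constructed for illustration.

```ruby
require 'digest'

# Key types accepted as the start of the key field (not exhaustive).
KEY_TYPE = /\A(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521))\z/

# Constructed placeholder lines, not real key material.
SAMPLE = <<~KEYS
  # two keys without a comment, one with options and a comment
  ssh-rsa QUFBQQ==
  ecdsa-sha2-nistp256 QkJCQg==
  command="/bin/true" ssh-ed25519 Q0NDQw== backup
KEYS

# Parse one authorized_keys line into {type:, blob:, comment:}.
# Simplification: options containing quoted whitespace are split naively.
# Returns nil for blank lines, comment lines and unparseable lines.
def parse_key_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  fields = line.split(/\s+/)
  idx = fields.index { |f| f.match?(KEY_TYPE) }
  return nil if idx.nil? || fields[idx + 1].nil?
  { type: fields[idx], blob: fields[idx + 1], comment: fields.drop(idx + 2).join(' ') }
end

def parsed_keys(text)
  text.each_line.map { |l| parse_key_line(l) }.compact
end

# Titles a purge step would produce if it used the comment alone.
def naive_titles(text)
  parsed_keys(text).map { |k| k[:comment] }
end

# Titles used more than once: the "Duplicate declaration" condition.
def colliding_titles(text)
  naive_titles(text).group_by { |t| t }.select { |_, v| v.size > 1 }.keys
end

# Unique titles: an empty comment falls back to key type plus a digest of
# the decoded key blob; any remaining repeat gets a numeric suffix.
def unique_titles(text)
  seen = {}
  parsed_keys(text).map do |k|
    fp = Digest::SHA256.hexdigest(k[:blob].unpack1('m'))[0, 16]
    base = k[:comment].empty? ? "#{k[:type]}-#{fp}" : k[:comment]
    title = base
    n = 1
    title = "#{base}-#{n += 1}" while seen[title]
    seen[title] = true
    title
  end
end
```

Running `colliding_titles` over each managed user's authorized_keys file flags the accounts whose keys would all map to the same empty title before an agent run hits them.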