[MODULES-7599] ssh_authorized_key key update will fail on CentOS 7.4
Created: 2017/09/14 Updated: 2018/12/05
|Labels:||centos, centos7, permissions, ssh, ssh_authorized_key, type_and_provider|
|Epic Link:||ssh_authorized_key Type/Provider Improvements|
No entries under /var/log/audit/audit.log
|Comment by Frank [ 2017/09/14 ]|
The problem exists only when /home/foo/.ssh/authorized_keys has only 0400 rights, which is enough for ssh to run.
|Comment by Josh Cooper [ 2018/02/13 ]|
|Comment by Jacob Helwig [ 2018/08/06 ]|
Not a strict duplicate of PUP-3234, but definitely closely related.
|Comment by Scott McClellan [ 2018/08/21 ]|
Branan Riley to add detail and move to Accepted.
|Comment by Branan Riley [ 2018/08/21 ]|
The issue here is that Puppet tries to drop permissions to manage the authorized keys as the specified user, so it can't overwrite the `0400` file without changing its perms. We either need to run as root in that case, shuffle the perms, or generate a file securely in temp somewhere that we can then move over the 0400 authorized_keys file.
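The failure and the third option from the comment above, as an added example that is not Puppet's code or the fix that was shipped: an in-place write to a 0400 file is refused for its owner, while a temp file renamed over it succeeds. Assumptions: the temp file is created inside the same `.ssh` directory (not a shared temp location) so the rename stays on one filesystem, the key lines are constructed, and the helper names are hypothetical.

```ruby
require 'tmpdir'
require 'tempfile'

# Constructed sample key line, not a real key.
NEW_KEYS = "ssh-ed25519 AAAA-constructed-new-key foo@example\n"

# Overwrite in place, the way a process running as the file's owner would.
# Returns true when the kernel refuses the open (EACCES on a 0400 file).
def in_place_write_denied?(path, content)
  File.open(path, 'w') { |f| f.write(content) }
  false
rescue Errno::EACCES
  true
end

# Replace the file without opening it for writing: write a temp file in the
# same directory (created 0600), set the final mode, then rename over the
# target. rename(2) needs write permission on the directory, not the file.
def atomic_replace(path, content, mode = 0o400)
  tmp = Tempfile.create(['.authorized_keys', '.tmp'], File.dirname(path))
  tmp_path = tmp.path
  begin
    tmp.write(content)
    tmp.fsync
    tmp.chmod(mode)
    tmp.close
    File.rename(tmp_path, path)
  rescue StandardError
    tmp.close unless tmp.closed?
    File.unlink(tmp_path) if File.exist?(tmp_path)
    raise
  end
end

# Build a throwaway ~/.ssh with a 0400 authorized_keys and try both approaches.
def demo
  Dir.mktmpdir do |home|
    ssh_dir = File.join(home, '.ssh')
    Dir.mkdir(ssh_dir, 0o700)
    keys = File.join(ssh_dir, 'authorized_keys')
    File.write(keys, "ssh-ed25519 AAAA-constructed-old-key foo@example\n")
    File.chmod(0o400, keys)
    denied = in_place_write_denied?(keys, NEW_KEYS)
    atomic_replace(keys, NEW_KEYS)
    { denied: denied, content: File.read(keys), mode: File.stat(keys).mode & 0o777 }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Run as an unprivileged user, `denied` is true; run as root it is false, because root bypasses the file mode check, which is why the problem only appears once privileges are dropped.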
|Comment by Drew Wyatt [ 2018/12/05 ]|
We have just had a similar issue in that a user we were adding was not getting the authorized_keys file with the permission denied error message, exactly as above. We found that the issue was that one of the users that was evaluated earlier in the sequence had an issue in the .pp file, and none of the users after that worked properly. Once we resolved the typo in the .pp file, all of the user accounts were created as expected. It seems that the puppet agent does not deal with an error in account creation particularly well.
We are running both 4.10.12 and 4.10.11 on the agent side and server version 2.8.0.