[MODULES-7599] ssh_authorized_key key update will fail on CentOS 7.4 Created: 2017/09/14  Updated: 2018/12/05

Status: Accepted
Project: Modules
Component/s: sshkeys_core
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Frank Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: centos, centos7, permissions, ssh, ssh_authorized_key, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

CentOS 7.4


Issue Links:
Relates
relates to MODULES-7606 ssh_authorized_keys updating user => ... Needs Information
Template:
Epic Link: ssh_authorized_key Type/Provider Improvements
Team: Platform OS
Method Found: Needs Assessment
QA Risk Assessment: Needs Assessment

 Description   

Notice: /Stage[main]/Ssh_user/Ssh_user::foo_settings[foo-srvadm]/Ssh_authorized_key[foo-srvadm_rsa]/ensure: created
Debug: Flushing ssh_authorized_key provider target /home/foo-srvadm/.ssh/authorized_keys
Error: Puppet::Util::FileType::FileTypeFlat could not write /home/foo-srvadm/.ssh/authorized_keys: Permission denied @ rb_sysopen - /home/foo-srvadm/.ssh/authorized_keys
Error: /Stage[main]/Ssh_user/Ssh_user::foo_settings[foo-srvadm]/Ssh_authorized_key[foo-srvadm_rsa]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/foo-srvadm/.ssh/authorized_keys: Permission denied @ rb_sysopen - /home/foo-srvadm/.ssh/authorized_keys
Notice: /Stage[main]/Ssh_user/Ssh_user::foo_settings[foo-srvadm]/Ssh_authorized_key[foo-srvadm_ed25519]/ensure: created
Debug: Flushing ssh_authorized_key provider target /home/foo-srvadm/.ssh/authorized_keys
Error: Puppet::Util::FileType::FileTypeFlat could not write /home/foo-srvadm/.ssh/authorized_keys: Permission denied @ rb_sysopen - /home/foo-srvadm/.ssh/authorized_keys
Error: /Stage[main]/Ssh_user/Ssh_user::foo_settings[foo-srvadm]/Ssh_authorized_key[foo-srvadm_ed25519]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/foo-srvadm/.ssh/authorized_keys: Permission denied @ rb_sysopen - /home/foo-srvadm/.ssh/authorized_keys

No entries under /var/log/audit/audit.log



 Comments   
Comment by Frank [ 2017/09/14 ]

The problem exists only when /home/foo/.ssh/authorized_keys has only 0400 rights, which is enough for ssh to run.

Comment by Josh Cooper [ 2018/02/13 ]

Frank, is this a dup of PUP-3234?

Comment by Jacob Helwig [ 2018/08/06 ]

Not a strict duplicate of PUP-3234, but definitely closely related.

Comment by Scott McClellan [ 2018/08/21 ]

Branan Riley to add detail and move to Accepted.

Comment by Branan Riley [ 2018/08/21 ]

The issue here is that Puppet tries to drop permissions to manage the authorized keys as the specified user, so can't overwrite the `0400` file without changing its perms. We either need to run as root in that case, shuffle the perms, or generate a file securely in temp somewhere that we can then move over the 0400 authorized_keys file.
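The third option in the comment above (write a new file, then move it over the 0400 authorized_keys), as an added Ruby sketch that is not code from Puppet or the sshkeys_core module. The helper names, the choice of a temp file in the same directory, and the sample key lines are assumptions constructed for illustration.

```ruby
require 'tmpdir'
require 'securerandom'

# In-place write, as attempted after dropping privileges to the key's owner.
# Returns the error class name, or nil when the write was allowed (e.g. root).
def in_place_write_error(path, content)
  File.open(path, 'w') { |f| f.write(content) }
  nil
rescue SystemCallError => e
  e.class.name
end

# Replace path without write permission on the file itself: create a new file
# next to it (exclusive create, restrictive mode from the start) and rename it
# over the old one. rename(2) needs write access to the directory only.
def replace_via_temp(path, content, mode = 0o400)
  tmp = File.join(File.dirname(path),
                  ".#{File.basename(path)}.#{SecureRandom.hex(8)}")
  begin
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
      f.write(content)
      f.chmod(mode) # set the exact mode regardless of umask
      f.fsync
    end
    File.rename(tmp, path) # atomic within one filesystem
  rescue StandardError
    File.unlink(tmp) if File.exist?(tmp)
    raise
  end
  File.stat(path).mode & 0o777
end

# Constructed demo: throwaway home with a 0700 .ssh and a 0400 authorized_keys.
def demo
  Dir.mktmpdir do |home|
    ssh = File.join(home, '.ssh')
    Dir.mkdir(ssh, 0o700)
    keys = File.join(ssh, 'authorized_keys')
    File.write(keys, "ssh-ed25519 AAAA_CONSTRUCTED_OLD old@example\n")
    File.chmod(0o400, keys)
    err = in_place_write_error(keys, "in-place attempt\n")
    mode = replace_via_temp(keys, "ssh-ed25519 AAAA_CONSTRUCTED_NEW new@example\n")
    { error: err, mode: mode, content: File.read(keys),
      leftovers: Dir.children(ssh) - ['authorized_keys'] }
  end
end

p demo if $PROGRAM_NAME == __FILE__
```

The rename only works when the unprivileged user can write to the .ssh directory and the temp file is on the same filesystem as the target.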

Comment by Drew Wyatt [ 2018/12/05 ]

We have just had a similar issue in that a user we were adding was not getting the authorized_keys file with the permission denied error message, exactly as above. We found that the issue was that one of the users that was evaluated earlier in the sequence had an issue in the .pp file, and none of the users after that worked properly. Once we resolved the typo in the .pp file, all of the user accounts were created as expected. It seems that the puppet agent does not deal with an error in account creation particularly well.

We are running both 4.10.12 and 4.10.11 on the agent side and server version 2.8.0
