[MODULES-7606] ssh_authorized_keys updating user => ... fails with Permission denied on previous user's .ssh/authorized_keys Created: 2014/09/11  Updated: 2018/08/21

Status: Needs Information
Project: Modules
Component/s: sshkeys_core
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Normal
Reporter: Tero Marttila Assignee: Branan Riley
Resolution: Unresolved Votes: 6
Labels: permissions, ssh, ssh_authorized_key, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Ubuntu 14.04
puppetmaster-passenger 3.6.2-1puppetlabs1
puppet agent 3.4.3-1

Issue Links:
is duplicated by PUP-4401 ssh_key purge on a authorized_key fil... Closed
relates to MODULES-7599 ssh_authorized_key key update will fa... Accepted
Team: Platform OS
QA Contact: Eric Thompson


Changing the user for an ssh_authorized_key resource:

    ssh_authorized_key { "admin::sshkey:$name":
        ensure => present,
        key    => $sshkey,
        type   => $type,
        user   => $user,

Leads to a Permission Denied error writing to the ~/.ssh/authorized_keys file of the previous user:

Notice: /Stage[main]/Admins/Admin[foo]/Admin::Sshkey[...]/Ssh_authorized_key[admin::sshkey:...]/user: user changed 'bar' to 'foo'
Notice: /Stage[main]/Admins/Admin[foo]/Admin::Sshkey[...]/Ssh_authorized_key[admin::sshkey:...]/target: target changed '/home/bar/.ssh/authorized_keys' to '/home/foo/.ssh/authorized_keys'
Error: Puppet::Util::FileType::FileTypeFlat could not write /home/bar/.ssh/authorized_keys: Permission denied - /home/bar/.ssh/authorized_keys
Error: /Stage[main]/Admins/Admin[foo]/Admin::Sshkey[...]/Ssh_authorized_key[admin::sshkey:...]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/bar/.ssh/authorized_keys: Permission denied - /home/bar/.ssh/authorized_keys

The key for the new user is not written to ~foo/.ssh/authorized_keys, nor is the key removed from the old user's ~bar/.ssh/authorized_keys.

Comment by Thomas Kishel [ 2017/04/03 ]

This issue is the result of this PR:


"Drop privileges before creating and chmodding SSH keys. Previously, potentially abusable chown and chmod calls were performed as root. This tries to moves as much as possible into code which is run after privileges have been dropped. Huge thanks to Ricky Zhou <ricky@fedoraproject.org> for discovering this and supplying the security fix. Awesome work. Fixes CVE-2011-3870."

The error occurs within the `super` call here:


To reproduce:

node test {
  user { 'test':
    ensure => present,
    gid => 'users',
    managehome => true,
    password => '!!',
    home => "/home/test",
    forcelocal => true,
    purge_ssh_keys => true,
  ssh_authorized_key { 'test@home':
    user => 'test',
    type => 'ssh-rsa',
    key => 'ABC123',

puppet agent -t
chown root:root /home/test/.ssh/authorized_keys
puppet agent -t

Results in:

Error: Puppet::Util::FileType::FileTypeFlat could not write /home/test/.ssh/authorized_keys: Permission denied @ rb_sysopen - /home/test/.ssh/authorized_keys

In one user's case, the authorized_keys file was created but kept its root:root ownership due to another (permissions on /tmp) error:

Error: Puppet::Util::FileType::FileTypeFlat could not write /home/test/.ssh/authorized_keys: could not find a temporary directory

Environment: OS: RHEL 7.3 / PE: 2016.4.x

Comment by Scott McClellan [ 2018/08/21 ]

Branan Riley to add some detail to what the desired behavior is and mark as Accepted.

Generated at Sun Feb 16 17:25:29 PST 2020 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.