[MODULES-7614] user resource does not remove duplicate ssh keys in different locations Created: 2018/07/05  Updated: 2018/08/21

Status: Accepted
Project: Modules
Component/s: sshkeys_core
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Normal
Reporter: Gerhardus Geldenhuis Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: ssh, ssh_authorized_key, type_and_provider
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MODULES-7604 ssh_authorized_keys should not use th... Accepted
Template:
Team: Platform OS
QA Risk Assessment: Needs Assessment

 Description   

This might be very obscure but if you specify the following:

user { 'jeff':
 home => '/home/jeff',
 purge_ssh_keys => ['/var/lib/ssh/jeff/authorized_keys','/home/jeff/.ssh/authorized_keys'],
}

And the keys in both locations are identical then only one location's keys will be removed. In my test this has been the last location's keys.

If you run puppet apply two times then both locations' keys will be removed. If you alter the keys to have different names then all keys will get removed simultaneously.



 Comments   
Comment by Josh Cooper [ 2018/07/12 ]

The user type generates two resources with the same title:

(byebug) generated.count
2
(byebug) generated.first.ref
"Ssh_authorized_key[user@foo.com]"
(byebug) generated.last.ref
"Ssh_authorized_key[user@foo.com]"

Puppet then adds the generated resources to the catalog. When it adds the second resource, puppet sees that the resource is already present, and the resource is not added a second time.

The problem is that the comment is not actually unique across multiple files where the key may exist. This is a consequence of PUP-2621. Adding this to the ssh keys epic.

Note puppet is able to remove multiple keys if the key does not contain a comment, because puppet will autogenerate one based on the target:

(byebug) generated.count
2
(byebug) generated.first.ref
"Ssh_authorized_key[/var/lib/ssh/jeff/authorized_keys:unnamed-1]"
(byebug) generated.last.ref
"Ssh_authorized_key[/home/jeff/.ssh/authorized_keys:unnamed-1]"
...
Notice: /Stage[main]/Main/Ssh_authorized_key[/var/lib/ssh/jeff/authorized_keys:unnamed-1]/ensure: removed
Notice: /Stage[main]/Main/Ssh_authorized_key[/home/jeff/.ssh/authorized_keys:unnamed-1]/ensure: removed
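
Added example (not part of the ticket and not Puppet's own code): a pre-check that reads the files listed in purge_ssh_keys and reports every key comment that would produce the same Ssh_authorized_key title in more than one file, which is the case where a single run leaves a key behind. The key-line regex, the function names and the sample keys are assumptions made for this sketch; the unnamed-N naming follows the byebug output above.

```ruby
# Simplified model of how the titles shown above are formed; not Puppet's code.
# Assumption: a key line is "[options] <keytype> <base64 blob> [comment]".
KEY_RE = /(?:\A|\s)(?:ssh|ecdsa|sk)-\S+\s+[A-Za-z0-9+\/=]+(?:\s+(?<comment>.*\S))?\s*\z/

# Return the resource title each key line in one file would get:
# the comment if present, otherwise "<target>:unnamed-<n>".
def titles_for(target, content)
  unnamed = 0
  titles = content.each_line.map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    m = KEY_RE.match(line)
    next unless m
    m[:comment] || "#{target}:unnamed-#{unnamed += 1}"
  end
  titles.compact
end

# Map each title that occurs in more than one target to those targets.
# Such titles collapse into a single catalog entry, so only one file is purged per run.
def colliding_titles(files)
  seen = Hash.new { |h, k| h[k] = [] }
  files.each do |target, content|
    titles_for(target, content).uniq.each { |t| seen[t] << target }
  end
  seen.select { |_, targets| targets.size > 1 }
end

# Constructed sample input: the same commented key in both locations,
# plus one uncommented key in each (blobs are shortened placeholders).
SAMPLE = {
  '/var/lib/ssh/jeff/authorized_keys' => "ssh-rsa AAAAB3Nza user@foo.com\nssh-rsa AAAAB3Nzb\n",
  '/home/jeff/.ssh/authorized_keys' => "# old\nssh-rsa AAAAB3Nza user@foo.com\nssh-rsa AAAAB3Nzb\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  colliding_titles(SAMPLE).each do |title, targets|
    puts "Ssh_authorized_key[#{title}] would be generated for: #{targets.join(', ')}"
  end
end
```

On a host, pass the real file contents (for example File.read of each purge_ssh_keys path) instead of SAMPLE; any title reported needs a second puppet run, or a follow-up check, before the key can be considered removed everywhere.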
