[MODULES-9726] allow read-only authorized_keys Created: 2019/08/14 Updated: 2019/10/16
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Sprint:||PR - Triage, PR - Triage|
|QA Risk Assessment:||Needs Assessment|
Module Version: N/A
We have a security policy which says SSH `authorized_keys` files should not be writable by users, so that those keys are solely under the control of admins (and therefore Puppet).
Unfortunately, the way the `ssh_authorized_key` type operates now is that it hardcodes the mode (`0600`) of the file and also the owner (whatever the `user` selected). So an operator has two choices, either:
Desired Behavior: It should be possible to have read-only SSH keys.
Actual Behavior: SSH keys are either read/write or unreadable.
|Comment by Antoine [ 2019/08/14 ]|
a workaround is to use a separate `File` resource to change the mode on the generated file. but then it's getting a bit ridiculous the amount of boilerplate one needs to add on top of the `Ssh_authorized_key` resource to make it do the right thing. For example, this is code from a live deployment I have here:
And elsewhere, I need to export the key as well:
That's a lot of code!
Compare this to how this would look with a simple `Concat` resource:
and in the collector:
This seems so much simpler! It reuses a primitive a lot of people know, it will work as expected (ie. it will purge unmanaged entries automatically and have the specified mode) and is much easier to audit than the `ssh_authorized_key` code (which I can barely read).
So I'm really beginning to question the value of this type at all - why do people use this instead of `Concat`? Wouldn't it be easier to rewrite this resource with `Concat` and be done with it? Or is that not proper?