Antidot SAS
2012-Mar-14 14:17 UTC
[Puppet Users] [ssh_authorized_key] target definition bug?
Hi everyone,

I am using puppet 2.7.9 on a debian linux setup with gem. I am trying to set up the define as follows:

----------------------
define user::environment::create_authorized_key (
  $dst_user   = undef,
  $local_file = "/var/lib/keys/${name}",
  $home       = undef,
  $options    = undef
) {
  # --[ default parameter given ]--
  $src_user_real   = "${name}"
  $key_src_file    = "${local_file}/key.pub"
  # file() returns the content of the first readable path, so a missing
  # key file yields the (empty) content of /dev/null.
  $key_src_content = file($key_src_file, "/dev/null")

  # Destination user defaults to the source user. Both branches are needed:
  # without the else branch $dst_user_real is never set when $dst_user is
  # passed, and every later "${dst_user_real}" expands to an empty string.
  if $dst_user {
    $dst_user_real = "${dst_user}"
  } else {
    $dst_user_real = "${src_user_real}"
  }

  # Resource defaults must be declared after $dst_user_real is assigned.
  File {
    owner => "${dst_user_real}",
    group => "${dst_user_real}",
    mode  => '0440',
  }

  if $home {
    $key_tgt_file = "${home}/.ssh/authorized_keys"
  } else {
    $key_tgt_file = undef
  }

  if "${dst_user_real}" == 'root' {
    case $home {
      undef   : { $authorized_keys = '/root/.ssh/authorized_keys' }
      default : { $authorized_keys = "${key_tgt_file}" }
    }
  } else {
    case $home {
      undef   : { $authorized_keys = "/home/${dst_user_real}/.ssh/authorized_keys" }
      default : { $authorized_keys = "${key_tgt_file}" }
    }
  }

  if ! $key_src_content {
    notify { "Public key file ${key_src_file} for key ${title} not found on keymaster; skipping ensure => present": }
  } else {
    # Only "ssh-xxx <base64>" keys are accepted (ssh-rsa, ssh-dss);
    # $1 and $2 hold the captures in the else branch below.
    if $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
      err("Can't parse public key file ${key_src_file}")
      notify { "Can't parse public key file ${key_src_file} for key ${title} on the keymaster: skipping ensure => present": }
    } else {
      $keytype = $1
      $modulus = $2

      ssh_authorized_key { "SSH keys: ${src_user_real} --> ${dst_user_real}":
        ensure  => present,
        user    => "${dst_user_real}",
        target  => $key_tgt_file,
        type    => "${keytype}",
        key     => "${modulus}",
        name    => "\"src:${src_user_real} --> dst:${dst_user_real}\"",
        options => $options,
        # Refresh the chown exec once the key has been written.
        notify  => Exec["Forcing ${authorized_keys} rights"],
      }

      exec { "Forcing ${authorized_keys} rights":
        path        => '/bin:/usr/bin:/usr/local/bin',
        user        => 'root',
        logoutput   => true,
        command     => "[ -f \"${authorized_keys}\" ] && chown ${dst_user_real}:${dst_user_real} \"${authorized_keys}\"",
        refreshonly => true,
      }
      # No Exec -> Ssh_authorized_key ordering here: together with the
      # notify above it would form a dependency cycle.
    }
  }
}
------------------------------

When I run this define on my nodes I have the following behavior for several users:

notice: /Stage[main]/Base_common_user/User::Ssh::Key[apt-dater]/Ssh_auth_key_server[apt-dater]/Ssh_authorized_key[apt-dater]/ensure: created
info: FileBucket got a duplicate file {md5}8db5d5c65e547d3971d93dfa0ffcea32
err: /Stage[main]/Base_common_user/User::Ssh::Key[apt-dater]/Ssh_auth_key_server[apt-dater]/Ssh_authorized_key[apt-dater]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/test/.ssh/authorized_keys: Permission denied - /home/test/.ssh/authorized_keys

Puppet is trying to put the authorized_keys under the wrong ${HOME}:

root@linux-install:/# getent passwd apt-dater
apt-dater:x:9000:9000:Outil de dist-upgrade:/home/apt-dater:/bin/bash
root@linux-install:/# ls -al /home/apt-dater/.ssh/
total 12
drwxr-x--- 2 apt-dater apt-dater 4096 Mar 14 14:25 .
drwxr-xr-x 3 apt-dater apt-dater 4096 Mar 14 14:25 ..
-rw-r----- 1 apt-dater apt-dater 1380 Mar 14 14:36 authorized_keys

Any idea what could be the problem?

Regards,
JM

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Antidot SAS
2012-Mar-14 15:13 UTC
[Puppet Users] Re: [ssh_authorized_key] target definition bug?
After a little bit of digging it seems that the error is due to rights of '/home/user/.ssh'.

In fact puppet tries to create those with the following rights:

drwxr-xr-x 2 test test 4096 Mar 14 15:51 /home/test
drwx------ 2 test root 4096 Mar 14 15:51 /home/test/.ssh

When I change the rights to:

drwxr-x--- 2 test root 4096 Mar 14 15:51 /home/test/.ssh

puppet completes its job. I found a similar bug: http://projects.puppetlabs.com/issues/5395 but it seems to be closed.

Any thoughts?

Regards,
JM

On Wed, Mar 14, 2012 at 3:17 PM, Antidot SAS <antidotsas@gmail.com> wrote:
> Any idea what could be the problem?
jcbollinger
2012-Mar-15 13:01 UTC
[Puppet Users] Re: [ssh_authorized_key] target definition bug?
On Mar 14, 10:13 am, Antidot SAS <antidot...@gmail.com> wrote:
> After a little bit of digging it seems that the error is due to rights of '/home/user/.ssh'.
>
> In fact puppet tries to create those with the following rights:
> drwxr-xr-x 2 test test 4096 Mar 14 15:51 /home/test
> drwx------ 2 test root 4096 Mar 14 15:51 /home/test/.ssh
>
> When I change the rights to:
> drwxr-x--- 2 test root 4096 Mar 14 15:51 /home/test/.ssh
>
> puppet completes its job, I found a similar bug: http://projects.puppetlabs.com/issues/5395 but it seems to be closed.
>
> Any thoughts?

Yes: something is wrong with the way you are running Puppet. To be effective, the agent needs to run as root, or else as an equally-privileged user. Additional requirements apply where clients run SELinux in enforcing mode. If the agent process had the right privileges then directory ownership and permissions would not interfere with its operation.

John
Antidot SAS
2012-Mar-15
[Puppet Users] Re: [ssh_authorized_key] target definition bug?
Hi,

My puppet agent was running as root. Anyway, to bypass this issue I just have to create a File resource for .ssh/authorized with the user's uid and user's gid. And now no problem.

Thx.

On Thu, Mar 15, 2012 at 2:01 PM, jcbollinger <John.Bollinger@stjude.org> wrote:
> Yes: something is wrong with the way you are running Puppet. To be
> effective, the agent needs to run as root, or else as an equally-
> privileged user. Additional requirements apply where clients run
> SELinux in enforcing mode. If the agent process had the right
> privileges then directory ownership and permissions would not interfere
> with its operation.
>
> John
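The workaround JM describes (managing the `.ssh` directory and `authorized_keys` file explicitly, owned by the target user, before `ssh_authorized_key` writes to it) as an added example; this is not code from the thread or from Puppet itself. The define name `ssh_key_hardened::authorized_key`, its parameters, and the usage values are hypothetical, and it assumes the user's primary group carries the user's name (as with `apt-dater:apt-dater` in JM's listing). It uses 0700/0600, the modes sshd's default `StrictModes` accepts; group- or world-writable directories or key files are rejected by sshd.

```puppet
# Added example (not from the thread): manage the user's ~/.ssh directory and
# authorized_keys file with the user's own uid/gid, then let ssh_authorized_key
# append the key into that file. All names and values below are hypothetical.
define ssh_key_hardened::authorized_key (
  $user,                      # destination account on the node
  $key,                       # base64 key body (the "modulus" in the thread's define)
  $type    = 'ssh-rsa',
  $home    = undef,           # defaults to /home/${user}; pass '/root' for root
  $options = undef,           # e.g. ['no-pty', 'no-port-forwarding'] (constructed)
) {
  $home_real = $home ? {
    undef   => "/home/${user}",
    default => $home,
  }
  $ssh_dir  = "${home_real}/.ssh"
  $key_file = "${ssh_dir}/authorized_keys"

  # Directory owned by the user, 0700: sshd (StrictModes) refuses keys whose
  # directory is writable by anyone but the owner, and the user must be able
  # to read it.
  file { $ssh_dir:
    ensure => directory,
    owner  => $user,
    group  => $user,           # assumption: primary group named after the user
    mode   => '0700',
  }

  # The key file itself, owned by the user, readable only by the owner.
  # No content is given, so Puppet only creates it if absent and fixes
  # ownership/mode; ssh_authorized_key manages the lines inside it.
  file { $key_file:
    ensure  => file,
    owner   => $user,
    group   => $user,
    mode    => '0600',
    require => File[$ssh_dir],
  }

  # Explicit target plus require: the file exists with the right owner
  # before the provider opens it for writing.
  ssh_authorized_key { "${user}-${name}":
    ensure  => present,
    user    => $user,
    type    => $type,
    key     => $key,
    target  => $key_file,
    options => $options,
    require => File[$key_file],
  }
}

# Usage with constructed values (the key body is a placeholder, not a real key).
ssh_key_hardened::authorized_key { 'keymaster-deploy':
  user    => 'apt-dater',
  type    => 'ssh-rsa',
  key     => 'AAAAB3NzaC1yc2EAAAADAQABAAABAQ_PLACEHOLDER_KEY_BODY',
  options => ['no-pty', 'no-port-forwarding', 'no-agent-forwarding'],
}
```

The ordering is the point of the example: both `file` resources run before `ssh_authorized_key`, so the write happens into a file that already belongs to the user, instead of relying on an `exec` chown after the fact as the original define did. Restrictive `options` on a key that only exists for automation (no pty, no forwarding) limit what a leaked key can be used for.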