Yanis Guenane
2012-Dec-01 17:58 UTC
[Puppet Users] /etc/ssh/ssh_known_hosts not world readable when using sshkey resource
When I apply a sshkey resource I do obtain the /etc/ssh/ssh_known_hosts file, but it is not world readable.

According to the ssh man page,

> /etc/ssh/ssh_known_hosts
> Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. It should be world-readable. See sshd(8) for further details of the format of this file.

Is there any specific reason why when Puppet generates it it is only user (root) readable and writable? Security maybe?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/N-gOMHACQlQJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Stefan Schulte
2012-Dec-02 23:31 UTC
Re: [Puppet Users] /etc/ssh/ssh_known_hosts not world readable when using sshkey resource
On Sat, Dec 01, 2012 at 09:58:43AM -0800, Yanis Guenane wrote:

> When I apply a sshkey resource I do obtain the /etc/ssh/ssh_known_hosts file, but it is not world readable.
>
> According to the ssh man page,
>
> > /etc/ssh/ssh_known_hosts
> > Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. It should be world-readable. See sshd(8) for further details of the format of this file.
>
> Is there any specific reason why when Puppet generates it it is only user (root) readable and writable? Security maybe?

No, it is a bug http://projects.puppetlabs.com/issues/2014 that happens when the file was not present before and the sshkey provider needs to create it first.

You can use a file resource to actually set the correct permissions, like

    file { '/etc/ssh/ssh_known_hosts':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
    }

Now the owner/group/mode are controlled with your file resource while the actual content is controlled by your sshkey resources.

-Stefan
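A quick audit for the symptom discussed in this thread, added here as an example and not code from the thread or from Puppet: the function checks that a known_hosts file is a regular file, world-readable, writable only by its owner and owned by the expected user (default root), which is what the file resource above enforces. It parses `ls -ld` output rather than `stat`, whose flags differ between GNU and BSD; the default path and the expected owner are assumptions you can override with the two arguments.

```shell
#!/bin/sh
# Verify that a system-wide known_hosts file has the intended permissions
# (owner root, mode 0644), i.e. that the sshkey provider's 0600 file has
# been corrected. Prints a verdict and returns 0 on success, 1 on any problem.
# Usage: check_known_hosts_perms [path] [expected_owner]
check_known_hosts_perms() {
    f=${1:-/etc/ssh/ssh_known_hosts}   # assumed default path
    want_owner=${2:-root}              # assumed default owner
    if [ ! -f "$f" ]; then
        echo "missing or not a regular file: $f"
        return 1
    fi
    listing=$(ls -ld "$f")
    # First 10 characters: type, then owner/group/other rwx triplets.
    perm=$(printf '%s' "$listing" | cut -c1-10)
    owner=$(printf '%s' "$listing" | awk '{print $3}')
    group_w=$(printf '%s' "$perm" | cut -c6)
    other_r=$(printf '%s' "$perm" | cut -c8)
    other_w=$(printf '%s' "$perm" | cut -c9)
    if [ "$owner" != "$want_owner" ]; then
        echo "owned by $owner, expected $want_owner: $f"
        return 1
    fi
    if [ "$other_r" != "r" ]; then
        # This is the state the thread describes: root-only readable.
        echo "not world-readable ($perm): $f"
        return 1
    fi
    if [ "$group_w" = "w" ] || [ "$other_w" = "w" ]; then
        # A host-key list that non-root users can edit is worse than 0600.
        echo "writable by group or other ($perm): $f"
        return 1
    fi
    echo "ok ($perm, $owner): $f"
    return 0
}
```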
Yanis Guenane
2012-Dec-03 06:57 UTC
Re: [Puppet Users] /etc/ssh/ssh_known_hosts not world readable when using sshkey resource
Thank you for your answer and the link to the current issue. The solution you offered is what I am currently doing.

Thanks again,

On Monday, December 3, 2012 12:31:45 AM UTC+1, Stefan Schulte wrote:

> On Sat, Dec 01, 2012 at 09:58:43AM -0800, Yanis Guenane wrote:
>
> > When I apply a sshkey resource I do obtain the /etc/ssh/ssh_known_hosts file, but it is not world readable.
> >
> > According to the ssh man page,
> >
> > > /etc/ssh/ssh_known_hosts
> > > Systemwide list of known host keys. This file should be prepared by the system administrator to contain the public host keys of all machines in the organization. It should be world-readable. See sshd(8) for further details of the format of this file.
> >
> > Is there any specific reason why when Puppet generates it it is only user (root) readable and writable? Security maybe?
>
> No, it is a bug http://projects.puppetlabs.com/issues/2014 that happens when the file was not present before and the sshkey provider needs to create it first.
>
> You can use a file resource to actually set the correct permissions, like
>
>     file { '/etc/ssh/ssh_known_hosts':
>       ensure => file,
>       owner  => 'root',
>       group  => 'root',
>       mode   => '0644',
>     }
>
> Now the owner/group/mode are controlled with your file resource while the actual content is controlled by your sshkey resources.
>
> -Stefan