Hi all,

I've just implemented a [crude] manifest to apply a set authorized_keys file to the root account of a puppet client.

    class rootssh_test {
        file { "/root/.ssh/authorized_keys":
            owner => root, group => root, mode => 0600,
            content => template("rootssh_test")
        }
    }

The template has two ssh id_rsa lines in.

When the client applies the template though, each line is losing a single character, at a regular interval, in the key. The character is random, and turns into a space. So I end up with keys with a couple of extra spaces in!

Template: (not full key)

    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4AqVmGxmOfdz

Applied file:

    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4qVmGxm fdz

puppet client is 0.22.4 (blastwave.org/testing) running on Solaris 10.
puppetmaster is 0.22.4 running on RHEL4.

Anyone got a clue what's happening here please?

Cheers,

--Mark

On 5/23/07 4:15 AM, "Mark Phillips" <mark@probably.co.uk> wrote:

> Hi all,
>
> I've just implemented a [crude] manifest to apply a set authorized_keys
> file to the root account of a puppet client.
>
> class rootssh_test {
>     file { "/root/.ssh/authorized_keys":
>         owner => root, group => root, mode => 0600,
>         content => template("rootssh_test")
>     }
> }
>
> The template has two ssh id_rsa lines in.
>
> When the client applies the template though, each line is losing a single
> character, at a regular interval, in the key. The character is random, and
> turns into a space. So I end up with keys with a couple of extra spaces
> in!
>
> Template: (not full key)
> ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4AqVmG
> xmOfdz
>
> Applied file:
> ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4qVmGx
> m fdz
>
> puppet client is 0.22.4 (blastwave.org/testing) running on Solaris 10.
> puppetmaster is 0.22.4 running on RHEL4.
>
> Anyone got a clue what's happening here please?

That's odd indeed. I do something similar here but I have puppet pull from the puppetmaster:

    file { "/root/.ssh/authorized_keys":
        mode => 0400,
        owner => root,
        group => root,
        source => "puppet://$servername/files/base/authorized_keys";
    }

And that transfers files correctly every time. Does that method work for you?

Cheers,
Ryan

On Wed, 23 May 2007, Ryan Dooley wrote:

>> Template: (not full key)
>> ssh-rsa
>> AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4AqVmG
>> xmOfdz
>>
>> Applied file:
>> ssh-rsa
>> AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4qVmGx
>> m fdz
>>
> That's odd indeed. I do something similar here but I have puppet pull from
> the puppetmaster:

[snip]

> And that transfers files correctly every time. Does that method work for
> you?

Hi Ryan,

I've not tried that method, and it may well work. I'll have a try in a moment.

Some more info on this though. I've been testing with a Linux machine too. What I've now done is a template file and a define...

template:

    <% keys.each do |val| -%>
    <%= val.chomp %>
    <% end -%>

class & define:

    class engssh {
        $rootkey = template("root_rsa.pub")
        $mykey = template("me_rsa.pub")

        $authkeys = $macaddress ? {
            "0:3:ba:12:12:12" => [ $rootkey, $mykey ],
            "00:0C:29:13:13:13" => [ $rootkey ]
        }

        authkeys { dokeys: keys => $authkeys }
    }

    define authkeys($keys) {
        file { "/root/.ssh":
            ensure => directory,
            owner => root,
            group => root,
            mode => 0700
        }

        file { "/root/.ssh/authorized_keys":
            owner => root,
            group => root,
            mode => 0600,
            content => template(rootssh_test),
            require => File["/root/.ssh"]
        }
    }

So, the Linux machine gets one key. The Sun machine gets two keys. The Sun machine has the split key problem - where exactly the 80th character gets replaced with a space. The Linux machine doesn't have the issue with one key.

If I change the Linux box so it receives both keys, suddenly the 80th character gets replaced!

Of course, for completeness, I've also tried the Sun box with one key. It behaves the same as the Linux machine and does NOT replace the 80th character with a space.

How weird is this?! Any more input folks would be greatly appreciated. I can try another method, but I'm keen to get to the bottom of this, if only because it's so odd :)

Cheers,

--Mark

>
> class engssh {
>     $rootkey = template("root_rsa.pub")
>     $mykey = template("me_rsa.pub")
>

Just a thought here - template will try to run root_rsa.pub through the erb interpreter. Is there any particular reason you're using a template and not 'source' on the file?

On 23 May 2007, at 22:16, Daniel Lawson wrote:

>> class engssh {
>>     $rootkey = template("root_rsa.pub")
>>     $mykey = template("me_rsa.pub")
>
> Just a thought here - template will try to run root_rsa.pub through
> the erb interpreter. Is there any particular reason you're using a
> template and not 'source' on the file?

Inexperience? :-)

TBH I'm just getting into puppet Daniel, so it's probably just poor choice on my behalf. I can't seem to find the documentation relating to source on the website - there's references to it in the TypeReference topic but I'm not sure I get the syntax there. Does 'source' imply pulling the file from the puppet server over puppet://... ?

Cheers,

--Mark

On 24/05/07, Mark Phillips <mark@probably.co.uk> wrote:

> On 23 May 2007, at 22:16, Daniel Lawson wrote:
>
> >> class engssh {
> >>     $rootkey = template("root_rsa.pub")
> >>     $mykey = template("me_rsa.pub")
> >
> > Just a thought here - template will try to run root_rsa.pub through
> > the erb interpreter. Is there any particular reason you're using a
> > template and not 'source' on the file?
>
> Inexperience? :-)
>
> TBH I'm just getting into puppet Daniel, so it's probably just poor
> choice on my behalf. I can't seem to find the documentation relating
> to source on the website - there's references to it in the
> TypeReference topic but I'm not sure I get the syntax there. Does
> 'source' imply pulling the file from the puppet server over
> puppet://... ?
>
> Cheers,
>
> --Mark
>

Yes, that's exactly what it implies. Although you can also designate another file on the local client as a source (just with 'source => "/etc/xxx/filename"').

For the puppet:// thing to work you need to set up your puppetmaster to serve files using the fileserver.conf file, see:

http://reductivelabs.com/trac/puppet/wiki/FileServingConfiguration

And here's a verbatim copy of a mail by Digant C Kasundra to this list from a while back, showing how you can create a define that supplies a number of defaults for most file downloads from the puppetmaster:

>___________________________________17-Mar

I recently updated my remotefile definitions (others might have already done so or have been using a better one than mine). I added an ensure parameter so I could do overrides using remotefile rather than the underlying file:

    define remotefile($owner = root, $ignore = ".svn", $group = root, $mode = 644,
                      $source, $backup = false, $recurse = false, $ensure = file) {
        $realsource = $hostname ? {
            "henson" => "/var/lib/puppet/dist/$source",
            default => "puppet://puppet.stanford.edu/dist/$source"
        }
        file { $name:
            mode => $mode,
            owner => $owner,
            group => $group,
            backup => $backup,
            recurse => $recurse,
            ignore => ".svn",
            source => $realsource,
            ensure => $ensure
        }
    }

>-----------------------------------------------------

Gr,
Thijs

On May 23, 2007, at 4:16 PM, Daniel Lawson wrote:

>> class engssh {
>>     $rootkey = template("root_rsa.pub")
>>     $mykey = template("me_rsa.pub")
>>
>
> Just a thought here - template will try to run root_rsa.pub through
> the erb interpreter. Is there any particular reason you're using a
> template and not 'source' on the file?

Using 'source' won't work in this case -- he's calling template() on the server with the keys as values, so he needs to retrieve the keys on the server.

Your basic sentiment is right, though -- file() should be used instead of template(); it was introduced in 0.22.3, I believe. That skips all interpretation by the template engine.

--
Hoare's Law of Large Problems: Inside every large problem is a small
problem struggling to get out.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On Thu, 24 May 2007 Luke Kanies said:

>>> class engssh {
>>>     $rootkey = template("root_rsa.pub")
>>>     $mykey = template("me_rsa.pub")

OK, so I swapped this pair to be just plain old variables. The SSH key now lives in the variable, a la...

    $rootkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAtSf8R9ke3T+gnDjnmlXW/M91k8JCLg4Ej+Ubjfjb1/aO4qVmGxmOfdzdE1DE5DwViJTvOfzvqfSwD72RKhSQu0xHhXiIpi6/DlZUtL/8BWyWLlt6aW/8isccy7znQiak57/sXT0tL/iSrPETLJhmMrwSo0TOxO8qNOwbZbZMrQ00 root@host"

and the $mykey variable is defined the same.

Guess what? Same behaviour. Implement one of the keys, and it's fine. Implement two, and the 80th character is replaced with a space.

Now, I'm guessing it's the running through erb bit later on that's at fault, as the authorized_keys file is still built with a template.

    file { "/root/.ssh/authorized_keys":
        owner => root,
        group => root,
        mode => 0600,
        content => template(rootssh_test),
        require => File["/root/.ssh"]
    }

rootssh_test template...

    <% keys.each do |val| -%>
    <%= val.chomp %>
    <% end -%>

> Your basic sentiment is right, though -- file() should be used
> instead of template(); it was introduced in 0.22.3, I believe. That
> skips all interpretation by the template engine.

But if I want to build the authorized_keys file up from one, or more, keys (defined/gathered elsewhere) I still need to use a template, right?

Cheers folks!

--Mark

On May 24, 2007, at 11:42 AM, Mark Phillips wrote:

> [...]
> Guess what? Same behaviour. Implement one of the keys, and it's fine.
> Implement two, and the 80th character is replaced with a space.

I just tested this with my own keys and I can't reproduce the problem:

    $key1 = file("/Users/luke/.ssh/authorized_keys2")
    $key2 = file("/Users/luke/.ssh/authorized_keys2")
    $keys = [$key1, $key2]

    file { "/tmp/testing": content => template("test.erb") }

I get two copies of the key, neither with a space in the key (other than where they're supposed to be).

> Now, I'm guessing it's the running through erb bit later on that's at
> fault, as the authorized_keys file is still built with a template.
>
> file { "/root/.ssh/authorized_keys":
>     owner => root,
>     group => root,
>     mode => 0600,
>     content => template(rootssh_test),
>     require => File["/root/.ssh"]
> }
>
> rootssh_test template...
>
> <% keys.each do |val| -%>
> <%= val.chomp %>
> <% end -%>

By the way, this would probably be better done with a generate() script -- just write a script that creates an authorized keys file given a list of users (I'd sort the user or key list, so the results were consistent regardless of the order of the users):

    $keys = [one, two, three]
    file { "/tmp/testing": content => generate("/Users/luke/bin/test.sh", $keys) }

Clearly that doesn't actually solve the problem, but my guess is that it's an ERB problem, so it'll have to be worked around there.

>> Your basic sentiment is right, though -- file() should be used
>> instead of template(); it was introduced in 0.22.3, I believe. That
>> skips all interpretation by the template engine.
>
> But if I want to build the authorized_keys file up from one, or more,
> keys (defined/gathered elsewhere) I still need to use a template, right?

Yeah; I just meant to use 'file' for getting the individual files from disk. Still use a template for joining them.

--
A person's maturity consists in having found again the seriousness one
had as a child, at play. --Friedrich Nietzsche
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

I don't think it's ERB at all.

I'm running into something that sounds basically the same (spaces where they shouldn't be), but using a generate.

It seems to be somehow related to lines and their length.

When I try calling this script in a generate and use it as the content, the B turns into a space:

    #!/bin/sh
    echo '#'
    echo ssh-dss AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAABA

A much longer second echo with no first echo works fine. Changing the "B" to any other character still gets it turned into a space. Even longer lines get more spaces.

Multiple puppetd runs only get a notice about the content changing once, so I suspect the problem is in puppetmasterd, not puppetd.

Should I file a bug in Trac?

On May 24, 2007, at 12:37 PM, Luke Kanies wrote:

> On May 24, 2007, at 11:42 AM, Mark Phillips wrote:
>> [...]
>> Guess what? Same behaviour. Implement one of the keys, and it's fine.
>> Implement two, and the 80th character is replaced with a space.
>
> I just tested this with my own keys and I can't reproduce the problem:
>
> $key1 = file("/Users/luke/.ssh/authorized_keys2")
> $key2 = file("/Users/luke/.ssh/authorized_keys2")
> $keys = [$key1, $key2]
>
> file { "/tmp/testing": content => template("test.erb") }
>
> I get two copies of the key, neither with a space in the key (other
> than where they're supposed to be).
>
>
>> Now, I'm guessing it's the running through erb bit later on that's at
>> fault, as the authorized_keys file is still built with a template.
>>
>> file { "/root/.ssh/authorized_keys":
>>     owner => root,
>>     group => root,
>>     mode => 0600,
>>     content => template(rootssh_test),
>>     require => File["/root/.ssh"]
>> }
>>
>> rootssh_test template...
>>
>> <% keys.each do |val| -%>
>> <%= val.chomp %>
>> <% end -%>
>
> By the way, this would probably be better done with a generate()
> script -- just write a script that creates an authorized keys file
> given a list of users (I'd sort the user or key list, so the results
> were consistent regardless of the order of the users):
>
> $keys = [one, two, three]
> file { "/tmp/testing": content => generate("/Users/luke/bin/test.sh",
> $keys) }
>
> Clearly that doesn't actually solve the problem, but my guess is that
> it's an ERB problem, so it'll have to be worked around there.
>
>>> Your basic sentiment is right, though -- file() should be used
>>> instead of template(); it was introduced in 0.22.3, I believe. That
>>> skips all interpretation by the template engine.
>>
>> But if I want to build the authorized_keys file up from one, or more,
>> keys (defined/gathered elsewhere) I still need to use a template,
>> right?
>
> Yeah; I just meant to use 'file' for getting the individual files
> from disk. Still use a template for joining them.
>
> --
> A person's maturity consists in having found again the seriousness one
> had as a child, at play. --Friedrich Nietzsche
>
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
>
>
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>

--
Eric Eisenhart <eric.eisenhart@sonoma.edu>
Office: Schulz 1036, (707) 664-3099
XMPP: eisenhae@jabber.sonoma.edu
AIM: ericeisenhart
Sonoma State University, IT
Lead Linux/Unix System Administrator

On Jun 8, 2007, at 1:07 PM, Eric Eisenhart wrote:

> I don't think it's ERB at all.
>
> I'm running into something that sounds basically the same (spaces
> where they shouldn't be), but using a generate.
>
> It seems to be somehow related to lines and their length.
>
> When I try calling this script in a generate and use it as the
> content, the B turns into a space:

[...]

As discussed on IRC, this is only apparently happening when you are using networking, so it's probably an issue with escaping, and it's probably related to #564.

--
It is dangerous to be right when the government is wrong.
    -- Voltaire
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

On 8 Jun 2007, at 23:19, Luke Kanies wrote:

> On Jun 8, 2007, at 1:07 PM, Eric Eisenhart wrote:
>
>> I don't think it's ERB at all.
>>
>> I'm running into something that sounds basically the same (spaces
>> where they shouldn't be), but using a generate.
>>
>> It seems to be somehow related to lines and their length.
>>
>> When I try calling this script in a generate and use it as the
>> content, the B turns into a space:
> [...]
>
> As discussed on IRC, this is only apparently happening when you are
> using networking, so it's probably an issue with escaping, and it's
> probably related to #564.

I never did get to the bottom of the problem. Is bug 564 something that's due to be fixed sometime soon Luke?

Cheers

On Jun 9, 2007, at 8:24 AM, Mark Phillips wrote:

> I never did get to the bottom of the problem. Is bug 564 something
> that's due to be fixed sometime soon Luke?

Well, it's my plan to attack it before I release next week, but it depends on what the actual problem is. Hopefully I'll be able to resolve it.

--
Always be wary of any helpful item that weighs less than its operating
manual. -- Terry Pratchett
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
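
Added example, not part of the thread and not Puppet's own code: a Ruby check that flags authorized_keys lines damaged the way the thread describes, where one character inside the base64 key data has turned into a space. It goes slightly beyond the reported case by also parsing the decoded blob, so a cut that happens to leave valid base64 is still caught. All function names and the sample key are constructed for illustration, and only ssh-rsa and ssh-dss lines are recognised.

```ruby
require 'base64'
KEY_TYPES = %w[ssh-rsa ssh-dss].freeze # the two key types seen in the thread

# Split a decoded public-key blob into its length-prefixed fields; nil if malformed.
def wire_fields(raw)
  fields = []
  pos = 0
  while pos < raw.bytesize
    len = raw.byteslice(pos, 4).unpack1('N')
    return nil if len.nil? || pos + 4 + len > raw.bytesize
    fields << raw.byteslice(pos + 4, len)
    pos += 4 + len
  end
  fields
end

# Return the problem found in one authorized_keys line, or nil if it parses cleanly.
def key_line_problem(line)
  fields = line.split(' ')
  return nil if fields.empty? || fields[0].start_with?('#')
  idx = fields.index { |f| KEY_TYPES.include?(f) }
  return 'no recognised key type' unless idx
  return 'missing key data' unless fields[idx + 1]
  parts = wire_fields(Base64.strict_decode64(fields[idx + 1]))
  return 'key blob is truncated or malformed' if parts.nil? || parts.empty?
  parts[0] == fields[idx] ? nil : 'blob key type does not match the declared type'
rescue ArgumentError
  'key data is not valid base64'
end

# Map 1-based line numbers to problems for a whole authorized_keys file.
def audit(text)
  text.each_line.with_index(1).map { |l, n| [n, key_line_problem(l)] }.select(&:last).to_h
end

# Constructed sample (not a real key): same field layout as a 1024-bit ssh-rsa key.
def sample_line(comment)
  pack = ->(s) { [s.bytesize].pack('N') + s.b }
  blob = pack.('ssh-rsa') + pack.("\x23") + pack.("\x00" + "\xB5" * 128)
  "ssh-rsa #{Base64.strict_encode64(blob)} #{comment}"
end

# Reproduce the thread's symptom: the character in a 1-based column becomes a space.
def corrupt(line, column)
  line.dup.tap { |l| l[column - 1] = ' ' }
end

good = sample_line('root@host')
p audit([good, corrupt(good, 80), corrupt(good, 81)].join("\n"))
```

Run against a deployed file with `audit(File.read(path))`; an empty hash means every key line decoded and parsed completely.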