Kassec
2009-Dec-27 00:49 UTC
[Puppet Users] Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
Hi,

I'm new to puppet and trying some simple things. Especially, I followed the doc @ http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth to manage ssh keys.

Everything went well until I tried with more than one user! If I try to add another user key, ie :

    ssh::auth::key { ["user1", "user2"]: }

then I get a "puppetmasterd[10022]: Puppet::Parser::AST::Resource failed with error ArgumentError: Cannot alias Ssh_auth_key_namecheck[user2-filename] to id_rsa; resource Ssh_auth_key_namecheck[id_rsa] already exists at /etc/puppet/modules/ssh/manifests/auth.pp:48 on node ..."

It sounds like a resource uniqueness problem, but I don't know how to work around this ...

Thanks for any tip ;)
Andrew Schulman
2009-Dec-28 10:23 UTC
Re: [Puppet Users] Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
> I'm new to puppet and trying some simple things. Especially, I
> followed the doc @ http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth
> to manage ssh keys.
>
> Everything went well until I tried with more than one user! If I try
> to add another user key, ie :
>
> ssh::auth::key { ["user1", "user2"]: }
>
> then I get a "puppetmasterd[10022]: Puppet::Parser::AST::Resource
> failed with error ArgumentError: Cannot alias Ssh_auth_key_namecheck
> [user2-filename] to id_rsa; resource Ssh_auth_key_namecheck[id_rsa]
> already exists at /etc/puppet/modules/ssh/manifests/auth.pp:48 on
> node ..."

Kassec, thanks for the report. I've fixed this and uploaded a new version of ssh::auth (release 0.3.1). Please download it and try again, and let me know how it goes.

Andrew.
Kassec
2009-Dec-28 20:36 UTC
[Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
On Dec 28, 11:23 am, Andrew Schulman <google-groups- and...@sneakemail.com> wrote:
> Kassec, thanks for the report. I've fixed this and uploaded a new version of
> ssh::auth (release 0.3.1). Please download it and try again, and let me know
> how it goes. Andrew.

Better ;) Thank you. I would have been unable to find this patch by myself !

Still I have something I don't understand. With the following I expect to log in as user1 with user2 key pair :

    class user::virtuals {

        @user { "user1":
            uid => "1001",
            gid => "group",
            comment => "name",
            home => "/home/user1",
        }
        ssh::auth::key { "user1@lan": }
        @user { "user2":
            uid => "1003",
            gid => "group",
            comment => "name",
            home => "/home/user2",
        }
        ssh::auth::key { "user2@lan": }
    }

    class user::admins inherits user::virtuals {

        realize User["user1"]

        ssh::auth::client { "user1@lan": }

        ssh::auth::server { "user1@lan": }
        ssh::auth::server { "user2@lan": user => "user1" }
    }

    node node1 {
        include user::admins
    }

I get :

    puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/Ssh_auth_key_server[user2@lan]/File[/home/user2/.ssh/authorized_keys]/ensure) change from absent to present failed: Could not set present on ensure: No such file or directory - /home/user2/.ssh/authorized_keys at /etc/puppet/modules/ssh/manifests/auth.pp:311
    puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/Ssh_auth_key_server[user2@lan]/Ssh_authorized_key[user2@lan]/ensure) created
    puppetd[6286]: Got an uncaught exception of type Errno::ENOENT: No such file or directory - /home/user2/.ssh

And user2@lan's key is not installed into user1's authorized_keys. Anything I did wrong ?
Andrew Schulman
2009-Dec-28 22:06 UTC
Re: [Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
> Better ;) Thank you. I would have been unable to find this patch by
> myself !

Well thanks for testing. I test on my own installation but

> Still I have something I don't understand. With the following I expect
> to log in as user1 with user2 key pair :
>
> class user::virtuals {
>
>     @user { "user1":
>         uid => "1001",
>         gid => "group",
>         comment => "name",
>         home => "/home/user1",
>     }
>     ssh::auth::key { "user1@lan": }
>     @user { "user2":
>         uid => "1003",
>         gid => "group",
>         comment => "name",
>         home => "/home/user2",
>     }
>     ssh::auth::key { "user2@lan": }
> }
>
> class user::admins inherits user::virtuals {
>
>     realize User["user1"]
>
>     ssh::auth::client { "user1@lan": }
>
>     ssh::auth::server { "user1@lan": }
>     ssh::auth::server { "user2@lan": user => "user1" }
> }
>
> node node1 {
>     include user::admins
> }
>
> I get :
>
> puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/
> Ssh_auth_key_server[user2@lan]/File[/home/user2/.ssh/authorized_keys]/
> ensure) change from absent to present failed: Could not set present on
> ensure: No such file or directory - /home/user2/.ssh/authorized_keys
> at /etc/puppet/modules/ssh/manifests/auth.pp:311
> puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/
> Ssh_auth_key_server[user2@lan]/Ssh_authorized_key[user2@lan]/ensure)
> created
> puppetd[6286]: Got an uncaught exception of type Errno::ENOENT: No
> such file or directory - /home/user2/.ssh
>
> And user2@lan's key is not installed into user1's authorized_keys.
> Anything I did wrong ?

No, your code is right. It's a bug in ssh::auth. I'm working on this and hope to post a fix shortly.
Kassec
2009-Dec-28 23:30 UTC
[Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
On Dec 28, 11:06 pm, Andrew Schulman <google-groups- and...@sneakemail.com> wrote:
> > Better ;) Thank you. I would have been unable to find this patch by
> > myself !
>
> Well thanks for testing. I test on my own installation but
>
> > Still I have something I don't understand. With the following I expect
> > to log in as user1 with user2 key pair :
> >
> > class user::virtuals {
> >
> >     @user { "user1":
> >         uid => "1001",
> >         gid => "group",
> >         comment => "name",
> >         home => "/home/user1",
> >     }
> >     ssh::auth::key { "user1@lan": }
> >     @user { "user2":
> >         uid => "1003",
> >         gid => "group",
> >         comment => "name",
> >         home => "/home/user2",
> >     }
> >     ssh::auth::key { "user2@lan": }
> > }
> >
> > class user::admins inherits user::virtuals {
> >
> >     realize User["user1"]
> >
> >     ssh::auth::client { "user1@lan": }
> >
> >     ssh::auth::server { "user1@lan": }
> >     ssh::auth::server { "user2@lan": user => "user1" }
> > }
> >
> > node node1 {
> >     include user::admins
> > }
> >
> > I get :
> >
> > puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/
> > Ssh_auth_key_server[user2@lan]/File[/home/user2/.ssh/authorized_keys]/
> > ensure) change from absent to present failed: Could not set present on
> > ensure: No such file or directory - /home/user2/.ssh/authorized_keys
> > at /etc/puppet/modules/ssh/manifests/auth.pp:311
> > puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/
> > Ssh_auth_key_server[user2@lan]/Ssh_authorized_key[user2@lan]/ensure)
> > created
> > puppetd[6286]: Got an uncaught exception of type Errno::ENOENT: No
> > such file or directory - /home/user2/.ssh
> >
> > And user2@lan's key is not installed into user1's authorized_keys.
> > Anything I did wrong ?
>
> No, your code is right. It's a bug in ssh::auth. I'm working on this and
> hope to post a fix shortly.

Andrew, while you're in your code, can you let me know how I can achieve this :

    ssh::auth::server { "user2@lan": user => "user1" }
    ssh::auth::server { "user2@lan": user => "root" }

I would like my big admin user to get access to several accounts. Is there any trick that would do or does auth.pp need more functionality ?
Andrew Schulman
2009-Dec-29 10:38 UTC
Re: [Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
> Andrew, while you're in your code, can you let me know how I can
> achieve this :
>
> ssh::auth::server { "user2@lan": user => "user1" }
> ssh::auth::server { "user2@lan": user => "root" }
>
> I would like my big admin user to get access to several accounts. Is
> there any trick that would do or does auth.pp need more
> functionality ?

At present this isn't possible for a single key. The key title has to be unique, and the user parameter doesn't accept an array argument. I see the usefulness and will add it to my to-do list.

For now, the workaround is to give user2 multiple keys -- one for each user that you want him to authenticate as. Which the examples say there's no good reason to do :(

If you're running ssh-agent, you can add all of the keys to your running agent. Then ssh will try them all and so eventually find the right one, provided that the number of keys is less than MaxAuthTries on the server :(
Andrew Schulman
2009-Dec-29 12:10 UTC
Re: [Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
> Still I have something I don't understand. With the following I expect
> to log in as user1 with user2 key pair :
>
> class user::virtuals {
>
>     @user { "user1":
>         uid => "1001",
>         gid => "group",
>         comment => "name",
>         home => "/home/user1",
>     }
>     ssh::auth::key { "user1@lan": }
>     @user { "user2":
>         uid => "1003",
>         gid => "group",
>         comment => "name",
>         home => "/home/user2",
>     }
>     ssh::auth::key { "user2@lan": }
> }
>
> class user::admins inherits user::virtuals {
>
>     realize User["user1"]
>
>     ssh::auth::client { "user1@lan": }
>
>     ssh::auth::server { "user1@lan": }
>     ssh::auth::server { "user2@lan": user => "user1" }
> }
>
> node node1 {
>     include user::admins
> }
>
> I get :
>
> puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/
> Ssh_auth_key_server[user2@lan]/File[/home/user2/.ssh/authorized_keys]/
> ensure) change from absent to present failed: Could not set present on
> ensure: No such file or directory - /home/user2/.ssh/authorized_keys
> at /etc/puppet/modules/ssh/manifests/auth.pp:311
> puppetd[6286]: (//user::virtuals/Ssh::Auth::Key[user2@lan]/
> Ssh_auth_key_server[user2@lan]/Ssh_authorized_key[user2@lan]/ensure)
> created
> puppetd[6286]: Got an uncaught exception of type Errno::ENOENT: No
> such file or directory - /home/user2/.ssh

There are actually two problems here:

(1) ssh::auth was trying to authorize the user2@lan key in the wrong place, i.e. in /home/user2/.ssh/authorized_keys. I just uploaded a new release, 0.3.2, that fixes this problem.

(2) $home/.ssh didn't exist (in this case it was incorrectly /home/user2/.ssh, but the same problem could hold for the correct /home/user1/.ssh). At first I thought that ssh::auth could create and manage that directory for you, but after some trying it became clear that it can't, because there's no way to guarantee that the declaration of that directory is unique. So the site administrator is going to have to be responsible for managing $home/.ssh. I've updated Example 1 and the Detailed Usage in the docs to show this.

Please test and report!

Thanks,
Andrew.
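The manifest from this thread with $home/.ssh managed by the site administrator, as Andrew's message above says it must be. This is an added example, not code from the ssh::auth module or its documentation; it assumes release 0.3.2 or later, and the managehome attribute and the file resource are additions that do not appear in the thread.

```puppet
# Added example. User names, uids, group and paths are the ones used in
# this thread; the ssh::auth::* declarations are unchanged from it.
class user::virtuals {

    @user { "user1":
        uid        => "1001",
        gid        => "group",
        comment    => "name",
        home       => "/home/user1",
        # Addition: let Puppet create /home/user1 itself, so the .ssh
        # directory below has an existing parent.
        managehome => true,
    }
    ssh::auth::key { "user1@lan": }

    @user { "user2":
        uid     => "1003",
        gid     => "group",
        comment => "name",
        home    => "/home/user2",
    }
    ssh::auth::key { "user2@lan": }
}

class user::admins inherits user::virtuals {

    realize User["user1"]

    # Addition: the directory ssh::auth cannot declare on its own.
    # It is declared exactly once, here, for the account that receives
    # the keys (user1), which avoids the duplicate-declaration problem.
    # Mode 0700 and ownership by user1 keep it acceptable to sshd's
    # StrictModes check, which ignores authorized_keys files that sit
    # under a group- or world-writable directory.
    # Puppet's file type autorequires a managed parent directory, so a
    # File resource for /home/user1/.ssh/authorized_keys (the kind of
    # resource named in the error log) is applied after this one.
    file { "/home/user1/.ssh":
        ensure  => directory,
        owner   => "user1",
        group   => "group",
        mode    => "0700",
        require => User["user1"],
    }

    ssh::auth::client { "user1@lan": }

    ssh::auth::server { "user1@lan": }
    ssh::auth::server { "user2@lan": user => "user1" }
}

node node1 {
    include user::admins
}
```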
Kassec
2009-Dec-30 23:43 UTC
[Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
On Dec 29, 1:10 pm, Andrew Schulman <google-groups- and...@sneakemail.com> wrote:
> There are actually two problems here:
>
> (1) ssh::auth was trying to authorize the user2@lan key in the wrong place, i.e.
> in /home/user2/.ssh/authorized_keys. I just uploaded a new release, 0.3.2, that
> fixes this problem.

Looks Fine.

I spent some time to find the subtle difference (regarding $home) between :

    ssh::auth::server { "root@ssh": }

And :

    ssh::auth::server { "root@ssh":
        user => "root",
    }

;)

Just find me a way of installing one key into several user's authorized_keys and I'll be your happiest user ever !
Andrew Schulman
2009-Dec-31 00:20 UTC
Re: [Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
> I spent some time to find the subtle difference (regarding $home)
> between :
>
> ssh::auth::server { "root@ssh": }
>
> And :
>
> ssh::auth::server { "root@ssh":
>     user => "root",
> }
>
> ;)

Please, enlighten me. If it's not right, I'll correct it.

> Just find me a way of installing one key into several user's
> authorized_keys and I'll be your happiest user ever !

I'm looking into it.

Andrew.
Kassec
2009-Dec-31 00:49 UTC
[Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
Oops, I've been too fast. When I try to ssh::auth::key (realize Ssh::Auth::Key["$keyname"]) and ssh::auth::server without ssh::auth::client on a node, it fails on the master :

    err: Failed to realize virtual resources Ssh::Auth::Key[xxx@ssh]

I ran the server in debug and didn't get any more information about this failure.

On Dec 31, 1:20 am, Andrew Schulman <google-groups- and...@sneakemail.com> wrote:
> > I spent some time to find the subtle difference (regarding $home)
> > between :
> >
> > ssh::auth::server { "root@ssh": }
> >
> > And :
> >
> > ssh::auth::server { "root@ssh":
> >     user => "root",
> > }
> >
> > ;)
>
> Please, enlighten me. If it's not right, I'll correct it.

What surprised me and made me lose some time to understand was the default "/home" you add in your code. I hate "hidden" defaults ... Perhaps you could either : update your doc about this default or just remove it ... My feeling is not to have defaults in the code since this isn't reliable over time: just remove it and force users to code it. This is just my advice and any default won't hurt me anymore since I now force this parameter ;)

For my code, I use a lot of "xxx_prefix" parameters. I set them once with default values and I can still change them later, on a case by case basis.

> > Just find me a way of installing one key into several user's
> > authorized_keys and I'll be your happiest user ever !
>
> I'm looking into it.

I'd like to see how ... Will certainly be a good puppet lesson for me ;)
Andrew Schulman
2009-Dec-31 04:27 UTC
Re: [Puppet Users] Re: Newbie trying ModuleSSHAuth : getting resource Ssh_auth_key_namecheck[id_rsa] already exists.
> Oops, I've been too fast. When I try to ssh::auth::key (realize
> Ssh::Auth::Key["$keyname"]) and ssh::auth::server without
> ssh::auth::client on a node, it fails on the master :
>
> err: Failed to realize virtual resources Ssh::Auth::Key[xxx@ssh]

ssh::auth::key can't be made into a virtual resource at present, so

    realize Ssh::Auth::Key[$keyname] # INCORRECT

isn't the right usage. The right usage is as shown in http://www.reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth#basic-usage.

However, I am thinking of changing to a virtual-resource type of interface. That's what the "unstable" note at the top of http://www.reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth is about. So instead of writing e.g.

    ssh::auth::key { "alice": }
    node sshserver {
        ssh::auth::server { "alice": }
    }

you might write something like

    @ssh::auth::key { "alice": }
    node sshserver {
        realize Ssh::Auth::Key { "alice": }
    }

There are some complications to this, and I haven't decided yet which method is best. But for now, you'll have to stick with the first method.

> > > I spent some time to find the subtle difference (regarding $home)
> > > between :
> > >
> > > ssh::auth::server { "root@ssh": }
> > >
> > > And :
> > >
> > > ssh::auth::server { "root@ssh":
> > >     user => "root",
> > > }
> > >
> > > ;)
> >
> > Please, enlighten me. If it's not right, I'll correct it.
>
> What surprised me and made me lose some time to understand was the
> default "/home" you add in your code. I hate "hidden" defaults ...
> Perhaps you could either : update your doc about this default or just
> remove it ... My feeling is not to have defaults in the code since
> this isn't reliable over time: just remove it and force users to code
> it. This is just my advice and any default won't hurt me anymore since
> I now force this parameter ;)

http://www.reductivelabs.com/trac/puppet/wiki/Recipes/ModuleSSHAuth#home clearly states that the default is /home/$user. Of course that isn't generally right for root or for other system users, but it can be overridden as you say.

But what I thought I understood you to say is that the two cases mentioned above give different values of $home. That shouldn't happen, but it might if you specify $home in ssh::auth::key, and $user but not $home in ssh::auth::server or ::client. I'll look into that too.

> > > Just find me a way of installing one key into several user's
> > > authorized_keys and I'll be your happiest user ever !
> >
> > I'm looking into it.
>
> I'd like to see how ... Will certainly be a good puppet lesson for
> me ;)

And for me too :| Frankly, on first look I doubt that it can be done in just Puppet, without dropping into Ruby. The problem is that Puppet's array handling is very primitive. You can loop over arrays using defines, but that's about all, and it may not be enough for this case.

I suspect that the solution to this problem will only come by converting the ssh::auth defines into native Ruby types. I'd like to do that eventually, in order to do some of the processing in a more straightforward way, and probably get better performance too. But it would take a fairly large amount of time, and I'm not sure that I have it.

Andrew.