Tobias Lott
2010-Nov-09 19:11 UTC
[Puppet Users] Realizing wrong ssh key for the wrong user
Hey Everyone

I've defined my users in a class called 'user::virtual' and the included user::server1 class to realize the users for a nodegroup.

Problem is puppet is trying to realize all keys for all the users.
f.e. user peto gets key peto, tobi0 and tobi1 and user tobi gets peto, tobi0 and tobi1

Manifests
http://dpaste.com/273017/

Error message
http://dpaste.com/273018/

Thanks everyone

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Tony G.
2010-Nov-09 20:38 UTC
Re: [Puppet Users] Realizing wrong ssh key for the wrong user
Tobias,

On Tue, Nov 9, 2010 at 1:11 PM, Tobias Lott <tlott@ebel-syste.ms> wrote:

> Hey Everyone
>
> I've defined my users in a class called 'user::virtual' and the included
> user::server1 class to realize the users for a nodegroup.
>
> Problem is puppet is trying to realize all keys for all the users.
> f.e. user peto gets key peto, tobi0 and tobi1 and user tobi gets peto,
> tobi0 and tobi1
>
> Manifests
> http://dpaste.com/273017/
>
> Error message
> http://dpaste.com/273018/

Looks like you need to make sure the home directory and your users exist before attempting to create its ssh_authorized keys.

Some metaparameters you might find useful are before, require.
http://docs.puppetlabs.com/references/2.6.2/metaparameter.html

> Thanks everyone

--
Tony
http://blog.tonyskapunk.net
Tobias Lott
2010-Nov-09 20:47 UTC
Re: [Puppet Users] Realizing wrong ssh key for the wrong user
> Tobias,
>
> On Tue, Nov 9, 2010 at 1:11 PM, Tobias Lott <tlott@ebel-syste.ms> wrote:
>
>> Hey Everyone
>>
>> I've defined my users in a class called 'user::virtual' and the included
>> user::server1 class to realize the users for a nodegroup.
>>
>> Problem is puppet is trying to realize all keys for all the users.
>> f.e. user peto gets key peto, tobi0 and tobi1 and user tobi gets peto,
>> tobi0 and tobi1
>>
>> Manifests
>> http://dpaste.com/273017/
>>
>> Error message
>> http://dpaste.com/273018/
>
> Looks like you need to make sure the home directory and your users exist
> before attempting to create its ssh_authorized keys.
>
> Some metaparameters you might find useful are before, require.
> http://docs.puppetlabs.com/references/2.6.2/metaparameter.html

Problem isn't Directories not getting created but every user is getting ALL ssh keys

>> Thanks everyone
>
> --
> Tony
> http://blog.tonyskapunk.net
jcbollinger
2010-Nov-10 17:10 UTC
[Puppet Users] Re: Realizing wrong ssh key for the wrong user
On Nov 9, 2:47 pm, "Tobias Lott" <tl...@ebel-syste.ms> wrote:

> Problem isn't Directories not getting created but every user is getting
> ALL ssh keys

I see the error messages appearing to indicate attempts to distribute keys to users who should not have them. The attempts seem not to be successful, however. Do the correct keys successfully get distributed to the correct users, or do all key distribution attempts fail? Are there circumstances under which Puppet genuinely does install keys for users that should not have them?

I can imagine that the provider for ssh_authorized_keys may boneheadedly attempt to read authorized_keys files that it doesn't actually need to read (or write). If you have Puppet installed in a manner that prevents puppetd from successfully accessing those files, then the error messages may simply signal inefficiency, rather than a bona fide attempt to distribute keys incorrectly.

Note also that there appears to be a typo in your manifest fragment: key "peto" is assigned to user "petov" (not "peto"). It would be very strange, but within the realm of possibility, if your problem disappeared after you correct that.

Regards,

John
Tobias Lott
2010-Nov-12 07:50 UTC
Re: [Puppet Users] Re: Realizing wrong ssh key for the wrong user
> On Nov 9, 2:47 pm, "Tobias Lott" <tl...@ebel-syste.ms> wrote:
>> Problem isn't Directories not getting created but every user is getting
>> ALL ssh keys
>
> I see the error messages appearing to indicate attempts to distribute
> keys to users who should not have them. The attempts seem not to be
> successful, however. Do the correct keys successfully get distributed
> to the correct users, or do all key distribution attempts fail? Are
> there circumstances under which Puppet genuinely does install keys for
> users that should not have them?

Only the correct keys are actually distributed, however this Problem occurs only on some Machines whether it's Ubuntu (10.10) 32 or 64 Bit.

Additionally the authorized_key files are being flooded with the same keys over and over again.
F.e. if one user has only 1 Key it's appended almost every run, what's the problem there?

I've tried to remove the file and let puppet create it, but it's still the same.

> I can imagine that the provider for ssh_authorized_keys may
> boneheadedly attempt to read authorized_keys files that it doesn't
> actually need to read (or write). If you have Puppet installed in a
> manner that prevents puppetd from successfully accessing those files,
> then the error messages may simply signal inefficiency, rather than a
> bona fide attempt to distribute keys incorrectly.
>
> Note also that there appears to be a typo in your manifest fragment:
> key "peto" is assigned to user "petov" (not "peto"). It would be very
> strange, but within the realm of possibility, if your problem
> disappeared after you correct that.

True was a typo, but didn't fix it.

> Regards,
>
> John
jcbollinger
2010-Nov-12 14:27 UTC
[Puppet Users] Re: Realizing wrong ssh key for the wrong user
On Nov 12, 1:50 am, "Tobias Lott" <tl...@ebel-syste.ms> wrote:

> Only the correct keys are actually distributed, however this Problem
> occurs only on some Machines whether it's Ubuntu (10.10) 32 or 64 Bit.

> Additionally the authorized_key files are being flooded with the same keys
> over and over again.
> F.e. if one user has only 1 Key it's appended almost every run, what's the
> problem there?

I speculate that puppetd is being prevented from reading (some of the) authorized_keys files when it attempts to determine which keys are already installed. That would explain the error messages you reported. Somehow it can still create or update at least some of the files, however; that would explain the key duplication. Being able to write but not read a file would be very screwy, but by no means impossible.

Since the problem appears only on some systems, comparing systems on which it works to systems on which it doesn't may be illuminating. Particular things to consider:

* Is the Puppet client running as root?
* Is SELinux enabled in enforcing mode?
* Are user home directories mounted via NFS with root-squashing, such that the local root user does not have privileged access to them?
* Do any relevant files or directories (including parent directories) have strange permissions? For instance, directories with execute (or read) permission disabled?
* Generally, is there some other mechanism that may be denying puppetd access to the authorized_keys files?

Although the key duplication could easily be a symptom of the same underlying issue as the error messages, it could also reflect a separate issue. Compare the keys as installed on the client to the definitions in your manifest -- do you see anything that could explain Puppet not recognizing the installed key as the same one it wants to ensure present?

> I've tried to remove the file and let puppet create it, but it's still the
> same.

Is there anything unusual about the authorized_key files that result from this treatment? For example, unexpected UID/GID or permissions?
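
Added example, not part of the thread and not written by any of its participants: a small shell audit for the two symptoms discussed above, the same key being appended to authorized_keys repeatedly and a path to that file which the agent's user cannot read or traverse. The function names and the sample file contents are constructed for illustration, and the option parsing assumes no option value itself contains a key-type token.

```shell
#!/bin/sh
# Added example, not from the thread. Run as the user the Puppet agent runs as.

# dup_keys FILE: print "<count> <keytype> <comment>" for every key blob that
# occurs more than once in FILE.
dup_keys() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        {
            # Entry layout: [options] keytype base64-blob [comment].
            # Find the keytype field; the blob is the field after it.
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) {
                    blob = $(i + 1)
                    count[blob]++
                    label[blob] = $i " " $(i + 2)
                    break
                }
        }
        END { for (b in count) if (count[b] > 1) print count[b], label[b] }
    ' "$1" | sort
}

# access_problems FILE: report the file if the current user cannot read it,
# and every parent directory that user cannot search (missing execute bit).
access_problems() {
    p=$1
    [ -r "$p" ] || echo "unreadable: $p"
    while [ "$p" != "/" ] && [ "$p" != "." ]; do
        p=$(dirname "$p")
        [ -x "$p" ] || echo "not searchable: $p"
    done
}

# Constructed sample (not real keys): one key for "peto" present three times,
# once with an options prefix, plus a single key for "tobi0".
sample=$(mktemp -d)/authorized_keys
cat > "$sample" <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAAConstructedPeto peto
ssh-rsa AAAAB3NzaC1yc2EAAAAConstructedPeto peto
from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAAConstructedPeto peto
ssh-rsa AAAAB3NzaC1yc2EAAAAConstructedTobi0 tobi0
EOF
dup_keys "$sample"          # -> 3 ssh-rsa peto
access_problems "$sample"   # prints nothing when every component is accessible
```

Comparing the output on a host that shows the duplication with one that does not narrows the question to whether the file is unreadable to the agent or the installed entry differs from the manifest's definition.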