I had to write up a quick *.pp to push out SSH keys for our nagios user, while I work on a better solution for managing these. To my surprise, I found multiples (100 or more?) of the same key in the authorized_keys file, which is definitely wrong. I'm including the simple code below -- can someone please advise me on what the problem is??

The section that handles the virtual user seems to be fine.

Thanks in advance...

class nagios-ssh-keys {

    file { "/home/nagios/.ssh":
        require => User["nagios"],
        ensure  => directory,
        owner   => "nagios",
        group   => "staff",
        mode    => "700",
    }

    ssh_authorized_key { "nagios":
        ensure => present,
        key    => "AAAA[snip]== nagios@host",
        user   => "nagios",
        type   => "ssh-dss",
        # require => User["nagios"],
        tag    => "system",
    }

} # ssh-keys

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Apr 11, 2011, at 1:40 PM, Forrie wrote:

> ssh_authorized_key { "nagios":
>     ensure => present,
>     key    => "AAAA[snip]== nagios@host",
>     user   => "nagios",
>     type   => "ssh-dss",
>     # require => User["nagios"],
>     tag    => "system",
> }

I believe I remember hearing this can happen if you include things other than the key in the key field. Try removing "nagios@host" from the key field and see if it's fixed.

Stefan Schulte
2011-Apr-11 21:14 UTC
Re: [Puppet Users] Problem with pushing ssh_authorized_keys
On Mon, Apr 11, 2011 at 01:40:42PM -0700, Forrie wrote:
> I had to write up a quick *.pp to push out SSH keys for our nagios
> user, while I work on a better solution for managing these. To my
> surprise, I found multiples (100 or more?) of the same key in the
> authorized_keys file, which is definitely wrong. I'm including the
> simple code below -- can someone please advise me on what the problem
> is??
>
> The section that handles the virtual user seems to be fine.
>
> Thanks in advance...
>
> class nagios-ssh-keys {
>
>     file { "/home/nagios/.ssh":
>         require => User["nagios"],
>         ensure  => directory,
>         owner   => "nagios",
>         group   => "staff",
>         mode    => "700",
>     }
>
>     ssh_authorized_key { "nagios":
>         ensure => present,
>         key    => "AAAA[snip]== nagios@host",
>         user   => "nagios",
>         type   => "ssh-dss",
>         # require => User["nagios"],
>         tag    => "system",
>     }
>
> } # ssh-keys

Hi,

what you're specifying as a key is actually a key (AAA...) and a comment (nagios@host). As a result puppet will most likely write a corrupt entry to your authorized_key file (because puppet will append the resource's title »nagios« as a comment to your key) and it will not recognize the key when you run puppet the next time (because puppet will parse every line, extract the comment and try to find a resource with that name). So puppet will always think that the key is absent and will then add it to the file.

Solution: Don't specify a comment with the key property (at least don't use whitespaces because they are field delimiters in the target file)

-Stefan

Thanks, this was the problem. Sounds like a bug to me.. ?

How can I go through my systems and remove all the 10's of redundant SSH-DSS keys that have the comment in them? I dread doing that by hand :-)

Thanks again.

On Apr 11, 5:12 pm, Patrick <kc7...@gmail.com> wrote:
> On Apr 11, 2011, at 1:40 PM, Forrie wrote:
>
> > ssh_authorized_key { "nagios":
> >     ensure => present,
> >     key    => "AAAA[snip]== nagios@host",
> >     user   => "nagios",
> >     type   => "ssh-dss",
> >     # require => User["nagios"],
> >     tag    => "system",
> > }
>
> I believe I remember hearing this can happen if you include things other than the key in the key field. Try removing "nagios@host" from the key field and see if it's fixed.

Patrick
2011-Apr-11 21:59 UTC
Re: [Puppet Users] Re: Problem with pushing ssh_authorized_keys
On Apr 11, 2011, at 2:22 PM, Forrie wrote:

> Thanks, this was the problem. Sounds like a bug to me.. ?
>
> How can I go through my systems and remove all the 10's of redundant
> SSH-DSS keys that have the comment in them? I dread doing that by
> hand :-)

Well, you can push out an empty file, and then repopulate it. Is there stuff in that file you want to keep?

Scott Smith
2011-Apr-12 00:16 UTC
Re: [Puppet Users] Re: Problem with pushing ssh_authorized_keys
egrep -v 'pubkey' ?

On Apr 11, 2011 2:22 PM, "Forrie" <forrie@gmail.com> wrote:
> Thanks, this was the problem. Sounds like a bug to me.. ?
>
> How can I go through my systems and remove all the 10's of redundant
> SSH-DSS keys that have the comment in them? I dread doing that by
> hand :-)
>
> Thanks again.
>
> On Apr 11, 5:12 pm, Patrick <kc7...@gmail.com> wrote:
>> On Apr 11, 2011, at 1:40 PM, Forrie wrote:
>>
>> > ssh_authorized_key { "nagios":
>> >     ensure => present,
>> >     key    => "AAAA[snip]== nagios@host",
>> >     user   => "nagios",
>> >     type   => "ssh-dss",
>> >     # require => User["nagios"],
>> >     tag    => "system",
>> > }
>>
>> I believe I remember hearing this can happen if you include things other than the key in the key field. Try removing "nagios@host" from the key field and see if it's fixed.

Nico -telmich- Schottelius
2011-Apr-12 07:37 UTC
Re: [Puppet Users] Re: Problem with pushing ssh_authorized_keys
Forrie [Mon, Apr 11, 2011 at 02:22:03PM -0700]:
> Thanks, this was the problem. Sounds like a bug to me.. ?
>
> How can I go through my systems and remove all the 10's of redundant
> SSH-DSS keys that have the comment in them? I dread doing that by
> hand :-)

In cdist[0] we've a type __removeline that ensures a given line is not in a file.

In puppet creating a new file[] with the content you want to have is probably the easiest solution and afterwards to populate it again in the normal way.

Cheers,

Nico

[0] http://www.nico.schottelius.org/software/cdist/

--
PGP key: 7ED9 F7D3 6B10 81D7 0EC5 5C09 D7DC C8E4 3187 7DF0
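
Added example (not part of the thread, and not Puppet's own code): a simplified Python model of the behaviour Stefan describes, where a key value that carries a comment is never matched by resource title and so is appended on every run, followed by the cleanup suggested in the replies (drop every line for that one key, keep everything else, let the corrected resource add it back once). The key blobs and the backup@host entry are constructed sample data, and parse_entry, puppet_run and remove_key are hypothetical helper names.

```python
import re

# Field that starts the key part of an authorized_keys entry (options may precede it).
KEY_TYPE = re.compile(r"^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-\S+)$")

def parse_entry(line):
    """Return (options, keytype, blob, comment), or None for blank/comment/unparsable lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields[:-1]):
        if KEY_TYPE.match(field):
            return (" ".join(fields[:i]), field, fields[i + 1], " ".join(fields[i + 2:]))
    return None

def puppet_run(lines, title, keytype, key):
    """Simplified model of one run as the thread describes it (an assumption, not
    Puppet's code): find an entry whose comment equals the title, else append one."""
    for line in lines:
        entry = parse_entry(line)
        if entry and entry[3] == title:
            return lines
    return lines + [f"{keytype} {key} {title}"]

def remove_key(lines, keytype, blob):
    """Drop every entry for one public key; keep all other lines untouched."""
    kept = []
    for line in lines:
        entry = parse_entry(line)
        if entry and entry[1:3] == (keytype, blob):
            continue
        kept.append(line)
    return kept

# Constructed sample data: short fake blobs, not real keys.
NAGIOS_BLOB = "AAAAB3NzaC1kc3MAAACBAexample=="
OTHER_LINE = 'from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABexample== backup@host'

def demo():
    lines = [OTHER_LINE]
    for _ in range(3):  # key property includes a comment: never matched, appended each run
        lines = puppet_run(lines, "nagios", "ssh-dss", NAGIOS_BLOB + " nagios@host")
    grown = len(lines)
    lines = remove_key(lines, "ssh-dss", NAGIOS_BLOB)
    for _ in range(3):  # key property is the bare blob: added once, then found
        lines = puppet_run(lines, "nagios", "ssh-dss", NAGIOS_BLOB)
    return grown, lines
```

Matching on key type and blob rather than on the whole line removes the duplicates regardless of the comment text that was appended, and leaves unrelated entries and their options in place.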