I've got a situation where a manifest fails when writing one particular key for a user. What I have is a manifest that looks like this:

    class my::accounts () {

      Ssh_authorized_key {
        ensure => present,
        type => ssh-dss,
      }

Then, after making sure the user, group, and authorized_keys2 file exist:

      ssh_authorized_key { "key-name-1":
        key => "omitted",
        user => "user",
        target => "/home/user/.ssh/authorized_keys2",
        require => File["/home/user/.ssh/authorized_keys2"],
      }

There's a lengthy series of these -- most of them work, but one will fail with this error:

    Error: Puppet::Util::FileType::FileTypeFlat could not write /home/user/.ssh/authorized_keys2: Permission denied - /home/user/.ssh/authorized_keys2
    Error: /Stage[main]/My::Accounts/Ssh_authorized_key[key-name-8]: Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write /home/xmmgr/.ssh/authorized_keys2: Permission denied - /home/user/.ssh/authorized_keys2

This is not the first nor the last key, and I get around 19 entries in the file, so I'm not seeing why this one in particular is failing. Structurally, it looks exactly like all the others. Any ideas?

Thanks!

Bret Wortman
http://damascusgrp.com/
http://bretwortman.com/
http://twitter.com/BretWortman

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

I see this all the time. It happens due to lacks in the ssh_authorized_key type and the error message isn't very helpful. If the type sees something that it doesn't understand in the file this will happen, also when it runs into things that it does not support. I had a user change from dsa to rsa key and that caused this error on every system that had the old key. This also blocks other things in the manifest from running.

Usually I just delete the bad files and let puppet recreate them. But you could also just remove the bad entries.

Steven

Date: Tue, 7 May 2013 10:11:44 -0400
Subject: [Puppet Users] Trouble writing authorized_keys2
From: bret.wortman@damascusgrp.com
To: puppet-users@googlegroups.com

Do you also see notice messages about changing targets? If an ssh key is already present in targetA and you specify targetB in your manifest, puppet will try to migrate the key from targetA to targetB. As a result puppet has to rewrite both targetA (remove the key) and targetB (add the key) and there is a known bug where puppet tries to write the files with the wrong user context (hence the Permission denied messages).

So if you see "target change" events, you'll probably hit http://projects.puppetlabs.com/issues/10850#note-12

-Stefan

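Added example, not part of the thread and not Puppet's own code: a pre-flight audit for the two causes named in the replies above, entries the type cannot parse or whose key type changed (Steven) and managed keys sitting in a file other than the manifest's target (Stefan). It assumes keys are matched by the comment field, which is what the ssh_authorized_key resource name refers to; `parse_line`, `audit`, `KEY_TYPES` and the sample data are hypothetical names and constructed values.

```ruby
# Added example, not from the thread. KEY_TYPES is a constructed list for this
# check, not Puppet's own list of supported types.
KEY_TYPES = %w[ssh-dss ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256].freeze
Entry = Struct.new(:file, :lineno, :type, :name)

# Parse "[options] type base64-key comment"; nil when the line does not fit.
def parse_line(file, lineno, line)
  fields = line.strip.split(/\s+/)
  idx = fields.index { |f| KEY_TYPES.include?(f) }
  return nil if idx.nil? || fields.size < idx + 3 # key blob and comment needed
  return nil unless fields[idx + 1] =~ %r{\A[A-Za-z0-9+/]+=*\z}
  Entry.new(file, lineno, fields[idx], fields[(idx + 2)..-1].join(' '))
end

# files: { path => content }, managed: { key name => type in the manifest }.
# Reports lines that do not parse, managed keys found outside `target`
# (a "target change" on the next run), and managed keys whose type changed.
def audit(files, target, managed)
  report = { unparsed: [], wrong_target: [], type_mismatch: [] }
  files.each do |path, content|
    content.each_line.with_index(1) do |line, n|
      next if line.strip.empty? || line.lstrip.start_with?('#')
      entry = parse_line(path, n, line)
      if entry.nil?
        report[:unparsed] << [path, n]
      elsif managed.key?(entry.name)
        report[:wrong_target] << [entry.name, path] if path != target
        report[:type_mismatch] << [entry.name, entry.type] if entry.type != managed[entry.name]
      end
    end
  end
  report
end

# Constructed sample: paths and key names follow the thread, key blobs are fake.
TARGET = '/home/user/.ssh/authorized_keys2'
SAMPLE = {
  TARGET => "ssh-dss AAAAB3NzaC1kc3MAAACB key-name-1\n" \
            "ssh-rsa AAAAB3NzaC1yc2EAAAAD key-name-7\n" \
            "this line was hand-edited and is not a key\n",
  '/home/user/.ssh/authorized_keys' => "ssh-dss AAAAB3NzaC1kc3MAAACC key-name-8\n"
}.freeze
MANAGED = %w[key-name-1 key-name-7 key-name-8].map { |n| [n, 'ssh-dss'] }.to_h.freeze

audit(SAMPLE, TARGET, MANAGED).each { |kind, hits| puts "#{kind}: #{hits.inspect}" }
```

On a real host, build the `files` hash with `File.read` over every authorized_keys file in the user's `.ssh` directory and run it before the Puppet run.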
I ended up deleting the whole .ssh directory for these users and that resolved the problem. It's also worked well on new systems now, so I think I'm out of the woods.

Thanks for the pointers!

On Tuesday, May 7, 2013 2:09:40 PM UTC-4, Stefan Schulte wrote:
> Do you also see notice messages about changing targets? If an ssh key is
> already present in targetA and you specify targetB in your manifest,
> puppet will try to migrate the key from targetA to targetB. As a result
> puppet has to rewrite both targetA (remove the key) and targetB (add
> the key) and there is a known bug where puppet tries to write the files
> with the wrong user context (hence the Permission denied messages).
>
> So if you see "target change" events, you'll probably hit
> http://projects.puppetlabs.com/issues/10850#note-12
>
> -Stefan