Feature #1581
Ability to purge .ssh/authorized_keys
| Status: | Accepted | Start date: | 09/19/2008 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | ssh | | |
| Target version: | - | | |
| Affected Puppet version: | 0.24.4 | Branch: | |
| Keywords: | | | |
| Votes: | 18 | | |
Description
As I’m new to puppet I’ll try to describe this as well as I can.
I wanted to use the ssh_authorized_key type to add keys to ssh. After a discussion on IRC I was suggested to use virtual resources and realize each key for each class needed. This worked well for me.
However I am not able to purge all other keys from the authorized_keys file without either specifying the comment or by copying an empty file there before adding the keys, which causes the system to lock up until the update is done.
I tried using the resources{} type, but as ssh_authorized_key doesn’t support “self.instances” this was also of no success.
The feature I’d like to have is an implementation of “instances” so resources{} works for authorized_keys.
History
Updated by James Turnbull over 3 years ago
- Category set to ssh
- Status changed from Unreviewed to Accepted
- Assignee set to Puppet Community
- Target version set to 4
Updated by Francois Deppierraz over 3 years ago
- Assignee changed from Puppet Community to Francois Deppierraz
Updated by Paul Lathrop over 2 years ago
Well, I tried to dig into this one today and I think the OP’s analysis is incorrect. ssh_authorized_keys derives from ParsedFile, which does have instances defined. AFAICT, ssh_authorized_keys should be able to be purged; it doesn’t do anything all that differently from the hosts provider.
Updated by Francois Deppierraz over 2 years ago
Hi Paul,
Yes, ParsedFile has support for purging resources. But, for this to work with that particular type, it needs prior knowledge of all authorized_keys files present on the system.
Updated by Ioannis Aslanidis 10 months ago
Can we see this happening in 2.6.x?
Updated by James Turnbull 9 months ago
- Target version deleted (4)
Updated by Justin Lambert 9 months ago
This would be a very nice feature to have to help ensure that nobody has added a key without our knowledge. Currently we push out a file to ensure that, but managing the resource would be preferred.
Updated by Job Snijders 6 months ago
Justin Lambert wrote:
This would be a very nice feature to have to help ensure that nobody has added a key without our knowledge. Currently we push out a file to ensure that, but managing the resource would be preferred.
I agree. This bug affects me too. (puppet 2.7.6-1 from debian unstable)
Updated by David Schmitt 3 months ago
As a first step, it might be enough to purge only the keys of users who have any key managed by puppet. This way it would avoid having to look at all users (which, admittedly, might be way too many).
Updated by Chris Hozian 25 days ago
A temporary workaround bypassing the ssh_authorized_key resource is shown at http://serverfault.com/questions/316062/using-puppet-to-remove-ssh-keys-not-explicitly-allowed.
Updated by Nathaniel Cook 19 days ago
Has there been any progress on fixing this? The workaround suggested could work but would require a large refactor to our system.
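The check that Justin Lambert’s comment asks for, detecting authorized_keys entries that Puppet does not manage, can be done outside the provider while the type lacks instances. The following Ruby is an added example, not code from the Puppet project or from this ticket: it parses authorized_keys content (including the optional options prefix such as command="..." or from="...") and reports every entry whose type and key material are absent from a constructed allowlist of managed keys.

```ruby
# Added example: audit OpenSSH authorized_keys content against an allowlist of
# managed "type key" pairs. Not part of Puppet; the sample data is constructed.
require 'set'

# Key types OpenSSH accepts; the options prefix may contain quoted strings
# with spaces and commas, so it is matched with a quote-aware token regex.
KEY_TYPE = /(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)/
OPTIONS  = /(?:[^\s"]|"(?:\\"|[^"])*")+/
LINE_RE  = /\A\s*(?:(#{OPTIONS})\s+)?(#{KEY_TYPE})\s+([A-Za-z0-9+\/]+=*)(?:\s+(.*))?\z/

AuthorizedKey = Struct.new(:options, :type, :key, :comment, :line_no)

# Parse authorized_keys text into entries; blank lines and comments are skipped,
# lines that do not parse are kept as 'unparseable' so they are never silently
# accepted.
def parse_authorized_keys(text)
  text.each_line.with_index(1).each_with_object([]) do |(line, n), keys|
    stripped = line.chomp
    next if stripped.strip.empty? || stripped.lstrip.start_with?('#')
    m = LINE_RE.match(stripped)
    keys << (m ? AuthorizedKey.new(m[1], m[2], m[3], m[4], n) :
                 AuthorizedKey.new(nil, 'unparseable', nil, stripped, n))
  end
end

# Return every entry that is not in the managed allowlist. The allowlist holds
# "type key [comment]" strings; only type and key material are compared, so a
# changed comment or added options on a managed key does not hide it.
def unmanaged_keys(text, managed)
  allowed = managed.map { |s| s.split[0, 2].join(' ') }.to_set
  parse_authorized_keys(text).reject do |k|
    k.type != 'unparseable' && allowed.include?("#{k.type} #{k.key}")
  end
end

# Constructed sample data (placeholder key material, not real keys).
MANAGED = [
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0000000000000000000000000000000000 ops@bastion'
].freeze
SAMPLE = <<~KEYS
  # keys managed by puppet
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0000000000000000000000000000000000 ops@bastion
  command="/usr/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructed backup@nas
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQAAUnknownKey rogue@somewhere
KEYS

if __FILE__ == $PROGRAM_NAME
  unmanaged_keys(SAMPLE, MANAGED).each do |k|
    puts "line #{k.line_no}: unmanaged #{k.type} key (#{k.comment})"
  end
end
```

On a real host the text would be read from each user’s authorized_keys file and the allowlist from the catalog’s ssh_authorized_key resources.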