Bug #1799

Sshkey exported resource with wrong hostname

Added by anarcat - over 3 years ago. Updated about 2 years ago.

Status: Rejected
Start date: 12/06/2008
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: ssh
Target version: -
Affected Puppet version: 0.24.5
Branch:
Keywords:
Votes: 0

Description

It seems there was a regression at some point on 0.24.5 or before that broke the sshkey exported resources. I’m using the sshd module described at https://labs.riseup.net/code/repositories/browse/module-sshd/manifests to manage my /etc/ssh/ssh_known_hosts file. This does the following:

    # Now collect all server keys
    Sshkey <<||>>

and on the servers:

      @@sshkey{"$fqdn":
        type => ssh-rsa,
        key => $sshrsakey_key,
        ensure => present,
      }

I confirm the resources are stored in the sqlite database:

    sqlite> select resources.id,resources.title,resources.restype,hosts.name from resources  JOIN hosts on host_id = hosts.id where restype='Sshkey';
    1462399|puppet.koumbit.net|Sshkey|puppet.koumbit.net
    1463032|shell.koumbit.net|Sshkey|shell.koumbit.net
    1463089|puppet.koumbit.net|Sshkey|alexandria.koumbit.net
    1463152|puppet.koumbit.net|Sshkey|log.koumbit.net
    1463193|puppet.koumbit.net|Sshkey|alternc.koumbit.net
    1463316|puppet.koumbit.net|Sshkey|demeter.koumbit.net
    1463360|puppet.koumbit.net|Sshkey|nagios.koumbit.net
    1463419|puppet.koumbit.net|Sshkey|auth.koumbit.net
    1463450|puppet.koumbit.net|Sshkey|ns3.koumbit.net
    1463480|puppet.koumbit.net|Sshkey|vozmob.koumbit.net
    1463547|puppet.koumbit.net|Sshkey|hostmaster.koumbit.net
    1463581|puppet.koumbit.net|Sshkey|chronos.koumbit.net
    1463634|puppet.koumbit.net|Sshkey|cache1.koumbit.net
    1463682|puppet.koumbit.net|Sshkey|cache0.koumbit.net
    1463732|puppet.koumbit.net|Sshkey|filet.koumbit.net
    1463778|puppet.koumbit.net|Sshkey|hesiode.koumbit.net

Notice how the title of the resource is always the same regardless of the host the resource was exported from… I don’t think this is normal, so I tried fixing that:

    sqlite> insert OR REPLACE into resources  select resources.id,hosts.name,resources.restype,host_id,resources.source_file_id,exported,line,resources.updated_at from resources  JOIN hosts on host_id = hosts.id where restype='Sshkey';
    sqlite> select resources.id,resources.title,resources.restype,hosts.name from resources  JOIN hosts on host_id = hosts.id where restype='Sshkey';
    1462399|puppet.koumbit.net|Sshkey|puppet.koumbit.net
    1463032|shell.koumbit.net|Sshkey|shell.koumbit.net
    1463089|alexandria.koumbit.net|Sshkey|alexandria.koumbit.net
    1463152|log.koumbit.net|Sshkey|log.koumbit.net
    1463193|alternc.koumbit.net|Sshkey|alternc.koumbit.net
    1463316|demeter.koumbit.net|Sshkey|demeter.koumbit.net
    1463360|nagios.koumbit.net|Sshkey|nagios.koumbit.net
    1463419|auth.koumbit.net|Sshkey|auth.koumbit.net
    1463450|ns3.koumbit.net|Sshkey|ns3.koumbit.net
    1463480|vozmob.koumbit.net|Sshkey|vozmob.koumbit.net
    1463547|hostmaster.koumbit.net|Sshkey|hostmaster.koumbit.net
    1463581|chronos.koumbit.net|Sshkey|chronos.koumbit.net
    1463634|cache1.koumbit.net|Sshkey|cache1.koumbit.net
    1463682|cache0.koumbit.net|Sshkey|cache0.koumbit.net
    1463732|filet.koumbit.net|Sshkey|filet.koumbit.net
    1463778|hesiode.koumbit.net|Sshkey|hesiode.koumbit.net

That didn’t work: running the catalog still doesn’t create proper keys for all those hosts in the hosts file.

History

Updated by anarcat - over 3 years ago

  • Status changed from Unreviewed to Rejected

So the issue was in the module I’m using. It was doing this:

  case $sshrsakey_key {
    '': { info("no sshrsakey on $fqdn") }
    default: {
      @@sshkey{"$hostname.$domain":
        type => ssh-rsa,
        key => $sshrsakey_key,
        ensure => present,
      }
    }
  }

It’s a subtle error: the $sshrsakey_key has been renamed in later versions of facter, so it’s now $sshrsakey.

So this whole thing is a typical case of a resource not being exported. The @@sshkey line was never being run on the node. The info() was never displayed in my logs for some reason too.

The proper code is this:

  case $sshrsakey {
    '': { info("no sshrsakey on $fqdn") }
    default: {
      @@sshkey{"$hostname.$domain":
        type => ssh-rsa,
        key => $sshrsakey,
        ensure => present,
      }
    }
  }

I will commit the fix to our repository and expect micah to pull it fairly soon.

Sorry for the noise.
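Added example, not part of the original report or of the sshd module: a storeconfigs audit that flags hosts whose exported Sshkey is titled after another host, or that export none at all, which is how a silently skipped `@@sshkey` shows up before ssh_known_hosts drifts. The schema is an assumption reconstructed from the column order of the INSERT statement in the report, the sample rows are constructed, and `audit_sshkeys` and `build_sample_db` are hypothetical names.

```python
import sqlite3

# Schema assumed from the column order of the INSERT in the report;
# a real storeconfigs database has more tables and columns.
SCHEMA = """
CREATE TABLE hosts (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE resources (id INTEGER PRIMARY KEY, title TEXT, restype TEXT,
    host_id INTEGER, source_file_id INTEGER, exported INTEGER, line INTEGER,
    updated_at TEXT);
"""

# Constructed sample rows modelled on the output shown in the report.
SAMPLE_HOSTS = [(1, "puppet.koumbit.net"), (2, "shell.koumbit.net"),
                (3, "log.koumbit.net"), (4, "ns3.koumbit.net")]
SAMPLE_RESOURCES = [
    (1462399, "puppet.koumbit.net", "Sshkey", 1, 1, 1, 10, "2008-12-06"),
    (1463032, "shell.koumbit.net", "Sshkey", 2, 1, 1, 10, "2008-12-06"),
    (1463152, "puppet.koumbit.net", "Sshkey", 3, 1, 1, 10, "2008-12-06"),
]  # host 4 (ns3) has no Sshkey row at all

def build_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO hosts VALUES (?, ?)", SAMPLE_HOSTS)
    db.executemany("INSERT INTO resources VALUES (?,?,?,?,?,?,?,?)", SAMPLE_RESOURCES)
    return db

# Assumption: the boolean is stored as 1 or as 't', depending on the writer.
EXPORTED = "resources.restype = 'Sshkey' AND resources.exported IN (1, 't')"

def audit_sshkeys(db):
    """Return ([(host, title)] with a foreign title, [host] exporting nothing)."""
    mismatched = db.execute(f"""
        SELECT hosts.name, resources.title FROM resources
        JOIN hosts ON resources.host_id = hosts.id
        WHERE {EXPORTED} AND resources.title <> hosts.name
        ORDER BY hosts.name""").fetchall()
    missing = [name for (name,) in db.execute(f"""
        SELECT hosts.name FROM hosts WHERE NOT EXISTS (
            SELECT 1 FROM resources
            WHERE resources.host_id = hosts.id AND {EXPORTED})
        ORDER BY hosts.name""")]
    return mismatched, missing

if __name__ == "__main__":
    bad, absent = audit_sshkeys(build_sample_db())
    for host, title in bad:
        print(f"{host}: exported Sshkey titled {title!r}")
    for host in absent:
        print(f"{host}: no exported Sshkey")
```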
