Bug #2352
ssh_authorized_key can create files it can't parse
| Status: | Accepted | Start date: | 06/19/2009 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | ssh | | |
| Target version: | 2.7.x | | |
| Affected Puppet version: | 0.24.8 | Branch: | |
| Keywords: | | | |
| Votes: | 0 | | |
Description
I have put all the keys in individual text files, and used template() to fetch the value and pass to ssh_authorized_key’s key attribute. The problem with this is that my text files contain a trailing newline[1], and this newline was copied verbatim into the resulting file, so it became
ssh-rsa AAAAB3NzaC1y…….ojH2ZMvF+Efw==
kjetilho@puppet
That is, it was split across two lines. On the next run, ssh_authorized_key aborts since the file contains a syntax error…[2]
In any case, Puppet should never generate files it can’t handle, so there are two options IMHO:
1) strip whitespace from key before writing it to file. drop the resource processing if it’s not valid base64.
2) drop the resource processing if it’s not valid base64.
I think my use case of putting the keys in individual files is common enough that whitespace trimming should be done. It would also allow splitting inline values into multi-line strings.
Workaround: use regsubst() to remove the newline from the templated value.
[1] I really don’t like text files with no terminating newline, it makes diff slightly unhappy etc.
[2] The parser is very fickle in general, it bombs on empty lines, too. Please fix that when you’re at it, not worth a separate issue I think :)
History
Updated by James Turnbull almost 3 years ago
- Category set to ssh
- Status changed from Unreviewed to Needs Decision
- Assignee set to Francois Deppierraz
Updated by Kjetil Torgrim Homme over 2 years ago
Two other cases which should be handled better:
- If the key (erroneously) contains extra text in addition to the key itself, e.g., “ssh-rsa AAAA…”, it will not be flagged, and “ssh-rsa ssh-rsa AAAA…” will be produced.
- If the key contains trailing whitespace (e.g., “AAAA…Efw===
”), it will not match the added line on the next run, and another line (of the form “ssh-rsa AAAA…Efw=== user@host”) will be appended on every Puppet run.
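The checks proposed in this report (strip whitespace, refuse anything that is not valid base64, never render a multi-line entry), sketched in Ruby as an added example; this is not code from Puppet's ssh_authorized_key type or provider. The helper names and the sample blob are constructed for illustration, and the check that the decoded blob's embedded algorithm name matches the declared type goes one step beyond what the report asks for.

```ruby
require 'base64'

# Hypothetical names; none of this is taken from Puppet itself.
class InvalidKey < ArgumentError; end

# Constructed sample blob (not a real key): 4-byte length, "ssh-rsa", filler bytes.
SAMPLE = Base64.strict_encode64([7].pack('N') + 'ssh-rsa' + "\x00" * 8)

# Drop all whitespace (trailing newline from template(), multi-line values),
# then require strict base64 whose embedded algorithm name equals the type.
def normalize_key(raw, type)
  key = raw.gsub(/\s+/, '')
  raise InvalidKey, 'key is empty' if key.empty?
  begin
    blob = Base64.strict_decode64(key)
  rescue ArgumentError
    # Catches "ssh-rsa AAAA..." pasted into the key, comments, bad padding.
    raise InvalidKey, 'key is not valid base64'
  end
  # An SSH public key blob starts with a big-endian uint32 length
  # followed by the algorithm name.
  len = blob.unpack1('N')
  name = len && blob.byteslice(4, len)
  raise InvalidKey, "blob names #{name.inspect}, expected #{type}" unless name == type
  key
end

# Render one authorized_keys entry; fail instead of writing an unparsable line.
def authorized_keys_line(type, raw_key, comment)
  line = [type, normalize_key(raw_key, type), comment].join(' ')
  raise InvalidKey, 'line break in rendered entry' if line =~ /[\r\n]/
  line
end

if __FILE__ == $PROGRAM_NAME
  puts authorized_keys_line('ssh-rsa', SAMPLE + "\n", 'user@host')
  begin
    authorized_keys_line('ssh-rsa', "ssh-rsa #{SAMPLE}", 'user@host')
  rescue InvalidKey => e
    puts "rejected: #{e.message}"
  end
end
```

Because the stored value is always the normalized form, the entry written on one run compares equal on the next, so no duplicate line is appended.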
Updated by James Turnbull about 1 year ago
- Assignee changed from Francois Deppierraz to Nigel Kersten
Updated by Nigel Kersten 9 months ago
- Status changed from Needs Decision to Accepted
- Target version set to 2.7.x
Updated by Nigel Kersten 9 months ago
- Assignee deleted (Nigel Kersten)