authorized_key module is deleting too many lines when using state: absent


Mario Garcia
May 28, 2020, 10:07:16 AM
to Ansible Project
Hello,

I need to clean up the authorized_keys files on our infra a bit. I created a simple playbook that goes and removes one key from the remote authorized_keys files, but when I run it in check/diff mode I see that it tries to remove far too many lines.


This is the playbook:

---
- hosts: all

  tasks:
    - name: remove public keys
      authorized_key:
        user: toto
        state: absent
        key: "{{ lookup('file', '/path/to/totpubkey.pub') }}"


I see absolutely no reason why on some hosts several public keys are being removed from the authorized_keys files, and since the module does not have a backup option this is a bit of a problem.

How could I perhaps use lineinfile to do the same? Or how can I detect what is causing the module to delete several lines instead of just the one provided?

Thank you.



Dick Visser
May 28, 2020, 10:35:02 AM
to ansible...@googlegroups.com
Hard to tell what is going on without more information.

* What do the keys that are being removed look like?
* What does /path/to/totpubkey.pub look like?
* What do the authorized_keys file(s) look like?

Could it be that the same pubkey is listed in your authorized_keys
several times but with different comments?

Dick



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Mario Garcia
May 28, 2020, 11:02:40 AM
to Ansible Project
Hello,

No, the keys are different, but I think that Ansible modules only match the beginning of the line, not the whole line.

I am not going to list all the public keys here, but the public key that has to be removed and the ones that are wrongly being removed have the 'same' beginning:

ssh-rsa AAAAB3NzaC1yc2EAAAA...

After this, the lines in authorized_keys differ.

So does the authorized_key module only look at the beginning of the line?

/path/to/totpubkey.pub is a normal, regular ssh-rsa public key file (a standard public key file with the public key), and the authorized_keys files are one key per line. Nothing fancy.

Dick Visser
May 28, 2020, 12:02:03 PM
to ansible...@googlegroups.com
The fact that multiple keys begin with AAAAB3NzaC1yc2EAAAA is because
they share the same header - this is OK.
The module takes the entire key string into account.

Can you maybe reproduce this in a way that we can look at it?
Otherwise it will be impossible to tell what is wrong (other than
guessing what it might be).


Dick

Dick Visser
May 28, 2020, 12:25:19 PM
to ansible...@googlegroups.com
You could try and anonymize the usernames and comments and if that has the same problems, post that file. Then you'd be only posting public keys but no user names etc?

Mario Garcia
May 28, 2020, 1:31:09 PM
to Ansible Project
I am working on it to provide you with a use case, but:

is, by any chance, the authorized_key module sanitizing, aka removing duplicate entries in the remote authorized_keys file, even if they were not in the key string passed to be removed?

In that case there is probably no issue; I must do some tests :)
I'll keep you posted.

Regards,

M

Dick Visser
May 28, 2020, 3:40:35 PM
to ansible...@googlegroups.com
On Thu, 28 May 2020 at 19:31, 'Mario Garcia' via Ansible Project
<ansible...@googlegroups.com> wrote:
>
> I am working on it to provide you with a use case, but:
>
> is, by any chance, the authorized_key module sanitizing, aka removing duplicate entries in the remote authorized_keys file, even if they were not in the key string passed to be removed?

No, there is no such sanitizing thing.
There is the 'exclusive' option but that would remove everything else
but your key. And you're not using that.

https://docs.ansible.com/ansible/latest/modules/authorized_key_module.html#parameter-exclusive

Felix Fontein
May 28, 2020, 3:52:08 PM
to Dick Visser, ansible...@googlegroups.com
Hi all,

> On Thu, 28 May 2020 at 19:31, 'Mario Garcia' via Ansible Project
> <ansible...@googlegroups.com> wrote:
> >
> > I am working on it to provide you an use case.. but.
> >
> > is by any chance the authorizing_file modules sanitizing aka
> > removing duplicates entries on the remote authorized_key file even
> > if it was not in the key string passed to be removed
>
> No, there is no such sanitizing thing.

I just looked at the code
(https://github.com/ansible-collections/ansible.posix/blob/master/plugins/modules/authorized_key.py).
It does indeed remove duplicates. It puts all lines of authorized_keys
into a dictionary, indexed by the actual key:
https://github.com/ansible-collections/ansible.posix/blob/master/plugins/modules/authorized_key.py#L450-L461

The value in the dictionary contains more information so that the file
can be rebuilt - except that duplicate keys won't survive.

It's probably a good idea to mention that in the module docs. If
someone wants to create a PR for that (it's a good start to trying PRs
for collections!), feel free!

Cheers,
Felix


Dan Idar
May 28, 2020, 7:56:48 PM
to Ansible Project
I ran some tests.

On Vagrant I created some SSH files and an authorized_keys file with duplicates, and tried to add/remove a line that is not a duplicate.

The result is that if there is a line to be added to/removed from the authorized_keys file, the duplicates are also removed; if no lines are found to be removed, then nothing happens.

Illustration:

The authorized_keys file. Notice the duplicates in lines 1, 4 and 5: line 4 has a different comment, line 5 has no comment.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 ansible
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4

This is a playbook to add a new line; removing works on the same principle:

---
- hosts: localhost
  gather_facts: false
  vars:
    keyfile: "{{ lookup('file', 'test_eckey4.pub') }}"

  tasks:
    - name: print keyfile contents
      debug:
        msg: "{{ keyfile }}"

    - name: remove public key
      authorized_key:
        path: ./test_authorized_keys
        user: vagrant
        state: present
        key: "{{ keyfile }}"


The output:

PLAY [localhost] ********************************************************************

TASK [print keyfile contents] *******************************************************
ok: [localhost] => {
    "msg": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDn1SXhFU1uZbZKUGRDWHoHovewh5BTIoAqcK/uMf8F0 vag...@localhost.localdomain"
}

TASK [remove public key] ************************************************************
--- before: ./test_authorized_keys
+++ after: ./test_authorized_keys
@@ -1,5 +1,4 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 vagrant@localhost.localdomain
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX vagrant@localhost.localdomain
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 ansible
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDn1SXhFU1uZbZKUGRDWHoHovewh5BTIoAqcK/uMf8F0 vagrant@localhost.localdomain
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4

changed: [localhost]

PLAY RECAP **************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0



Notice how lines 1, 4 and 5 are removed, the requested SSH key is added, and the last line of the dupes is re-added at the bottom of the file.

This is a neat feature, but the fact that there is no documentation at all causes concern. If I have to remove a key from a 25-line authorized_keys file and see that 10 lines are gone while I only requested one, it is, to be honest, baffling. I think that is what caused concern for the OP; RSA keys are not as easy to read as ed25519 keys.

HTH.
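The indexing Felix describes (one dictionary slot per key body, so repeated bodies overwrite each other) and the result Dan observed above, modelled in plain Python as an added example. This is not the module's own code, only a simplified reconstruction of its behaviour, and the parser assumes option strings never contain a token that itself looks like a key type. The sample file is the five-line authorized_keys Dan posted; `lines_lost_to_dedup` is the pre-flight check a practitioner would run before a `state: absent` task, and `exact_absent` shows the alternative the OP asked about, where only the requested key body is matched and every other line is left byte-for-byte intact.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the five-line authorized_keys from Dan Idar's test above.
# Lines 1, 4 and 5 share one key body and differ only in the comment field.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 ansible
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4
"""

# The key Dan's playbook added, as it appears in his "after" diff.
NEW_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDn1SXhFU1uZbZKUGRDWHoHovewh5BTIoAqcK/uMf8F0 vagrant@localhost.localdomain"

# Key-type token followed by the base64 key body. Whatever precedes it is options,
# whatever follows is the comment. Assumption: no option value contains a token that
# looks like a key type (the real module has a proper tokenizer for that case).
_KEY_RE = re.compile(
    r"(?:^|\s)(?P<type>sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com|"
    r"ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(?:256|384|521))\s+(?P<body>[A-Za-z0-9+/=]+)"
)

Entry = Tuple[str, int]  # (original line, rank = position of the LAST occurrence)


def key_body(line: str) -> Optional[str]:
    """Base64 key body of an authorized_keys line, or None for blank/comment/garbage lines."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    m = _KEY_RE.search(s)
    return m.group("body") if m else None


def index_keys(text: str) -> Dict[str, Entry]:
    """Model of the module's key indexing: one dict slot per key body, so a repeated
    body overwrites the earlier entry and only the last occurrence survives.
    Non-key lines are stored under the raw line so they are re-emitted unchanged."""
    keys: Dict[str, Entry] = {}
    for rank, line in enumerate(text.splitlines()):
        body = key_body(line)
        keys[body if body is not None else line] = (line, rank)
    return keys


def rebuild(keys: Dict[str, Entry]) -> str:
    """Model of the rewrite step: surviving entries, ordered by their recorded rank."""
    return "".join(line + "\n" for line, _ in sorted(keys.values(), key=lambda e: e[1]))


def lines_lost_to_dedup(text: str) -> List[str]:
    """Lines that vanish on ANY rewrite the module performs, whether or not the task
    named them. Run this against a fetched authorized_keys before a state=absent task."""
    kept = {rank for _, rank in index_keys(text).values()}
    return [line for rank, line in enumerate(text.splitlines()) if rank not in kept]


def module_absent(text: str, pubkey: str) -> str:
    """Model of state=absent: drop the slot for the given key, then rewrite the file.
    Duplicates of unrelated keys disappear as a side effect of the rewrite."""
    keys = index_keys(text)
    keys.pop(key_body(pubkey), None)
    return rebuild(keys)


def module_present(text: str, pubkey: str) -> str:
    """Model of state=present: a new key is ranked after the deduplicated entries, which
    is why it lands above the surviving duplicate in Dan's diff."""
    keys = index_keys(text)
    body = key_body(pubkey)
    if body not in keys:
        keys[body] = (pubkey.strip(), len(keys))
    return rebuild(keys)


def exact_absent(text: str, pubkey: str) -> str:
    """Alternative that only touches the requested key: remove every line whose key body
    matches, keep all other lines (duplicates included) untouched. This is what a
    lineinfile-style removal anchored on the key body would do."""
    body = key_body(pubkey)
    return "".join(line + "\n" for line in text.splitlines() if key_body(line) != body)


if __name__ == "__main__":
    second = SAMPLE.splitlines()[1]
    for line in lines_lost_to_dedup(SAMPLE):
        print("would silently disappear:", line)
    print("--- module-style absent of key 2 ---")
    print(module_absent(SAMPLE, second), end="")
    print("--- exact absent of key 2 ---")
    print(exact_absent(SAMPLE, second), end="")
```

On Dan's file the check reports lines 1 and 4 as doomed before any task runs, `module_present` reproduces his "after" diff exactly (the new key lands above the surviving copy of the duplicated key), and `exact_absent` removes exactly one line. Whichever route is taken, fetching the remote file first and diffing it against the rewritten result is the cheap way to get the backup the module lacks.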