Puppet Version: any
Puppet Server Version: unrelated
OS Name/Version: any Linux system using SSH

In a secured environment SSH keys may not be kept in the users' home directories, but must be located in a root-owned context (e.g. /etc/ssh/keys/<user key file>). Besides this, it is forbidden for a user to add a new key or remove an old key. Therefore the key files must be owned by the root user with access mode 0644.

When using purge_ssh_keys => ["/etc/ssh/keys/${user}"], the removal of SSH keys fails, because Puppet tries to delete the key using the user's privileges. The reason is a hard-coded setting in the Puppet type:
```ruby
# lib/puppet/type/user.rb line 785 and following:
def find_unmanaged_keys
  self[:purge_ssh_keys].
    select { |f| File.readable?(f) }.
    map { |f| unknown_keys_in_file(f) }.
    flatten.each do |res|
      res[:ensure] = :absent
      # <---------- !!!!! The generated ssh_authorized_key resource is bound to
      # the user, so the removal is attempted with that user's privileges
      # instead of root's and fails on a root-owned 0644 key file.
      res[:user] = self[:name]
      @parameters.each do |name, param|
        res[name] = param.value if param.metaparam?
      end
    end
end
```
Desired Behavior: Any unmanaged key gets removed.

Actual Behavior: Puppet throws an error that it cannot change the file.
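As an added illustration (not part of the original report), the following manifest lays out the secured configuration the report describes: key files outside $HOME, owned by root with mode 0644, and the user resource purging unmanaged keys from that file. The user name `alice`, the `sshd_config.d` drop-in and the public key value are assumptions chosen for the example; the `purge_ssh_keys` and `target` settings are the ones the report refers to, and applying this manifest with an extra, unmanaged key in the file is what triggers the error described above.

```puppet
# Added example, not from the bug report. Assumed values: the login name
# 'alice', the sshd_config.d drop-in path, and the placeholder public key.
$key_dir = '/etc/ssh/keys'
$login   = 'alice'

# Point sshd at the root-owned key location; %u expands to the login name.
# Assumes an OpenSSH that includes /etc/ssh/sshd_config.d/*.conf.
file { '/etc/ssh/sshd_config.d/50-central-keys.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => "AuthorizedKeysFile ${key_dir}/%u\n",
}

file { $key_dir:
  ensure => directory,
  owner  => 'root',
  group  => 'root',
  mode   => '0755',
}

# Root-owned and world-readable: the user can authenticate with the keys
# but cannot add or remove any of them.
file { "${key_dir}/${login}":
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  require => File[$key_dir],
}

user { $login:
  ensure     => present,
  managehome => true,
  # Remove every key in the root-owned file that Puppet does not manage.
  # This is the setting under which the report observes the failure: the
  # purge is attempted with the user's privileges against a root-owned file.
  purge_ssh_keys => ["${key_dir}/${login}"],
}

# The one key that is allowed to remain in the file.
ssh_authorized_key { "${login}@workstation":
  ensure  => present,
  user    => $login,
  type    => 'ssh-ed25519',
  key     => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_PUBLIC_KEY_MATERIAL', # constructed placeholder
  target  => "${key_dir}/${login}",
  require => File["${key_dir}/${login}"],
}
```

Managed keys are written with an explicit `target`, so the same root-owned file is the single source of truth for both what is added and what is purged; the report's point is that the purge half of that contract currently runs as the user rather than as root.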