Jira (PUP-11072) purge_ssh_keys does not work if the key file is not owned by the user

[Mihai Buzgau (Jira)]

Mihai Buzgau updated an issue

Puppet / PUP-11072 purge_ssh_keys does not work if the key file is not owned by the user Change By: Mihai Buzgau Labels: community Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

[Martin Alfke (Jira)]

Martin Alfke updated an issue

Puppet / PUP-11072 purge_ssh_keys does not work if the key file is not owned by the user

Change By: Martin Alfke Summary:

purge_ssh_keys does not work if the key file is not owned by the user

Add Comment

[Martin Alfke (Jira)]

Martin Alfke updated an issue

Puppet / PUP-11072 purge_ssh_keys does not work if the key file is not owned by the user Change By: Martin Alfke

*Puppet Version:* any *Puppet Server Version:* unrelated *OS Name/Version:* any Linux system using SSH In a secured environment ssh keys may not be in users home, but must be located in root context (e.g. /etc/ssh/keys/<user key file> Besides this it is forbidden for a user to add a new key or remove an old a key. Therefor the key files must be owned by root user using 0644 as access mode. When using purge_ssh_keys => ["/etc/ssh/keys/${user}"] within the user resource, the removal of ssh keys fails, as Puppet wants to delete the key using user privileges. Reason is a hard-coded setting in puppet type: {code:java} # lib/puppet/type/user.rb line 785 and following:     def find_unmanaged_keys       self[:purge_ssh_keys].         select { |f| File.readable?(f) }.         map { |f| unknown_keys_in_file(f) }.         flatten.each do |res|           res[:ensure] = :absent           res[:user] = self[:name]          # <---------- !!!!!           @parameters.each do |name, param|             res[name] = param.value if param.metaparam?           end         end     end {code} *Desired Behavior:* Any unmanaged key gets removed. *Actual Behavior:* Puppet throws an error, that it can not change the file.

Add Comment

[Martin Alfke (Jira)]

Martin Alfke commented on PUP-11072

Re: purge_ssh_keys does not work if the key file is not owned by the user The hardening requirements comes from CSC 14: 14.4 and 14.6 https://www.venafi.com/sites/default/files/2016-10/Venafi_Securing_SSH_CSCs_final.pdf Prevent non-superusers from installing new authorized keys for user accounts. Restrict access on identity keys to interactive use, automated process or named admin staff responsible for managing keys. Allow only authorized administrators to modify authorized keys.

Add Comment

[Mihai Buzgau (Jira)]

Mihai Buzgau updated an issue

Puppet / PUP-11072

purge_ssh_keys does not work if the key file is not owned by the user

Change By: Mihai Buzgau Sprint: Triaged tickets

Add Comment

[Mihai Buzgau (Jira)]

Mihai Buzgau updated an issue

Puppet / PUP-11072 purge_ssh_keys does not work if the key file is not owned by the user

Change By: Mihai Buzgau Team: Night's Watch

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-11072 purge_ssh_keys does not work if the key file is not owned by the user

Change By: Ciprian Badescu Story Points: 3

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-11072 purge_ssh_keys does not work if the key file is not owned by the user

Change By: Ciprian Badescu Sprint: Triaged tickets NW-2021-06-16

Add Comment

[Martin Alfke (Jira)]

Martin Alfke commented on PUP-11072

Re: purge_ssh_keys does not work if the key file is not owned by the user one possible solution: use the file owner: diff --git a/lib/puppet/type/user.rb b/lib/puppet/type/user.rb index c61432acfe..ce657d097b 100644 --- a/lib/puppet/type/user.rb +++ b/lib/puppet/type/user.rb @@ -788,7 +788,7 @@ module Puppet

map { |f| unknown_keys_in_file(f) }. flatten.each do |res| res[:ensure] = :absent

- res[:user] = self[:name] + res[:user] = File.stat(f).uid

@parameters.each do |name, param| res[name] = param.value if param.metaparam? end

maybe with an additional parameter?

Add Comment

[Gabriel Nagy (Jira)]

Gabriel Nagy commented on PUP-11072

Re: purge_ssh_keys does not work if the key file is not owned by the user

Hi Martin Alfke, A possible workaround would be to purge the keys through the root user (or another superuser), such as: user { 'root': purge_ssh_keys => ['/etc/ssh/keys/testuser'], } If we add this functionality it would good to also have something similar in the sskeys_core module. Currently the file owner is controlled by the user parameter, and the file path maps to target, so a sample authorized key would be: ssh_authorized_key { 'testuser@ubuntu': ensure => present, user => 'root', target => '/etc/ssh/keys/testuser', type => 'ssh-rsa', key => 'AAAAB3NzaqXfdaQ==', } The limitation in the module would be that the file permissions are hardcoded to 600. This can be circumvented by ensuring the mode through a file resource, but it will cause corrective changes each time an authorized key changes. (authorized key resource enforces 600, file resource enforces 644). Since the functionality you request is achievable through a workaround in the user resource, I'm inclined against adding a new parameter in the user type. Josh Cooper what are your thoughts on this?

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu assigned an issue to Gabriel Nagy

Puppet / PUP-11072

purge_ssh_keys does not work if the key file is not owned by the user

Change By: Ciprian Badescu Assignee: Gabriel Nagy

Add Comment

[Martin Alfke (Jira)]

Martin Alfke commented on PUP-11072

Re: purge_ssh_keys does not work if the key file is not owned by the user Hi Gabriel Nagy , many thanks for providing a working solution. We have tested the workaround and it works as expected. We will check on how to do purging when using puppetlabs-accounts module and will do the required work in a separate ticket.

Add Comment