How to refresh ssh/authorized_keys file content?


eduardo

Jun 12, 2012, 1:39:47 PM6/12/12
to Puppet Users
Hi all,

How to refresh ssh/authorized_keys file content?

I'm trying to load keys massively. I need to refresh the authorized_keys file
content.

I tried deleting the file before calling ssh_authorized_key:

exec { "del_${user_local}_authorized_keys":
  command => "rm /home/${user_local}/.ssh/authorized_keys ; touch /home/${user_local}/.ssh/authorized_keys ; chown ${user_local}:${user_local} /home/${user_local}/.ssh/authorized_keys",
  path    => '/bin:/usr/bin',
}

The first run only deletes the file, and on the second one I get the desired
result.

I think it is possible to create the file content using a template, but before
leaving the ssh_authorized_key resource type way I want to know if there is any
other chance.


Regards,
Eduardo.

Felix Frank

Jun 13, 2012, 3:34:37 AM6/13/12
to puppet...@googlegroups.com
Hi,

On 06/12/2012 07:39 PM, eduardo wrote:
> Hi all,
>
> How to refresh ssh/authorized_keys file content?
>
> I'm trying to load keys massively. I need to refresh the authorized_keys file
> content.
>
> I tried deleting the file before calling ssh_authorized_key:

please don't. This is *not* how you are supposed to interact with
authorized keys.

Either use the ssh_authorized_key type *or* fiddle with the file, but
don't mix them.

> exec { "del_${user_local}_authorized_keys":
>   command => "rm /home/${user_local}/.ssh/authorized_keys ; touch /home/${user_local}/.ssh/authorized_keys ; chown ${user_local}:${user_local} /home/${user_local}/.ssh/authorized_keys",
>   path    => '/bin:/usr/bin',
> }
>
> The first run only deletes the file, and on the second one I get the desired
> result.
>
> I think it is possible to create the file content using a template, but before
> leaving the ssh_authorized_key resource type way I want to know if there is any
> other chance.

A template would work.

You can also try simply pruning all unmanaged keys, so puppet will clear
all unwanted stuff out. Take note that this will affect keys of *all*
users (I believe), so you have to manage all keys on the system in question.

resources { "ssh_authorized_key": purge => true }

HTH,
Felix
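The "template would work" route above, as an added example (not Felix's code or anything from the thread): the file resource owns the entire authorized_keys content, so any key not in the manifest is gone after the next run without a deleting exec. The class name, parameters and the hash layout are assumptions.

```puppet
# Added example: manage the whole authorized_keys file from a list of keys.
# Hypothetical class; $keys is assumed to look like
#   { 'laptop' => { 'type' => 'ssh-ed25519', 'key' => 'AAAA...' }, ... }
class ssh_keys::whole_file (
  $user_local,
  $keys,
) {
  $home = "/home/${user_local}"

  # Keep the directory private to the user, as sshd expects.
  file { "${home}/.ssh":
    ensure => directory,
    owner  => $user_local,
    group  => $user_local,
    mode   => '0700',
  }

  # inline_template renders one "<type> <key> <comment>" line per entry.
  # Because the content is the full file, stale keys disappear on the next
  # run instead of surviving until someone runs rm by hand.
  file { "${home}/.ssh/authorized_keys":
    ensure  => file,
    owner   => $user_local,
    group   => $user_local,
    mode    => '0600',
    content => inline_template(
      "<% @keys.sort.each do |name, k| -%><%= k['type'] %> <%= k['key'] %> <%= name %>\n<% end -%>"
    ),
    require => File["${home}/.ssh"],
  }
}
```

Declaring any ssh_authorized_key for the same user alongside this would fight over the file, which is exactly the mixing Felix warns about.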

eduardo

Jun 13, 2012, 1:02:43 PM6/13/12
to Puppet Users
Thank you, Felix, for answering me. I owe you another one.

The bad news is that I tried resources { "ssh_authorized_key": purge =>
true } but it did not work.

The good one is that templates are great for it.


I appreciate your help,
Best regards,
eduardo.

eduardo

Jun 15, 2012, 9:21:52 AM6/15/12
to Puppet Users
Having been advised:
'it is highly recommended to migrate work from exec to native
Puppet types as quickly as possible.'

Is there any chance to purge keys?

Writing resources { "ssh_authorized_key": purge => true } in my init.pp
module does nothing.

Regards,
eduardo.

Brian Gallew

Jun 15, 2012, 10:56:16 AM6/15/12
to puppet...@googlegroups.com
"ensure => absent" is the standard syntax for all Puppet types.



Nan Liu

Jun 15, 2012, 11:19:10 AM6/15/12
to puppet...@googlegroups.com
On Fri, Jun 15, 2012 at 6:21 AM, eduardo <erod...@gmail.com> wrote:
> Having been advised:
> 'it is highly recommended to migrate work from exec to native
> Puppet types as quickly as possible.'
>
> Is there any chance to purge keys?
>
> Writing resources { "ssh_authorized_key": purge => true } in my init.pp
> module does nothing.

To support purging, the puppet type needs to be able to query all
instances of the resource. In this case, because ssh_authorized_keys
can write to different file locations, it does not have the ability to
detect all ssh keys that exist on the system and therefore it will not
have the ability to purge. In some cases, this is a limitation of the
provider which does not implement self.instances (for example this was
the case for a long time for the mysql database type), but in this case I
don't believe it will ever support it.

An easy way to see if a resource supports purging is simply via the
puppet resource command. If puppet resource <type> can list all
instances of that resource then it supports purging, otherwise it does
not.

# for example host supports purge
$ puppet resource host
host { 'ip6-allnodes':
  ensure => 'present',
  ip     => 'ff02::1',
  target => '/etc/hosts',
}
...

# try this with ssh_authorized_key, and it returns nothing
$ puppet resource ssh_authorized_key

In this case, a file fragment pattern with puppet-concat will be
suitable for managing a specific ssh key file with support for
purging.

Thanks,

Nan
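The puppet-concat fragment pattern Nan points to, as an added example that is not Nan's code or the concat module's own: one fragment per key, one concat target per user, and because the target is rebuilt from its declared fragments on every run, removing a declaration removes the key. It assumes the puppetlabs-concat module is installed; the define name, the user and the key material are made up for illustration.

```puppet
# Added example: authorized_keys assembled from concat fragments.
# Hypothetical define; requires the puppetlabs-concat module.
define ssh_keys::concat_key (
  $user_local,
  $type,
  $key,
  $order = '10',
) {
  $target = "/home/${user_local}/.ssh/authorized_keys"

  # One concat target per user, declared once even if many keys share it.
  if !defined(Concat[$target]) {
    concat { $target:
      owner => $user_local,
      group => $user_local,
      mode  => '0600',
    }
  }

  # The resource title doubles as the key comment, so `puppet agent` output
  # and the file itself both say which declaration a line came from.
  concat::fragment { "${user_local}_${title}":
    target  => $target,
    order   => $order,
    content => "${type} ${key} ${title}\n",
  }
}

# Usage: only these two keys exist after a run; drop a block to purge its key.
# Key strings below are constructed placeholders, not real key material.
ssh_keys::concat_key { 'laptop':
  user_local => 'eduardo',
  type       => 'ssh-ed25519',
  key        => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL0000000000000000000',
}

ssh_keys::concat_key { 'ci-deploy':
  user_local => 'eduardo',
  type       => 'ssh-ed25519',
  key        => 'AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL1111111111111111111',
  order      => '20',
}
```

Compared with a single template, fragments let keys be declared from several classes while the file still stays fully managed.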

eduardo

Jun 15, 2012, 12:57:04 PM6/15/12
to Puppet Users
Thank you, Nan, your answer is very clear about it.
I've gone the template way.

Regards,
eduardo.


Jo Rhett

Jun 15, 2012, 8:42:49 PM6/15/12
to puppet...@googlegroups.com
On Jun 15, 2012, at 8:19 AM, Nan Liu wrote:
> To support purging, the puppet type needs to be able to query all
> instances of the resource. In this case, because ssh_authorized_keys
> can write to different file locations, it does not have the ability to
> detect all ssh keys that exist on the system and therefore it will not
> have the ability to purge. In some cases, this is a limitation of the
> provider which does not implement self.instances (for example this was
> the case for a long time for the mysql database type), but in this case I
> don't believe it will ever support it.

Nan, this should be easy to do. Yes, there is a forest of authorized key files on the host, but for any given authorized_keys file you have a known list of what keys should be there. I know for a fact it knows about the other keys in the file, since it sometimes logs very weird error messages about them if the key's comment matches another user's name.

Since it reads in the authorized_keys file, and knows about the other keys, it should be trivial to allow a purge=>true which removes any key not defined in the manifest.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.



David Schmitt

Jun 18, 2012, 4:43:50 AM6/18/12
to puppet...@googlegroups.com
There's an issue for that:

http://projects.puppetlabs.com/issues/1581



Best Regards, David
