ssh_authorized_key in 2.7.1 and up
Martijn Grendelman
I am currently testing my catalog, that runs fine with 2.6.3, with Puppet
2.7.4. Now I am running into a problem, and I wonder why this was 'fixed'
in Puppet the way it was.
Please consider http://projects.puppetlabs.com/issues/7888
In Puppet 2.7.4, there is code [1] that prevents ssh_authorized_key
resources to contain whitespace in their names. This is a problem, because
I actually have authorized keys with whitespaces in the comments, and
these have been added through Puppet without problems.
Now, I could just decide to change the name of the keys, but the real
problem is, that I cannot use Puppet 2.7.4 to /remove/ the old key names,
due to the 'fix' above. That is rather inconvenient.
Besides, is there any REAL reason why a key comment (and the resource name
with it) can't contain any whitespace? I know that one should be careful
how to specify the resource to prevent it being added repeatedly on every
catalog run, but apart from that? I have never had any problems with it.
If whitespace is permitted from OpenSSH's point of view, shouldn't Puppet
allow it too, and fix problems like this the right way? Or am I missing
something?
Best regards,
Martijn Grendelman
Jonathan Stanton
>
> Hi,
>
> I am currently testing my catalog, that runs fine with 2.6.3, with Puppet
> 2.7.4. Now I am running into a problem, and I wonder why this was 'fixed'
> in Puppet the way it was.
>
> Please consider http://projects.puppetlabs.com/issues/7888
>
> In Puppet 2.7.4, there is code [1] that prevents ssh_authorized_key
> resources to contain whitespace in their names. This is a problem, because
> I actually have authorized keys with whitespaces in the comments, and
> these have been added through Puppet without problems.
>
I also have numerous keys with whitespace in the comments and given that this is valid for SSH, I would agree it should work with Puppet.
> Besides, is there any REAL reason why a key comment (and the resource name
> with it) can't contain any whitespace? I know that one should be careful
> how to specify the resource to prevent it being added repeatedly on every
> catalog run, but apart from that? I have never had any problems with it.
>
The fix for Issue 7888 doesn't require that the 'name' field not have whitespace, only that the 'key' field not have whitespace, so fixing that bug and allowing whitespace in comments seem compatible.
I would suggest opening a bug report that the fix to 7888 was overzealous and they should revert the first part of that patch to allow whitespace in the name field.
> If whitespace is permitted from OpenSSH's point of view, shouldn't Puppet
> allow it too, and fix problems like this the right way? Or am I missing
> something?
>
+1.
Cheers,
Jonathan
-------------------------------------------------------------------------------
Jonathan Stanton jona...@spreadconcepts.com
Spread Group Messaging www.spread.org
Spread Concepts LLC www.spreadconcepts.com
-------------------------------------------------------------------------------
Martijn Grendelman
> On Sep 29, 2011, at 7:35 AM, Martijn Grendelman wrote:
>>
>> Hi,
>>
>> I am currently testing my catalog, that runs fine with 2.6.3, with Puppet
>> 2.7.4. Now I am running into a problem, and I wonder why this was 'fixed'
>> in Puppet the way it was.
>>
>> Please consider http://projects.puppetlabs.com/issues/7888
>>
>> In Puppet 2.7.4, there is code [1] that prevents ssh_authorized_key
>> resources to contain whitespace in their names. This is a problem, because
>> I actually have authorized keys with whitespaces in the comments, and
>> these have been added through Puppet without problems.
>
> I also have numerous keys with whitespace in the comments and given
> that this is valid for SSH, I would agree it should work with Puppet.
>
>> Besides, is there any REAL reason why a key comment (and the resource name
>> with it) can't contain any whitespace? I know that one should be careful
>> how to specify the resource to prevent it being added repeatedly on every
>> catalog run, but apart from that? I have never had any problems with it.
>>
>
> The fix for Issue 7888 doesn't require that the 'name' field not have
> whitespace, only that the 'key' field not have whitespace, so fixing
> that bug and allowing whitespace in comments seem compatible.
>
> I would suggest opening a bug report that the fix to 7888 was
> overzealous and they should revert the first part of that patch to
> allow whitespace in the name field.
http://projects.puppetlabs.com/issues/9796
>
>> If whitespace is permitted from OpenSSH's point of view, shouldn't Puppet
>> allow it too, and fix problems like this the right way? Or am I missing
>> something?
>>
>
> +1.
Best regards,
Martijn Grendelman
--
iphion B.V.
TU/e Innovation Lab 1.15
Horsten 1 - 5612 AX Eindhoven - The Netherlands
Tel. +31 40 747 0117
CoC-number: 17194147
Stefan Schulte
> Hi,
>
> I am currently testing my catalog, that runs fine with 2.6.3, with Puppet
> 2.7.4. Now I am running into a problem, and I wonder why this was 'fixed'
> in Puppet the way it was.
>
> Please consider http://projects.puppetlabs.com/issues/7888
>
> In Puppet 2.7.4, there is code [1] that prevents ssh_authorized_key
> resources to contain whitespace in their names. This is a problem, because
> I actually have authorized keys with whitespaces in the comments, and
> these have been added through Puppet without problems.
>
Actually I wasn't aware that OpenSSH does support the delimiter
character in the comment field. But as it turns out also the code that
parses the authorized_key file inside puppet can handle these names.
So you're right, the type should not reject these.
Commented on http://projects.puppetlabs.com/issues/9796
-Stefan