After a little bit of digging it seems that the error is due to rights of
'/home/user/.ssh'.

In fact puppet tries to create those with the following rights:
drwxr-xr-x 2 test test 4096 Mar 14 15:51 /home/test
drwx------  2  test root 4096  Mar 14 15:51 /home/test/.ssh

When I change the rights to:
drwxr-x---  2  test root 4096  Mar 14 15:51 /home/test/.ssh

puppet completes its job. I found a similar bug:
http://projects.puppetlabs.com/issues/5395 but it seems to be closed.

Any thoughts?


Regards,
JM

On Wed, Mar 14, 2012 at 3:17 PM, Antidot SAS <antidot...@gmail.com> wrote:

> Hi everyone,
>
>
> I am using puppet 2.7.9 on debian linux setup with gem.
> I am trying to set up the define as follows:
>
> ----------------------
> define user::environment::create_authorized_key ( $dst_user = undef,
> $local_file = "/var/lib/keys/${name}", $home = undef, $options = undef ) {
>     # --[ default parameter given ]--
>     $src_user_real   = "${name}"
>     $key_src_file    = "${local_file}/key.pub"
>     $key_src_content = file($key_src_file, "/dev/null")
>
>     File {
>         owner => "${dst_user_real}",
>         group => "${dst_user_real}",
>         mode  => '0440',
>     }
>
>     if ! $dst_user {
>         $dst_user_real = "${src_user_real}"
>     }
>
>     if $home {
>         $key_tgt_file = "${home}/.ssh/authorized_keys"
>     } else {
>         $key_tgt_file = undef
>     }
>     if "${dst_user_real}" == 'root' {
>         case $home {
>             undef   : { $authorized_keys = '/root/.ssh/authorized_keys' }
>             default : { $authorized_keys = "${key_tgt_file}" }
>         }
>     } else {
>         case $home {
>             undef   : { $authorized_keys = "/home/${dst_user_real}/.ssh/authorized_keys" }
>             default : { $authorized_keys = "${key_tgt_file}" }
>         }
>     }
>
>     if ! $key_src_content {
>         notify { "Public key file $key_src_file for key $title not found on keymaster; skipping ensure => present": }
>     } else {
>         if $key_src_content !~ /^(ssh-...) ([^ ]*)/ {
>             err("Can't parse public key file $key_src_file")
>             notify { "Can't parse public key file $key_src_file for key $title on the keymaster: skipping ensure => $ensure": }
>         } else {
>             $keytype = $1
>             $modulus = $2
>             ssh_authorized_key { "SSH keys: ${src_user_real} --> ${dst_user_real}":
>                 ensure  => present,
>                 user    => "${dst_user_real}",
>                 target  => $key_tgt_file,
>                 type    => "${keytype}",
>                 key     => "${modulus}",
>                 name    => "\"src:${src_user_real} --> dst:${dst_user_real}\"",
>                 options => $options,
>                 notify  => [ Exec["Setting \$HOME rights for ${dst_user_real}"], ],
>             }
>
>             exec { "Forcing ${authorized_keys} rights" :
>                 path        => '/bin:/usr/bin:/usr/local/bin',
>                 user        => 'root',
>                 logoutput   => true,
>                 command     => "[ -f \"${authorized_keys}\" ] && chown ${dst_user_real}:${dst_user_real} \"${authorized_keys}\"",
>                 refreshonly => true,
>             }
>
>             Exec["Forcing ${authorized_keys} rights"] -> Ssh_authorized_key["SSH keys: ${src_user_real} --> ${dst_user_real}"]
>         }
>     }
> }
>
> ------------------------------
> When I run this define on my nodes I have the following behavior for
> several users:
> notice:
> /Stage[main]/Base_common_user/User::Ssh::Key[apt-dater]/Ssh_auth_key_server[apt-dater]/Ssh_authorized_key[apt-dater]/ensure:
> created
> info: FileBucket got a duplicate file {md5}8db5d5c65e547d3971d93dfa0ffcea32
> err:
> /Stage[main]/Base_common_user/User::Ssh::Key[apt-dater]/Ssh_auth_key_server[apt-dater]/Ssh_authorized_key[apt-dater]:
> Could not evaluate: Puppet::Util::FileType::FileTypeFlat could not write
> /home/test/.ssh/authorized_keys: Permission denied -
> /home/test/.ssh/authorized_keys
>
>
> Puppet is trying to put the authorized_keys under the wrong ${HOME}:
> root@linux-install:/#  getent passwd apt-dater
> apt-dater:x:9000:9000:Outil de dist-upgrade:/home/apt-dater:/bin/bash
> root@linux-install:/# ls -al /home/apt-dater/.ssh/
> total 12
> drwxr-x--- 2 apt-dater apt-dater 4096 Mar 14 14:25 .
> drwxr-xr-x 3 apt-dater apt-dater 4096 Mar 14 14:25 ..
> -rw-r----- 1 apt-dater apt-dater 1380 Mar 14 14:36 authorized_keys
>
>
> Any idea what could be the problem?
>
>
> Regards,
> JM
>
>
>
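
An added example, not part of the original thread: a Python check that reports which path component's owner, group and mode bits would deny a given uid write access to an `authorized_keys` file, run here over a constructed stat table modelled on the listings above. The uid 1000 for `test` and the `sample_stat` helper are assumptions (9000 for `apt-dater` comes from the `getent` output); ACLs and security modules are ignored.

```python
import os
import stat
from types import SimpleNamespace

def allowed(mode, owner, group, uid, gids, want):
    """Unix mode check: exactly one class applies (owner, else group, else other)."""
    if uid == 0:
        return True  # root is not limited by these mode bits
    shift = 6 if uid == owner else 3 if group in gids else 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return ((mode >> shift) & need) == need

def audit(target, uid, gids, stat_fn=os.stat):
    """Return (path, missing_bits) pairs that stop uid from writing target."""
    target = os.path.abspath(target)
    parent = os.path.dirname(target)
    try:
        stat_fn(target)
        exists = True
    except FileNotFoundError:
        exists = False
    dirs, d = [], parent
    while True:                      # parent plus every ancestor up to /
        dirs.append(d)
        if d == os.path.dirname(d):
            break
        d = os.path.dirname(d)
    # Ancestors need search (x); creating a new file also needs w on the parent.
    checks = [(d, "wx" if d == parent and not exists else "x") for d in reversed(dirs)]
    if exists:
        checks.append((target, "w"))
    problems = []
    for path, want in checks:
        st = stat_fn(path)
        if not allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, want):
            problems.append((path, want))
    return problems

def sample_stat(ssh_mode):
    """Constructed stat table: (mode, uid, gid); test=1000 is an assumed uid."""
    table = {"/": (0o755, 0, 0), "/home": (0o755, 0, 0),
             "/home/test": (0o755, 1000, 1000), "/home/test/.ssh": (ssh_mode, 1000, 0)}
    def fn(path):
        if path not in table:
            raise FileNotFoundError(path)
        m, u, g = table[path]
        return SimpleNamespace(st_mode=m, st_uid=u, st_gid=g)
    return fn

if __name__ == "__main__":
    for uid in (1000, 9000):
        print(uid, audit("/home/test/.ssh/authorized_keys", uid, {uid}, sample_stat(0o700)))
```

On a real node, call `audit(path, uid, gids)` without `stat_fn` to read the live filesystem.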
