Fixes #7254: Ssh key distribution cannot distibute several keys on on…

…e user

techniques/systemSettings/remoteAccess/sshKeyDistribution/2.0/sshKeyDistribution.st

@@ -138,10 +138,12 @@ bundle edit_line append_or_replace_ssh_key(keyspec, index)
         comment     => "An escaped version of the keyspec - \Q..\E do not escape everything",
         string      => escape("${keyspec}");
     key_parsed::
-      "ckey" string => canonify("${keybits[3]}");
-      "ekey" string => escape("${keybits[3]}");
+      "key" string => escape("${keybits[3]}");
 
   classes:
+    "key_defined"
+      expression => "key_parsed";
+
     "key_parsed" 
       # If the key hash happens to exceed 1000 chars $keybits[3] is going to be undefined because 
       # of some weird cfengine bugs, probably this one: https://cfengine.com/dev/issues/1258
@@ -150,7 +152,7 @@ bundle edit_line append_or_replace_ssh_key(keyspec, index)
       # The hashes of that length apparently correspond to DSS 2048 bits keys, generated i.e. on rhel 4,
       # with openssh v3.9p1-redhat. I believe that since openssh v4 DSS bitlengh is limited to 1024,
       # as required by FIPS.
-      expression    => regextract("(.*\s+)?(ssh-rsa|ssh-dss)\s+(\S{1,1000})\S*(\s+.+)?\Z", "${keyspec}", "keybits" );
+      expression    => regextract("(.*\s+)?(ssh-rsa|ssh-dss)\s+(\S{1,1000})\S*(\s.*)?$", "${keyspec}", "keybits" );
 
   insert_lines:
     "${keyspec}"
@@ -160,9 +162,9 @@ bundle edit_line append_or_replace_ssh_key(keyspec, index)
       ifvarclass    => canonify("ssh_key_distribution_replace_step_attempted_${index}");
 
   replace_patterns:
-    "^(?!${eline}$)(.*${ekey}.*)$"
+    "^(?!${eline}$)(.*${key}.*)$"
       comment       => "Replace a key here",
       replace_with  => value("${keyspec}"),
-      ifvarclass    => "key_parsed",
+      ifvarclass    => "key_defined",
       classes       => always("ssh_key_distribution_replace_step_attempted_${index}");
 }

techniques/systemSettings/remoteAccess/sshKeyDistribution/3.0/sshKeyDistribution.st

@@ -138,10 +138,12 @@ bundle edit_line append_or_replace_ssh_key(keyspec, index)
         comment     => "An escaped version of the keyspec - \Q..\E do not escape everything",
         string      => escape("${keyspec}");
     key_parsed::
-      "ckey" string => canonify("${keybits[3]}");
-      "ekey" string => escape("${keybits[3]}");
+      "key" string => escape("${keybits[3]}");
 
   classes:
+    "key_defined"
+      expression => "key_parsed";
+
     "key_parsed" 
       # If the key hash happens to exceed 1000 chars $keybits[3] is going to be undefined because 
       # of some weird cfengine bugs, probably this one: https://cfengine.com/dev/issues/1258
@@ -150,7 +152,7 @@ bundle edit_line append_or_replace_ssh_key(keyspec, index)
       # The hashes of that length apparently correspond to DSS 2048 bits keys, generated i.e. on rhel 4,
       # with openssh v3.9p1-redhat. I believe that since openssh v4 DSS bitlengh is limited to 1024,
       # as required by FIPS.
-      expression    => regextract("(.*\s+)?(ssh-rsa|ssh-dss)\s+(\S{1,1000})\S*(\s+.+)?\Z", "${keyspec}", "keybits" );
+      expression    => regextract("(.*\s+)?(ssh-rsa|ssh-dss)\s+(\S{1,1000})\S*(\s.*)?$", "${keyspec}", "keybits" );
 
   insert_lines:
     "${keyspec}"
@@ -160,9 +162,9 @@ bundle edit_line append_or_replace_ssh_key(keyspec, index)
       ifvarclass    => canonify("ssh_key_distribution_replace_step_attempted_${index}");
 
   replace_patterns:
-    "^(?!${eline}$)(.*${ekey}.*)$"
+    "^(?!${eline}$)(.*${key}.*)$"
       comment       => "Replace a key here",
       replace_with  => value("${keyspec}"),
-      ifvarclass    => "key_parsed",
+      ifvarclass    => "key_defined",
       classes       => always("ssh_key_distribution_replace_step_attempted_${index}");
 }