This repository has been archived by the owner on Oct 30, 2018. It is now read-only.

"authorized_key" re-orders the keys and comments in the pre-existing authorized_keys file #4780

Closed
gerhard-tinned opened this issue Sep 10, 2016 · 12 comments · Fixed by #5339

Comments

@gerhard-tinned

ISSUE TYPE
  • Bug Report
COMPONENT NAME

system/authorized_key

ANSIBLE VERSION
ansible 2.1.1.0
CONFIGURATION
OS / ENVIRONMENT

Managing from: LinuxMint
Managing: CentOS 6

SUMMARY

authorized_key is re-ordering the lines in a pre-existing authorized_keys file. This causes comments and the related lines to be re-ordered.

STEPS TO REPRODUCE

The managed host (B) should have an authorized_keys file containing multiple keys and comments. Example could look like this:

# The following is allice's key
ssh-rsa <key content-removed> ssh-key-comment-allice
# The following is bob's key
ssh-rsa <key content-removed> ssh-key-comment-bob
# The following is eve's key
ssh-rsa <key content-removed> ssh-key-comment-eve

After adding a key from another host (A) to the host (B) using the "authorized_key" task below, the pre-existing authorized_keys file as shown above is completely reordered.


---
- name: Generate ssh key on host (A)
  user: name=root generate_ssh_key=yes ssh_key_bits=4096 ssh_key_file=.ssh/id_rsa ssh_key_type=rsa

- name: Download generated ssh key from host (A)
  fetch: src=/root/.ssh/id_rsa.pub dest=/tmp/ansible/{{ ansible_hostname }}_id_rsa.pub 
         flat=yes validate_checksum=yes

- name: Upload/install the ssh-key from host (A) to host (B)
  authorized_key: user=root state=present 
      key="{{ lookup('file', '/tmp/ansible/{{ ansible_hostname }}_id_rsa.pub') }}"
  delegate_to: "{{ host_B }}"

EXPECTED RESULTS

# The following is allice's key
ssh-rsa <key content-removed> ssh-key-comment-allice
# The following is bob's key
ssh-rsa <key content-removed> ssh-key-comment-bob
# The following is eve's key
ssh-rsa <key content-removed> ssh-key-comment-eve
ssh-rsa <key content-removed> ssh-key-comment-joe

As shown in the example, it would be expected to see the added key (in the example "joe") at the end of the file keeping the pre-existing lines unchanged.

ACTUAL RESULTS

The result of the reordering might look like this, containing the added key for "joe". The exact reason and ordering are not known at this point; as such, the following example is just an example.

# The following is allice's key
ssh-rsa <key content-removed> ssh-key-comment-eve
# The following is eve's key
ssh-rsa <key content-removed> ssh-key-comment-joe
# The following is bob's key
ssh-rsa <key content-removed> ssh-key-comment-allice
ssh-rsa <key content-removed> ssh-key-comment-bob

gerhard-tinned changed the title from '"authorized_key" rearranges the keys and comments in the pre-existing authorized_keys file' to '"authorized_key" re-orders the keys and comments in the pre-existing authorized_keys file' on Sep 10, 2016
@ansibot

ansibot commented Sep 12, 2016

@ansible ping, this issue is waiting for your response.

@gerhard-tinned
Author

bot_broke

What Information is missing? I provided all I know and also all the fields required according to the bot help.

@jctanner
Contributor

The bot would mark the issue needs info if it were waiting on you. In this case the ball is in ansible's court and the bot is pinging the whole org to respond

Sent from my iPhone

On Sep 13, 2016, at 7:15 AM, Gerhard notifications@github.com wrote:

bot_broke

What Information is missing? I provided all I know and also all the fields required according to the bot help.



@gerhard-tinned
Author

Is this the wrong place for this ticket? Is this a dead project? What is the expected time until someone is at least responding? Other tickets have been waiting for more than a month....

@ansibot

ansibot commented Sep 28, 2016

@ansible, ping. This issue is still waiting on your response.

@ansibot

ansibot commented Oct 14, 2016

@ansible, ping. This issue is still waiting on your response.

@gerhard-tinned
Author

I am waiting too !!!

@abadger
Contributor

abadger commented Oct 20, 2016

As a workaround you should be able to use lineinfile instead of authorized_keys... The present authorized_keys code treats the file something like a database of records and so it doesn't preserve order. I'll take a look to see if there's an easy way to enhance it or not.

alikins added a commit to alikins/ansible-modules-core that referenced this issue Oct 20, 2016
Track the ordering of keys in the original file (rank)
and try to preserve it when writing out updates.

Fixes ansible#4780
@alikins
Contributor

alikins commented Oct 20, 2016

As shown in the example, it would be expected to see the added key (in the example "joe") at the end of the file keeping the pre-existing lines unchanged.

In the current pr (#5339), it does that afaict.

However, it ignores comments in the 'key' argument passed to the module. Since the existing module can get a newline-separated string with multiple key lines in it, the module just ignores comment lines in the new key info. That seems reasonable, but I am not sure what expectations are.

ie,
existing

# I like candy
ssh-rsa somekeydata somekeyalias
# It is a very pleasant temperature outside today.
ssh-rsa otherkeydata otherkeyalias

and new key

# I don't like candy
ssh-rsa otherkeydata otherkeyalias
# It is cold.
ssh-rsa somekeydata somekeyalias

# The end of file is nigh.

I have no idea what the resulting file should look like, aside from having the two keys in the new ordering in it.

So the module just ignores the incoming comments. I am okay with that.
(Need to add a test to verify).
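
An added illustration of the behaviour discussed in this thread (not the authorized_key module's code and not part of anyone's comment): existing lines, comments included, keep their positions, new keys are appended at the end, and comment lines in the incoming key text are ignored. The key-line parsing is simplified, and the function names and key blobs are constructed for the example.

```python
# Added example, not the ansible module's code. Parsing is simplified:
# the key type must appear as its own whitespace-separated field.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def key_blob(line):
    """Return the base64 key field of a key line, or None for other lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None  # blank line or comment
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            return fields[i + 1]
    return None  # unrecognised line: left untouched by the merge


def merge_authorized_keys(existing_text, new_keys_text):
    """Merge new key lines into existing file text without reordering it."""
    lines = existing_text.splitlines()
    position = {}  # key blob -> index of its line in the existing file
    for idx, line in enumerate(lines):
        blob = key_blob(line)
        if blob is not None:
            position[blob] = idx
    for line in new_keys_text.splitlines():
        blob = key_blob(line)
        if blob is None:
            continue  # incoming comments and blank lines are ignored
        if blob in position:
            # Known key: stays where it is; options/comment may be updated.
            lines[position[blob]] = line.strip()
        else:
            position[blob] = len(lines)
            lines.append(line.strip())  # unknown key: appended at the end
    return "\n".join(lines) + "\n"


# Constructed sample data (placeholder key blobs, not real keys).
EXISTING = ("# The following is alice's key\n"
            "ssh-rsa AAAAkeyA ssh-key-comment-alice\n"
            "# The following is bob's key\n"
            "ssh-rsa AAAAkeyB ssh-key-comment-bob\n")
NEW = ("# It is cold.\n"
       "ssh-rsa AAAAkeyJ ssh-key-comment-joe\n"
       "ssh-rsa AAAAkeyA ssh-key-comment-alice\n")

if __name__ == "__main__":
    print(merge_authorized_keys(EXISTING, NEW), end="")
```
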

alikins added a commit that referenced this issue Oct 21, 2016
* Make authorized_key preserve key order

Track the ordering of keys in the original file (rank)
and try to preserve it when writing out updates.

Fixes #4780
@gerhard-tinned
Author

OK, I don't really get it. Is it fixed with this commit?

Can you tell me in which version or maybe even when it will be available?

@alikins
Contributor

alikins commented Oct 24, 2016

It's merged to devel/ branch (the future 2.3) currently. It is not currently backported to stable-2.2/ (the future 2.2 release).

Is the buggy reordering in 2.1 breaking things? Is it generating invalid authorized_keys files?

karmab pushed a commit to karmab/ansible-modules-core that referenced this issue Oct 24, 2016
* Make authorized_key preserve key order

Track the ordering of keys in the original file (rank)
and try to preserve it when writing out updates.

Fixes ansible#4780
@gerhard-tinned
Author

It is not technically generating invalid files. Logically it is creating invalid files as the comments do not appear where they should. As the comments are not technically used for anything from ssh daemon, they are, strictly technically speaking, working.

The fact that comments stay in exactly the line they were before but the keys are reordered causes keys and comments not to match up anymore. This causes chaos which can only manually be solved - depending on the amount of keys - with a lot of manual work.

bdowling pushed a commit to bdowling/ansible-modules-core that referenced this issue Oct 28, 2016
* Make authorized_key preserve key order

Track the ordering of keys in the original file (rank)
and try to preserve it when writing out updates.

Fixes ansible#4780
alikins added a commit to ansible/ansible that referenced this issue Nov 29, 2016
alikins added a commit to alikins/ansible-modules-core that referenced this issue Dec 13, 2016
Track the ordering of keys in the original file (rank)
and try to preserve it when writing out updates.

Fixes ansible#4780