Add an enforce option to the ssh_auth state #13340

Open
ryan-lane opened this Issue Jun 9, 2014 · 13 comments

@ryan-lane
Contributor

ryan-lane commented Jun 9, 2014

ssh_auth should be able to completely ensure the state of an authorized_keys file as well as adding and removing individual keys. It would be nice to have an enforce option (that defaults to false) that would fully manage an authorized_keys file.

I know it's possible to use file.managed for this, but then it's necessary to know the user's home directory, which may not be default.

@basepi

Member

basepi commented Jun 9, 2014

Thanks for the request, this would definitely be useful.

@basepi basepi added this to the Approved milestone Jun 9, 2014

@viq

Contributor

viq commented Jun 26, 2014

Ah, just what I was thinking about.

@ryan-lane

Contributor

ryan-lane commented Nov 4, 2014

Lack of this option makes this state relatively insecure to use. I doubt many people ensure that keys they need to remove are in a separate absent state, especially since most people loop over users from pillars. I bet lots of people are just leaving keys on systems when they think they're rotating them.

@ryan-lane

Contributor

ryan-lane commented Nov 4, 2014

I realize this is how basically every config management system implements this. This has always perplexed me.

@basepi

Member

basepi commented Nov 4, 2014

As a workaround for now, you could just use a file.managed state. You could even template the file with a Jinja for loop to populate it with all the keys out of pillar.
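The file.managed workaround described above, written out as an added example that is not part of this thread or of the Salt project's own code. It assumes a pillar key `ssh_users` mapping usernames to lists of public-key lines (an assumed layout), and it resolves each user's home directory through Salt's `user.info` execution module rather than assuming a default location.

```yaml
{# Added example (not from the Salt project): fully manage authorized_keys
   from pillar. Assumed pillar layout:
   ssh_users:
     alice:
       - ssh-ed25519 AAAA... alice@laptop
       - ssh-rsa AAAA... alice@backup
#}
{% for username, keys in salt['pillar.get']('ssh_users', {}).items() %}
{# user.info returns {} for a missing account, so .get('home') is None
   and the user is skipped instead of producing a bogus path #}
{% set home = salt['user.info'](username).get('home') %}
{% if home %}

{{ home }}/.ssh:
  file.directory:
    - user: {{ username }}
    - mode: 700

{# file.managed rewrites the whole file, so any key that is no longer in
   pillar is removed on the next highstate: this is the "enforce" behaviour
   the issue asks for, without listing stale keys in a separate absent state #}
{{ home }}/.ssh/authorized_keys:
  file.managed:
    - user: {{ username }}
    - mode: 600
    - require:
      - file: {{ home }}/.ssh
    - contents: |
        {{ keys | join('\n') | indent(8) }}
{% endif %}
{% endfor %}
```

Applying the state with `test=True` first shows, per user, which key lines would be dropped, which is a useful check that a rotation really removed the old key.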

@ryan-lane

Contributor

ryan-lane commented Nov 4, 2014

Yeah, that's what I'm doing. It's just annoying that the built-in functionality for this is bad by default.

@basepi

Member

basepi commented Nov 4, 2014

Yep, it's on the list of things we definitely want to implement, we just haven't had time yet.

@baconz

Contributor

baconz commented Jul 14, 2015

bump

@hkbakke

hkbakke commented Mar 23, 2017

Is there any progress on this? In my opinion the lack of something like this makes ssh_auth almost useless for anything but the simplest use case.

@stale

stale bot commented Sep 24, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

@stale stale bot added the stale label Sep 24, 2018

@jleroy

Contributor

jleroy commented Sep 24, 2018

Just a bump to keep the issue open.

@stale

stale bot commented Sep 24, 2018

Thank you for updating this issue. It is no longer marked as stale.

@stale stale bot removed the stale label Sep 24, 2018

@basepi

Member

basepi commented Sep 24, 2018

@gtmanfred A ping to keep this on employee radars.