FAQ
When I apply an sshkey resource I do obtain the /etc/ssh/ssh_known_hosts
file, but it is not world readable.

According to the ssh man page,

/etc/ssh/ssh_known_hosts
Systemwide list of known host keys. This file should be
prepared by the system administrator to contain the public host keys of all
machines in the organization. It should be world-readable. See sshd(8)
for further details of the format of this file.
Is there any specific reason why, when Puppet generates it, it is only user
(root) readable and writable? Security maybe?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/N-gOMHACQlQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

  • Stefan Schulte at Dec 2, 2012 at 11:28 pm

    On Sat, Dec 01, 2012 at 09:58:43AM -0800, Yanis Guenane wrote:
    > When I apply an sshkey resource I do obtain the /etc/ssh/ssh_known_hosts
    > file, but it is not world readable.
    >
    > According to the ssh man page,
    >
    > /etc/ssh/ssh_known_hosts
    > Systemwide list of known host keys. This file should be
    > prepared by the system administrator to contain the public host keys of all
    > machines in the organization. It should be world-readable. See sshd(8)
    > for further details of the format of this file.
    >
    > Is there any specific reason why, when Puppet generates it, it is only user
    > (root) readable and writable? Security maybe?

    No, it is a bug http://projects.puppetlabs.com/issues/2014 that happens
    when the file was not present before and the sshkey provider needs to
    create it first.

    You can use a file resource to actually set the correct permissions,
    like

    file { '/etc/ssh/ssh_known_hosts':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
    }

    Now the owner/group/mode are controlled with your file resource while
    the actual content is controlled by your sshkey resources.

    -Stefan

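    Putting the two resources together, as an added example (my code, not code from the thread or from Puppet's own documentation): the hostname, aliases and key value are constructed placeholders, and the require ordering is my assumption so that the file resource creates the file with the right mode before the sshkey provider writes into it.

    ```puppet
    # Added example, not from the thread. The file resource owns the
    # metadata (owner/group/mode); the sshkey resource owns the content.
    # Hostname, aliases and the key value below are constructed placeholders.

    file { '/etc/ssh/ssh_known_hosts':
      ensure => file,
      owner  => 'root',
      group  => 'root',
      # world-readable, as ssh(1) asks: non-root users can only verify host
      # keys against this file if they can read it
      mode   => '0644',
    }

    sshkey { 'bastion.example.com':
      ensure       => present,
      type         => 'ssh-ed25519',
      key          => 'AAAAC3NzaC1lZDI1NTE5AAAAI<PLACEHOLDER-PUBLIC-KEY>',
      host_aliases => ['bastion', '192.0.2.10'],
      # assumption: ordering the file resource first means the file already
      # exists with mode 0644 when the provider appends the entry, so the
      # provider never has to create it itself
      require      => File['/etc/ssh/ssh_known_hosts'],
    }
    ```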
  • Yanis Guenane at Dec 3, 2012 at 6:57 am
    Thank you for your answer and the link to the current issue.

    The solution you offered is what I am currently doing.

    Thanks again.
