Bug #23011
open
“SSH authorized keys” system technique breaks when changed from “audit” to “enforce” mode
Description
If a directive is created in “audit” mode using the “SSH authorized keys” system technique with parameters as in attached screenshot, and after having been ran on the nodes, the directive is later on changed to “enforce” mode, then after being ran on the nodes again, their compliance displays a “bad policy mode” error as in attached screenshot.
Furthermore, if the directive is changed to “audit” mode again, it will display a spurious “The keys for user blah could not be flushed”, where the authorized_keys file do actually have the proper contents (thus should be considered compliant and shouldn't need to be flushed).
Files
| authorized_keys_directive_parameters.png (111 KB) authorized_keys_directive_parameters.png | Directive parameters | ||
| Bad_policy_mode_230705a.png (171 KB) Bad_policy_mode_230705a.png | Error : bad policy mode. | ||
| authorized_keys_could_not_be_flushed.png (128 KB) authorized_keys_could_not_be_flushed.png | “Could not be flushed” error message. | ||
| Bad_policy_mode_230706a.png (166 KB) Bad_policy_mode_230706a.png | Error on freshly added node | ||
| Bad_policy_mode_230706b.png (189 KB) Bad_policy_mode_230706b.png | Same error for directive recreated in enforce mode |
Updated by Michel BOUISSOU 10 months ago
This error also happens on a freshly added node on which the agent had not been previously ran.
See attached screenshot.
Updated by Michel BOUISSOU 10 months ago
- Related to Bug #23027: Grammar correction in error message added
Updated by Michel BOUISSOU 10 months ago
Even stranger : After having deleted the directive, made sure that the deletion propagated ot all nodes, and recreated the technique in “enforce” mode with the same parameters, still getting the same error about an incorrect policy mode for reports.
See screenshot (basically the same as previously)
Updated by Alexis Mousset 10 months ago
- Category changed from System techniques to Techniques
Updated by Michel BOUISSOU 10 months ago
Even even stranger : this appeared to solve itself after I changed another, unrelated directive (sudoers) from audit to enforce mode...
Updated by Vincent MEMBRÉ 10 months ago
- Target version changed from 7.3.4 to 7.3.5
Updated by Alexis Mousset 9 months ago
- Target version changed from 7.3.5 to 7.3.6
Updated by Vincent MEMBRÉ 8 months ago
- Target version changed from 7.3.6 to 7.3.7
Updated by Vincent MEMBRÉ 8 months ago
- Target version changed from 7.3.7 to 7.3.8
Updated by Vincent MEMBRÉ 6 months ago
- Target version changed from 7.3.8 to 7.3.9
Updated by Vincent MEMBRÉ 6 months ago
- Target version changed from 7.3.9 to 7.3.10
Updated by Vincent MEMBRÉ 5 months ago
- Target version changed from 7.3.10 to 7.3.11
Updated by Vincent MEMBRÉ 3 months ago
- Target version changed from 7.3.11 to 7.3.12
Updated by Vincent MEMBRÉ 2 months ago
- Target version changed from 7.3.12 to 7.3.13
Updated by Vincent MEMBRÉ about 2 months ago
- Target version changed from 7.3.13 to 7.3.14
Updated by Vincent MEMBRÉ 9 days ago
- Target version changed from 7.3.14 to 7.3.15