Bug #2944
closed
sshKeyDistribution technique does not work with network users
Description
The sshKeyDistribution technique makes two assumptions that prevent it from working with network users (e.g. from LDAP, NIS, AD, etc.):
- assumes user info is in /etc/passwd
- assumes user's primary group is named after the username
The attached patch changes it to obtain user information from `getent passwd` and to use primary group GID when assigning ownership.
The patch is in format for `git am`, but if you prefer a plain diff let me know.
Files
Updated by Nicolas PERRON over 11 years ago
- Assignee set to Nicolas PERRON
- Target version changed from 2.4.0~rc1 to 2.3.9
Great ! We will see to test and add it as soon as possible to Rudder !
You're right, the method used for this Technique only use /etc/passwd, then network users aren't take into account.
Thanks again for the patch, Michael. Your help is greatly appreciated :)
Updated by Nicolas PERRON over 11 years ago
In the patch, you used parseintarray function but i'm not sure to understand. Why the regex contains "#" ?
Updated by Michael Gliwinski over 11 years ago
Nicolas PERRON wrote:
In the patch, you used parseintarray function but i'm not sure to understand. Why the regex contains "#" ?
Hi, sorry for the delay and thanks for review!
Ah, yes, this is the comment regex parameter to parsestringarray. The output of getent does not contain any comments, but it was not clear to me from function description in CFE reference if this can be left blank, so I copied the regex used in examples. Now that I think about it, this probably isn't right because the gecos field could in fact contain a #.
Any ideas if comment regex param for parsestringarray can be blank? If not I'll try to come up with a regex that will never match and run some tests.
Updated by Nicolas CHARLES over 11 years ago
From the reference manual, it can be left blank :
https://cfengine.com/manuals/cf3-Reference#Function-readstringarray
Another solution might be to anchor the regexp with a ^ (the regexp in parsestringarray is not anchored)
Updated by Michael Gliwinski over 11 years ago
Nicolas CHARLES wrote:
From the reference manual, it can be left blank :
https://cfengine.com/manuals/cf3-Reference#Function-readstringarrayAnother solution might be to anchor the regexp with a ^ (the regexp in parsestringarray is not anchored)
Indeed, should have checked documentation for readstringarray too :P
OK I will test this and re-submit the patch. Thanks!
Updated by Michael Gliwinski over 11 years ago
- File 0001-Fixed-sshKeyDistribution-technique-to-make-it-work-with-network-users.patch 0001-Fixed-sshKeyDistribution-technique-to-make-it-work-with-network-users.patch added
Michael Gliwinski wrote:
OK I will test this and re-submit the patch. Thanks!
Sorry for delay, tested passing empty string as comment regex to parsestringarray and it works OK, attaching updated patch.
BTW, I've noticed you changed target version to 2.3.9, the patch is against 2.4 branch, should I re-send one against 2.3 branch?
Updated by Nicolas CHARLES over 11 years ago
Michael Gliwinski wrote:
Michael Gliwinski wrote:
OK I will test this and re-submit the patch. Thanks!
Sorry for delay, tested passing empty string as comment regex to
parsestringarrayand it works OK, attaching updated patch.BTW, I've noticed you changed target version to 2.3.9, the patch is against 2.4 branch, should I re-send one against 2.3 branch?
Hi Michael,
Sorry for the dealy in the answer. Since the bug also exists in the 2.3 version, we have to correct this bug it in the 2.3 branch, hence the change of target version.
If you could do the patch for the 2.3, it would be awesome, but I understand that you probably have something else to do rather than patching older version of Rudder. So if you want to, yes, with pleasure, otherwise we can do it ourself (I think there mustn't be much difference between both versions)
Updated by Michael Gliwinski over 11 years ago
- Status changed from New to Pending technical review
- % Done changed from 0 to 100
Applied in changeset commit:3ec03f6dd5e6a48ceab883ab2fbe3bf20a5c197e.
Updated by Nicolas CHARLES over 11 years ago
- Status changed from Pending technical review to Released
Michael, I applied your patch on the 2.3 branch, and I must admit I'm highly impressed by the quality of the patch !