Bug #5561

"sshKeyDistribution" Technique keeps adding the same keys for ever

Added by Florian Heigl about 5 years ago. Updated over 4 years ago.

Status: Released
Priority: 2
Category: Techniques

Description

(...the technique that keeps on giving)

I noticed that my user rule (contains adding user and adding a set of 3 ssh pubkeys) keeps getting "repaired" now.
It worked OK when I only had one key; after I extended it to add two more keys, it keeps adding the last one of them over and over again.

floh@rudderc2:~> sort -u .ssh/authorized_keys | wc -l
1
floh@rudderc2:~> wc -l .ssh/authorized_keys
129 .ssh/authorized_keys
floh@rudderc2:~> sort -u .ssh/authorized_keys | wc -l
1

Screenshot of directives attached.


Related issues

Related to Rudder - Bug #5681: Technique "SSH keys distribution" 2.0 - adding large number of keys breaks the policy generation (Released, 2014-10-22)
Related to Rudder - Bug #5930: sshKeyDistribution creates 0 byte authorized_keys file (Released, 2014-12-05)

Associated revisions

Revision 8eefcd96 (diff)
Added by Matthieu CERDA about 5 years ago

Fixes #5561: Correct SSH key distribution Technique (was non-convergent when adding keys)

Revision 12faa7e9
Added by Matthieu CERDA about 5 years ago

Merge pull request #535 from Kegeruneku/bug_5561/int/5561_correct_ssh_key_distribution

Fixes #5561: Correct SSH key distribution Technique (was non-convergent ...
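
The property the fix restores is convergence: a second run over an already-correct authorized_keys file must change nothing. As an added example (not the Technique's CFEngine code and not the change from pull request #535), this Python function converges a file to a wanted key set by matching on the key blob; `key_blob`, `converge` and the `K1`..`K3` sample lines are names and values constructed for this illustration.

```python
import re

# Key-type token that starts the key part of an authorized_keys line
# (options such as from="..." may precede it).
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+)$")

# Constructed sample lines; the blobs are placeholders, not real keys.
K1 = "ssh-rsa AAAAB3CONSTRUCTEDKEY1 alice@example"
K2 = "ssh-rsa AAAAB3CONSTRUCTEDKEY2 bob@example"
K3 = "ssh-dss AAAAB3CONSTRUCTEDKEY3 carol@example"

def key_blob(line):
    """Return the base64 blob of an authorized_keys line, or None."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if KEY_TYPE.match(tok):
            return tokens[i + 1]
    return None  # comment, blank line or free text

def converge(current, wanted):
    """Return (lines, changed) with every wanted key present exactly once."""
    by_blob = {}
    for w in wanted:
        if key_blob(w) is None:
            raise ValueError(f"not a public key line: {w!r}")
        by_blob[key_blob(w)] = w
    out, seen = [], set()
    for line in current:
        blob = key_blob(line)
        if blob not in by_blob:
            out.append(line)           # unmanaged line: left untouched
        elif blob not in seen:
            seen.add(blob)
            out.append(by_blob[blob])  # same key, wanted spelling (replace)
        # else: repeat of a managed key, dropped
    out += [w for b, w in by_blob.items() if b not in seen]  # append missing
    return out, out != current

if __name__ == "__main__":
    # Shape of the report: 129 lines, one unique, three keys wanted.
    lines, changed = converge([K3] * 129, [K1, K2, K3])
    print(len(lines), changed)
    print(converge(lines, [K1, K2, K3])[1])
```

The `changed` flag is what a configuration agent would report as "repaired"; on a convergent edit it is true at most once per change to the wanted set.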

History

#1

Updated by François ARMAND about 5 years ago

  • Assignee set to Nicolas CHARLES

Nicolas, any idea on that one?

#2

Updated by Matthieu CERDA about 5 years ago

  • Status changed from New to Pending technical review
  • Assignee changed from Nicolas CHARLES to Jonathan CLARKE
  • Target version set to 2.11.4
  • % Done changed from 0 to 100
  • Pull Request set to https://github.com/Normation/rudder-techniques/pull/535

This bug impacts CFEngine 3.6 only, so correcting on 2.11 branch.

PR is ready ! https://github.com/Normation/rudder-techniques/pull/535

#3

Updated by Matthieu CERDA about 5 years ago

  • Status changed from Pending technical review to Pending release

Applied in changeset commit:8eefcd964a06addb4f263741c7105b5d66422986.

#4

Updated by Matthieu CERDA about 5 years ago

Applied in changeset commit:12faa7e9a71c3b8d4db804841d8dc2c0a36e8f9b.

#5

Updated by Fabrice FLORE-THÉBAULT almost 5 years ago

It affects also 2.10.6, see my comments in #5681

#6

Updated by Florian Heigl almost 5 years ago

Fix seems OK, using version 3.0 technique.

Server:
rudder-techniques-2.11.4.rc1.git201410170359-1.SLES.11

Agent version:
rudder-agent-2.11.3.release-1.SLES.11

#7

Updated by Florian Heigl almost 5 years ago

[Comment has been removed as the author requested it, due to confidential information.]

#8

Updated by Florian Heigl almost 5 years ago

Florian Heigl wrote:

I applied the same update (server and agents) on the second lab now, getting coredumps there!

Version seems to not matter, I had it on:
rudder-agent-2.11.2.release-1.SLES.11
and:
rudder-agent-2.11.4.rc1.git201410170359-1.SLES.11

Also tried to see if it goes away if I add another key -> no.

$ cat coredump
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/vars: Evaluating promise 'dim_array'
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/vars: Evaluating promise 'eline'
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/vars: Evaluating promise 'ckey'
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/vars: Evaluating promise 'ekey'
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/insert_lines: Evaluating promise '${keyspec}'
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/insert_lines: Skipping next promise '${keyspec}', as ifvarclass 'REMOVED.' is not relevant
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/replace_patterns: Evaluating promise '^(?!${eline}$)(.*${ekey}.*)$'
2014-10-30T00:05:26+0100 verbose: /default/check_ssh_key_distribution/files/'/home/MY_USER_ID/.ssh/authorized_keys'/default/append_or_replace_ssh_key/replace_patterns/'^(?!ssh\-dss\ KEY REMOVED (.: KEY REMOVED )$'[0]: Comment 'Replace a key here'

MORE KEY STUFF REMOVED HERE.

*** buffer overflow detected ***: cf-agent terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f64e69c6a07]
/lib64/libc.so.6(+0xef6a0)[0x7f64e69c46a0]
cf-agent[0x442e02]
cf-agent[0x443316]
cf-agent[0x4439ae]
cf-agent[0x41f9ec]
cf-agent[0x453b40]
cf-agent[0x41dc84]
cf-agent[0x40bc27]
cf-agent[0x40cacf]
cf-agent[0x431d23]
cf-agent[0x40d274]
cf-agent[0x408c53]
cf-agent[0x453b40]
cf-agent[0x408614]
cf-agent[0x40a712]
/lib64/libc.so.6(__libc_start_main+0xe6)[0x7f64e68f3c16]
cf-agent[0x4081a9]
Aborted (core dumped)

#9

Updated by Florian Heigl almost 5 years ago

Replacing the existing key with random text made it not dump core.
Number of lines also didn't matter.

Content is now like this:

just a test.
just a test.
and another line of testing.
just a test.
and another line of testing.

Source content is:

just a test.
and another line of testing.

Maybe this is only happening because I'm testing with random text now. Coredump is with proper key anyway. :/
No idea.

#10

Updated by Florian Heigl almost 5 years ago

This is apparently triggered by the length of the key.

wc -c .ssh/id_rsa.pub
737 .ssh/id_rsa.pub -> is OK

wc -c .ssh/id_dsa.pub
605 .ssh/id_dsa.pub -> is OK

wc -c .ssh/id_dsa.pub
1119 .ssh/id_dsa.pub -> coredump

seriously? :)

#11

Updated by Nicolas CHARLES almost 5 years ago

OK, I'm able to reproduce the issue; it's the class definition that fails.
The ticket for the Segfault issue is http://www.rudder-project.org/redmine/issues/5681

#12

Updated by Vincent MEMBRÉ almost 5 years ago

  • Subject changed from Remote Access SSH keeps adding same keys to "sshKeyDistribution" Technique keeps adding the same keys

#13

Updated by Vincent MEMBRÉ almost 5 years ago

  • Subject changed from "sshKeyDistribution" Technique keeps adding the same keys to "sshKeyDistribution" Technique keeps adding the same keys for ever

#14

Updated by Vincent MEMBRÉ almost 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.4, which was released today.

#15

Updated by Benoît PECCATTE over 4 years ago

  • Project changed from Techniques to Rudder
  • Category changed from Techniques to Techniques
