Same ssh-rsa key put three times into authorized_keys (kickstart installations on libvirt)

Problem:

Same ssh-rsa key put three times into authorized_keys.
From provisioning template:

  cat << EOF >> ~root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCusDtwkjMR21e/+XiuNJt14TgYGMj7wmGCq5kE1JeSkLHNLehyt6CLNcADBBoGHJaYSQRlllmaxG0xzK+bCWCFFo1zunuHeGqrnKeML0MfPO3bwArErwM1VRAr8KxYUDp4yY5pwMW1tpg90fCMrRcv/i6atjwHtpYeptkutzmXKQMFUeCC87mV6uO5mQ8Xw9PXoFT301sKYtl7EOGl2+6QeHHbAAkilUfLYOZ8GpETdbyKg2b0wy0848uvIRISDCA3Ee60m6qXJjuD70H/FpUVqwN5G9yKxuZId57jxjFts/5FKUEAFm3Gfl6dEBkKSpjYzxKBALKj249WY7rCZ/CH foreman-proxy@katello.kt21c.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCusDtwkjMR21e/+XiuNJt14TgYGMj7wmGCq5kE1JeSkLHNLehyt6CLNcADBBoGHJaYSQRlllmaxG0xzK+bCWCFFo1zunuHeGqrnKeML0MfPO3bwArErwM1VRAr8KxYUDp4yY5pwMW1tpg90fCMrRcv/i6atjwHtpYeptkutzmXKQMFUeCC87mV6uO5mQ8Xw9PXoFT301sKYtl7EOGl2+6QeHHbAAkilUfLYOZ8GpETdbyKg2b0wy0848uvIRISDCA3Ee60m6qXJjuD70H/FpUVqwN5G9yKxuZId57jxjFts/5FKUEAFm3Gfl6dEBkKSpjYzxKBALKj249WY7rCZ/CH foreman-proxy@katello.kt21c.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCusDtwkjMR21e/+XiuNJt14TgYGMj7wmGCq5kE1JeSkLHNLehyt6CLNcADBBoGHJaYSQRlllmaxG0xzK+bCWCFFo1zunuHeGqrnKeML0MfPO3bwArErwM1VRAr8KxYUDp4yY5pwMW1tpg90fCMrRcv/i6atjwHtpYeptkutzmXKQMFUeCC87mV6uO5mQ8Xw9PXoFT301sKYtl7EOGl2+6QeHHbAAkilUfLYOZ8GpETdbyKg2b0wy0848uvIRISDCA3Ee60m6qXJjuD70H/FpUVqwN5G9yKxuZId57jxjFts/5FKUEAFm3Gfl6dEBkKSpjYzxKBALKj249WY7rCZ/CH foreman-proxy@katello.kt21c.net
EOF

Expected outcome:

Same key should be put only once.

Foreman and Proxy versions:

Foreman and foreman-proxy 2.0.0

Foreman and Proxy plugin versions:

don’t know what is meant with this :-/

Distribution and version:

[root@katello foreman]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
[root@katello foreman]#

Other relevant data:

I think I had set up something related to ssh keys already before, and only installed the remote_execution features afterwards (yesterday, I think):

[root@katello foreman]# history | grep remote
517 foreman-installer --enable-foreman-plugin-remote-execution --enable-foreman-proxy-plugin-remote-execution-ssh
743 history | grep remote
[root@katello foreman]#

That key exists (as far as I could find) only exactly once in the filesystem:

[root@katello ssh]# pwd
/var/lib/foreman-proxy/ssh
[root@katello ssh]# ll
total 8
-rw-------. 1 foreman-proxy foreman-proxy 1679 Jun 3 23:52 id_rsa_foreman_proxy
-rw-r--r--. 1 foreman-proxy foreman-proxy 413 Jun 3 23:52 id_rsa_foreman_proxy.pub
[root@katello ssh]# cat id_rsa_foreman_proxy.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCusDtwkjMR21e/+XiuNJt14TgYGMj7wmGCq5kE1JeSkLHNLehyt6CLNcADBBoGHJaYSQRlllmaxG0xzK+bCWCFFo1zunuHeGqrnKeML0MfPO3bwArErwM1VRAr8KxYUDp4yY5pwMW1tpg90fCMrRcv/i6atjwHtpYeptkutzmXKQMFUeCC87mV6uO5mQ8Xw9PXoFT301sKYtl7EOGl2+6QeHHbAAkilUfLYOZ8GpETdbyKg2b0wy0848uvIRISDCA3Ee60m6qXJjuD70H/FpUVqwN5G9yKxuZId57jxjFts/5FKUEAFm3Gfl6dEBkKSpjYzxKBALKj249WY7rCZ/CH foreman-proxy@katello.kt21c.net
[root@katello ssh]#

I darkly remember I might have put that public key string as an array into some parameter field somewhere (host, hostgroup, …) but I don’t find it anywhere. Clicked through all pages.

Administer => Settings all tabs,
Configure => Host Group => all tabs
Configure => Global Parameters => all tabs

Perhaps I did that only for one specific host for testing, but why would it then apply it to all new hosts?

I checked this question: How to update remoteExecution SSH key properly? and where?

Didn’t find any ssh key under Infrastructure => Smart proxy either. Checked this file:

[root@katello ~]# grep key_file  /etc/foreman-proxy/settings.d/remote_execution_ssh.yml
:ssh_identity_key_file: /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy
[root@katello ~]# 

which points to the place above.

To be clear, this is not a big thing, and not meant as “Katello should handle this better”.

I found the place in the template where it just joins all elements of the parameter together; building in there some “check for duplicates” logic would clutter it and make it unreadable.

The question is more, from which places does it take the three instances, and/or, i.e., where would I need to fix some setting/content/parameters to prevent this happening. I don’t know katello well enough to find it.

(Admittedly, the logic that merges values coming from global, host group, host specific, and what else, that could perhaps be improved to avoid duplicates [in contrast to the rendering in the template], but probably doing so could also have strange side effects… and making it “optional” or “only for ssh keys and some others but not all”, again, might be more clutter than it’s worth).

Hey guys! Any news on this one?

Recently we ran into exactly the same issue. I was not able to find any duplicates either.

foreman-1.24.1.32-1.el7sat.noarch

Never mind, I’ve got the answer! It’s resolved by Bug #30762: foreman-proxy ssh key is copied 3 times to the provisioned machine in /root/.ssh/authorized_keys - Foreman Remote Execution - Foreman
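
A cleanup for hosts that already carry the repeated entry, as an added example that is not part of the thread or of Foreman: it removes repeated authorized_keys entries outside the template, so the template's join logic stays uncluttered as the original post wanted. The function names and the sample keys are constructed for illustration; entries with different options are deliberately kept apart, because dropping one would change which restrictions sshd applies.

```shell
#!/bin/sh
# Added example (not Foreman code). Entries count as duplicates when options,
# key type and base64 blob all match; only the trailing comment is ignored.
KEYTYPES='^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh[.]com)$'

# unique_keys FILE: print FILE with repeated entries dropped (first one kept).
unique_keys() {
    awk -v types="$KEYTYPES" '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }  # keep comments and blank lines
    {
        id = ""; hit = 0
        for (i = 1; i < NF; i++) {            # walk options up to the key type
            id = id " " $i
            if ($i ~ types) { id = id " " $(i + 1); hit = 1; break }
        }
        if (!hit) { print; next }             # not parseable: leave untouched
        if (!(id in seen)) { seen[id] = 1; print }
    }' "$1"
}

# duplicate_count FILE: number of entries unique_keys would drop.
duplicate_count() {
    total=$(awk 'END { print NR }' "$1")
    kept=$(unique_keys "$1" | awk 'END { print NR }')
    echo $((total - kept))
}

# dedupe_in_place FILE: rewrite FILE only when duplicates exist. The result is
# copied back with cat so the owner, mode and SELinux label of FILE are kept.
dedupe_in_place() {
    [ "$(duplicate_count "$1")" -gt 0 ] || return 0
    tmp=$(mktemp "$1.XXXXXX") || return 1
    unique_keys "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# write_sample FILE: constructed input; the blobs are placeholders, not real keys.
write_sample() {
    cat > "$1" << 'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2ESAMPLEONE foreman-proxy@proxy.example.com
ssh-rsa AAAAB3NzaC1yc2ESAMPLEONE foreman-proxy@proxy.example.com
ssh-rsa AAAAB3NzaC1yc2ESAMPLEONE same-key-other-comment
from="192.0.2.10" ssh-rsa AAAAB3NzaC1yc2ESAMPLEONE restricted-entry
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5SAMPLETWO admin@example.com
EOF
}
```

Running `duplicate_count` first gives a read-only audit; `dedupe_in_place` changes the file only when that count is above zero.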