Unexpected public key in new hosts authorized_keys file

Problem:

I’m doing some testing with deploying an authorized keys file to get familiar with remote execution.

I’ve learned you can deploy a public key using the remote_execution_ssh_keys host parameter.

And while, yes, my key has been populated in the new hosts’ authorized_keys file, there is, however, another key in the file as well, and I have no idea where it is coming from.

If I remove

 <%= snippet 'remote_execution_ssh_keys' %>

from all applicable templates, then no authorized_keys file is created at all, so I know Foreman is putting both keys there as a result of the snippet. I just have no idea where the key came from?

If I build multiple hosts the 2nd key is always the same so I know it’s not randomly generated.

Out of ideas, I kicked off a find / -type f -exec grep -H "keycontent" {} \; in hopes of finding the file, but so far my search is coming up with nothing, though it is still running.

Where is this 2nd key coming from?

Expected outcome:

I did not expect to find a second key in the /root/.ssh/authorized_keys file when I’m only listing 1 in my remote_execution_ssh_keys host param

Foreman and Proxy versions:

foreman-3.0.0-1.el8.noarch
katello-4.2.0.rc1-1.el8.noarch

Foreman and Proxy plugin versions:

Distribution and version:

CentOS 8

Other relevant data:

Do you happen to have 2 Smart Proxies with the REX feature?

No, it’s just a single foreman server.

The extra key is the one that was originally created when I ran
foreman-installer --enable-foreman-proxy-plugin-remote-execution-ssh

After running this a key pair was created here:
/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy
/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub

I overwrote this key pair thinking that was all I need to do.

Clearly the old key is being stored somewhere.

How do I remove the old key?
Is there a better way of rotating the keys?

Did you refresh features on the smart proxy after changing the key?


@aruzicka Yeah that rotated the public key, contrary to what this pop-up told me.

[Image: nochanges]

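An added example, not part of the thread and not Foreman code: one way to spot a stale key like the one discussed above is to compare the fingerprints of the entries in a deployed authorized_keys file against the public keys you expect (the host parameter key and the proxy's current public key). All function names and the sample keys are constructed for illustration.

```python
import base64, hashlib, re, struct

# key type, base64 blob, optional comment; an options prefix may precede the type
KEY_RE = re.compile(
    r'\b(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-[\w-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (fingerprint, comment) for each key line; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m:
            yield fingerprint(m.group(2)), m.group(3) or ""

def unexpected_keys(authorized_keys_text, expected_pub_texts):
    """Return deployed keys whose fingerprint matches none of the expected keys."""
    expected = {fp for t in expected_pub_texts for fp, _ in parse_keys(t)}
    return [(fp, c) for fp, c in parse_keys(authorized_keys_text) if fp not in expected]

def constructed_key(seed, comment):
    """Build a constructed ssh-ed25519 line (sample data, not a real key)."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519" +
            struct.pack(">I", 32) + hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment

# Constructed sample data: same comment on old and new proxy key, different key material
HOST_PARAM_KEY = constructed_key(b"admin", "admin@workstation")
OLD_PROXY_KEY = constructed_key(b"old", "foreman-proxy@foreman.example.com")
NEW_PROXY_KEY = constructed_key(b"new", "foreman-proxy@foreman.example.com")
DEPLOYED = "\n".join(["# constructed authorized_keys", HOST_PARAM_KEY,
                      'from="192.0.2.10" ' + OLD_PROXY_KEY])

if __name__ == "__main__":
    for fp, comment in unexpected_keys(DEPLOYED, [HOST_PARAM_KEY, NEW_PROXY_KEY]):
        print("unexpected:", fp, comment)
```

On a real system the inputs would be the contents of /root/.ssh/authorized_keys on the host and the expected public key files, such as /usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy.pub on the proxy. Matching on fingerprint rather than comment matters here because a regenerated key pair can carry the same comment as the one it replaced.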