GoogleCloudPlatform / guest-agent


Bug determining expired keys in accountsMgr.diff()

nickkortman opened this issue

This block uses getUserKeys to determine if there are any keys that have expired since the last iteration. However, the keys in sshKeys are not of the format that getUserKeys expects (no "user:" prefix), so they always hit this block, which means that getUserKeys returns an empty list, and diff always returns true.
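To make the failure mode concrete, here is a small Go reconstruction added for this issue; it is not the guest agent's code, and every name in it (`userKey`, `getUserKeys`, `diff`, `run`) is a hypothetical stand-in for the contract the report describes. `getUserKeys` accepts only `user:<ssh key>` entries and logs the "unrecognized format" line for anything else. `diff` is run twice over the same unchanged key set: once passing bare keys (the bug), so every entry is rejected, the previous-key list comes back empty, every current key looks new, and `diff` reports a change on every pass; and once with the `user:` prefix added, where it correctly reports no change and logs nothing.

```go
package main

import (
	"fmt"
	"strings"
)

// userKey is one parsed metadata entry. This type, and every function below,
// is a simplified illustration written for this issue, not guest-agent code.
type userKey struct {
	user, key string
}

// getUserKeys accepts only "user:<ssh key>" entries, logging and skipping
// anything else. It stands in for the contract described in the issue.
func getUserKeys(entries []string, logf func(string, ...interface{})) []userKey {
	var out []userKey
	for _, e := range entries {
		parts := strings.SplitN(e, ":", 2)
		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
			logf("Invalid ssh key entry - unrecognized format: %s", e)
			continue
		}
		out = append(out, userKey{user: parts[0], key: parts[1]})
	}
	return out
}

// diff reports whether the per-user key set changed since the last iteration.
// prefixKeys=false reproduces the bug: the previous keys reach getUserKeys
// without the "user:" prefix, so all of them are rejected and the comparison
// is made against an empty set. prefixKeys=true formats them as expected.
func diff(prev, cur map[string][]string, prefixKeys bool, logf func(string, ...interface{})) bool {
	var entries []string
	for user, keys := range prev {
		for _, k := range keys {
			if prefixKeys {
				entries = append(entries, user+":"+k)
			} else {
				entries = append(entries, k) // the bug: bare key, no "user:" prefix
			}
		}
	}
	prevSet := map[userKey]bool{}
	for _, uk := range getUserKeys(entries, logf) {
		prevSet[uk] = true
	}
	curSet := map[userKey]bool{}
	for user, keys := range cur {
		for _, k := range keys {
			curSet[userKey{user: user, key: k}] = true
		}
	}
	if len(prevSet) != len(curSet) {
		return true // a key expired or was added
	}
	for uk := range curSet {
		if !prevSet[uk] {
			return true
		}
	}
	return false
}

// run executes diff against a constructed key set and returns the verdict
// plus the number of "unrecognized format" lines that were logged.
// addKey=true adds one key to the current set so a real change is visible.
func run(prefixKeys, addKey bool) (changed bool, invalidLogs int) {
	prev := map[string][]string{ // constructed sample keys, not real ones
		"alice": {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyA alice@laptop"},
		"bob":   {"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfakeKeyB bob@desktop"},
	}
	cur := map[string][]string{}
	for u, ks := range prev {
		cur[u] = append([]string(nil), ks...)
	}
	if addKey {
		cur["bob"] = append(cur["bob"], "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyC bob@phone")
	}
	logf := func(format string, args ...interface{}) {
		invalidLogs++
		msg := fmt.Sprintf(format, args...)
		fmt.Println(msg)
	}
	changed = diff(prev, cur, prefixKeys, logf)
	return changed, invalidLogs
}

func main() {
	for _, prefix := range []bool{false, true} {
		changed, n := run(prefix, false)
		fmt.Printf("prefix=%v, unchanged key set: diff=%v, invalid-format log lines=%d\n", prefix, changed, n)
	}
}
```

The unprefixed run is what produces both symptoms from the thread at once: the per-key "unrecognized format" log line and a `diff` that returns true although nothing changed, so keys are rewritten every iteration.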

Thanks for catching this, Nick. You're right, we're unnecessarily reconciling users' ssh keys every minute. Luckily, this is the good kind of failure mode, compared to not refreshing them :)

We are considering replacing this logic with an SSH authorized keys command, as we do with OS Login. We will either fix this bug or make that transition. Will leave this issue open for tracking or any discussion.

Hi, can we have this fixed? It's causing confusing log spam for me:

2022-07-17 19:20:28.202 PDT non_windows_accounts.go:199] Invalid ssh key entry - unrecognized format: ssh-rsa ...

Without context, this message suggests that the guest agent might not be updating SSH keys properly, which is alarming. It looks like this bug was introduced in #142? @gaohannk Any thoughts about this?

Thanks!

That message does suggest your agent is not updating keys properly. I don't believe it is related to this issue.

@hopkiw I think the message is directly caused by this bug. It’s a consequence of diff() calling getUserKeys with the wrong format of keys.

I suspect that you were misled by the error message in the same way that I was. In fact, the SSH keys are being properly updated despite the error message. It goes to show why it’s important to fix this log spam.

This bug is about a case where the agent unnecessarily writes keys again, believing them to have changed when they have not. It is not logspam but a real condition. Your issue is that you believe the agent is telling you a key is invalid, but you believe it to be valid. These are not related issues as far as I can tell.

If you can understand the code and point to a bug, feel free to file a new issue for it. Or else if you believe it is a bug but can't identify it in code yourself, contact your GCP support rep and file a support case with reproduction steps.

The same underlying bug causes both the unnecessary refresh as well as the log spam.

I work on GCE by the way :)