weareinteractive / ansible-users

Ansible role which creates and manages users


authorized_keys are added, not replacing

ebarault opened this issue

Hi,
I noticed today that when changing a key in authorized_keys, the role adds the new key to the existing user but does not remove the older one.

step 1

users:
  - username: my_user
    home_create: yes
    groups:
      - docker
    append: yes
    authorized_keys:
      - public_key_A
    shell: /bin/bash

step 2

users:
  - username: my_user
    home_create: yes
    groups:
      - docker
    append: yes
    authorized_keys:
      - public_key_B
    shell: /bin/bash

# /users/my_user/.ssh/authorized_keys
public_key_A
public_key_B

I took for granted until now that replaced authorized keys were removed and it's potentially dangerous to think so.

Did you implement it like this on purpose?

Hi, it's sort of on purpose... you can switch on users_authorized_keys_exclusive or item.authorized_keys_exclusive as documented here.

To remove keys, the default way would be to specify your public_key_A key state as absent and run the role again, but this feature isn't implemented yet as this would need to be added.

PRs always welcome
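
An added example, not part of the original thread or the role's own code: a Python check that compares the keys declared for a user with the contents of that user's authorized_keys file and reports keys left behind after a rotation. The key blobs, comments and function names are constructed for this example.

```python
import re

# Key type names OpenSSH accepts at the start of a public key entry.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# A token is a run of non-space characters; double-quoted option values may contain spaces.
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+')


def parse_keys(text):
    """Map key blob -> (key type, comment) for every key line in authorized_keys text."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = TOKEN.findall(line)
        # The key type is the first field, or the second when an options field precedes it.
        idx = next((i for i in (0, 1)
                    if i + 1 < len(tokens) and tokens[i] in KEY_TYPES), None)
        if idx is not None:
            keys[tokens[idx + 1]] = (tokens[idx], " ".join(tokens[idx + 2:]))
    return keys


def audit(declared, on_disk):
    """Compare by key blob, so a changed comment or added option is not a new key."""
    want, have = parse_keys(declared), parse_keys(on_disk)
    return {
        "stale": sorted(have[b] for b in have.keys() - want.keys()),
        "missing": sorted(want[b] for b in want.keys() - have.keys()),
    }


# Constructed sample data: key B is declared, key A is still present on the host.
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyAxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyByyyyyyyyyyyyyyyyyyyyyyyyyyyy"
DECLARED = f"ssh-ed25519 {KEY_B} my_user@new-laptop\n"
ON_DISK = (
    f'from="192.0.2.0/24",command="echo ssh-rsa trap" ssh-ed25519 {KEY_A} my_user@old-laptop\n'
    f"ssh-ed25519 {KEY_B} renamed-comment\n"
)

if __name__ == "__main__":
    print(audit(DECLARED, ON_DISK))
```

A non-empty `stale` list after a rotation means the replaced key still grants access to the account.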

Managing accounts has the same "problem" I think. State cannot be supplied. I can make a PR. Never mind, I need more ☕️. Saw users_remove.

Btw, love your role. 🎉 Thanks for publishing it!

@till Pleasure! Thanks for the feedback 👍