Unable to add Match to /etc/sshd_conf #79

Closed
mburlic opened this issue Mar 20, 2024 · 8 comments
Labels
bug Something isn't working triaged Jira issue has been created for this

Comments

@mburlic

mburlic commented Mar 20, 2024

Unable to add to /etc/sshd_conf with module. Using augtool works without issues. Maybe I'm doing something wrong. Thank you for looking at this.

augtool> set /files/etc/ssh/sshd_config/Match/Condition/Address 192.168.0.3
augtool> set /files/etc/ssh/sshd_config/Match/Condition/User user
augtool> set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms +ssh-rsa
augtool> save
Saved 1 file(s)
augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address 192.168.0.3',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms +ssh-rsa',
  ],
  notify  => Service['ssh'],
}

Debug run error:

Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Condition/Address", "192.168.0.3"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Condition/User", "user"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): sending command 'set' with params ["/files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms", "+ssh-rsa"]
Debug: Augeas[sshd_allow_rsa](provider=augeas): Put failed on one or more files, output from /augeas//error:
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error = put_failed
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/path = /files/etc/ssh/sshd_config/files/etc/ssh/sshd_config/Match/Settings
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/lens = /opt/puppetlabs/puppet/share/augeas/lenses/dist/sshd.aug:151.12-.44:
Debug: Augeas[sshd_allow_rsa](provider=augeas): /augeas/files/etc/ssh/sshd_config/error/message = Failed to match tree under /files/etc/ssh/sshd_config/Match/Settings

     { "PubkeyAcceptedAlgorithms" = "+ssh-rsa" }
@mburlic mburlic added the bug Something isn't working label Mar 20, 2024
@cthorn42 cthorn42 added the triaged Jira issue has been created for this label Mar 26, 2024

Migrated issue to PA-6286

@cthorn42
Collaborator

@mburlic thanks for the issue, we're going to reproduce this on our end and get back to you.

@joshcooper
Contributor

@mburlic we're not able to successfully apply the augeas command when using the augtool that ships in puppet-agent 7.29.1. Is it possible you're running with the system augtool, and perhaps it is using a different set of lenses than we ship in puppet-agent?

[root@oral-assiduity ~]# /opt/puppetlabs/puppet/bin/augtool --version
augtool 1.14.1 <http://augeas.net/>
Copyright (C) 2007-2016 David Lutterkort
License LGPLv2+: GNU LGPL version 2.1 or later
                 <http://www.gnu.org/licenses/lgpl-2.1.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David Lutterkort
[root@oral-assiduity ~]# /opt/puppetlabs/puppet/bin/puppet --version
7.29.1
[root@oral-assiduity ~]# cat aug.txt 
set /files/etc/ssh/sshd_config/Match/Condition/Address 192.168.0.3
set /files/etc/ssh/sshd_config/Match/Condition/User user
set /files/etc/ssh/sshd_config/Match/Settings/PubkeyAcceptedAlgorithms +ssh-rsa
save
errors
[root@oral-assiduity ~]# /opt/puppetlabs/puppet/bin/augtool --file aug.txt
error: Failed to execute command
saving failed (run 'errors' for details)
Error in /etc/ssh/sshd_config at node /files/etc/ssh/sshd_config/files/etc/ssh/sshd_config/Match/Settings (put_failed)
  Failed to match tree under /files/etc/ssh/sshd_config/Match/Settings

     { "PubkeyAcceptedAlgorithms" = "+ssh-rsa" }

  with pattern
   ...

  Lens: /opt/puppetlabs/puppet/share/augeas/lenses/dist/sshd.aug:151.12-.44:

Note there was a recent change to PubkeyAcceptedAlgorithms in augeas 1.14.1 (hercules-team/augeas#806); not sure if that's related to this?

@mburlic
Author

mburlic commented Apr 3, 2024

It could be, as I was testing with augtool from the Debian repo:

augtool --version
augtool 1.12.0 <http://augeas.net/>

With 1.14.1 it fails.

@joshcooper
Contributor

Thanks @mburlic, could you file an upstream issue with hercules-team and reference this ticket?

@mburlic
Author

mburlic commented Apr 10, 2024

Thank you. Here is the issue:
hercules-team/augeas#830

@mburlic
Author

mburlic commented Apr 23, 2024

Here is the detailed answer:
hercules-team/augeas#830 (comment)

In short, PubkeyAcceptedAlgorithms is now a list in the sshd.aug lens.

Thank you for your time.

@mburlic mburlic closed this as completed Apr 23, 2024
@joshcooper
Contributor

joshcooper commented Apr 24, 2024

Thanks @mburlic! It's a bit surprising augeas introduced a breaking change in 1.14.1. For anyone else who runs into this, if you want to add ssh-rsa to PubkeyAcceptedAlgorithms, but only if it doesn't already exist, then you can do:

# cat manifest.pp
augeas { 'sshd_allow_rsa':
  incl    => '/etc/ssh/sshd_config',
  lens    => 'Sshd.lns',
  context => '/files/etc/ssh/sshd_config/Match/',
  changes => [
    'set Condition/Address 192.168.0.3',
    'set Condition/User user',
    'set Settings/PubkeyAcceptedAlgorithms/seq::*[.="ssh-rsa"] ssh-rsa',
   ]
}
# /opt/puppetlabs/puppet/bin/puppet apply manifest.pp 
Notice: Compiled catalog for XXX in environment production in 0.03 seconds
Notice: /Stage[main]/Main/Augeas[sshd_allow_rsa]/returns: executed successfully
Notice: Applied catalog in 0.20 seconds
# cat /etc/ssh/sshd_config
...
Match Address "192.168.0.3" User "user"
  PubkeyAcceptedAlgorithms ssh-rsa
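
Added example (not code from the issue, puppet or augeas): a small Python model of how sshd resolves PubkeyAcceptedAlgorithms for a connection, applying the `+`/`-`/`^` prefix semantics from sshd_config(5) and first-match-wins handling of Match blocks, so you can see what the Match block produced above actually grants. The baseline default list and the sshd_config excerpt are constructed stand-ins, and Match criteria are compared as exact strings (real sshd also accepts CIDR and wildcard patterns for Address).

```python
from fnmatch import fnmatch

# Assumed baseline (constructed stand-in) for sshd's built-in default set; compare with `sshd -T` on a real host.
DEFAULT_PUBKEY_ALGS = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"]
# Constructed sshd_config excerpt: the Match block from the issue plus two contrasting directives.
SAMPLE_SSHD_CONFIG = """\
PubkeyAcceptedAlgorithms -ecdsa-*
Match Address "192.168.0.3" User "user"
  PubkeyAcceptedAlgorithms ssh-rsa
Match User "ops"
  PubkeyAcceptedAlgorithms +ssh-rsa
"""

def apply_list_directive(value, default):
    """sshd_config(5) list semantics: '+' appends to the default set, '-' removes (wildcards ok), '^' puts first, no prefix replaces."""
    prefix, body = (value[0], value[1:]) if value[:1] in "+-^" else ("", value)
    items = [a for a in body.split(",") if a]
    if prefix == "+":
        return default + [a for a in items if a not in default]
    if prefix == "-":
        return [a for a in default if not any(fnmatch(a, pat) for pat in items)]
    if prefix == "^":
        return items + [a for a in default if a not in items]
    return items

def parse_sshd_config(text):
    """Return (global settings, ordered [(Match criteria, settings)]); keys lower-cased, first occurrence of a keyword wins."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, val = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            toks = [t.strip('"') for t in val.split()]
            current = {}
            blocks.append(({toks[i].lower(): toks[i + 1] for i in range(0, len(toks) - 1, 2)}, current))
        else:
            current.setdefault(key.lower(), val.strip())
    return global_cfg, blocks

def effective_pubkey_algs(text, address, user):
    """Resolve the list a connection gets: first matching Match block that sets the keyword, then global, then baseline."""
    global_cfg, blocks = parse_sshd_config(text)
    conn = {"address": address, "user": user}
    scopes = [s for c, s in blocks if all(conn.get(k) == v for k, v in c.items())] + [global_cfg]
    for settings in scopes:
        if "pubkeyacceptedalgorithms" in settings:
            return apply_list_directive(settings["pubkeyacceptedalgorithms"], DEFAULT_PUBKEY_ALGS)
    return list(DEFAULT_PUBKEY_ALGS)
```

Because the manifest writes `ssh-rsa` with no `+`, the matched address/user gets a list that is replaced rather than extended, so only ssh-rsa keys are accepted for that client; compare this with the `+ssh-rsa` scope in the sample, which keeps the baseline and appends.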
