[Pkg-salt-team] Bug#934196: salt-ssh: ssh keys are loaded from /var/lib/salt instead of /etc/salt
Ross Vandegrift
rvandegrift at debian.org
Thu Aug 8 04:04:07 BST 2019
Package: salt-ssh
Version: 2018.3.4+dfsg1-6
Severity: normal
After upgrading to buster, salt-ssh was no longer able to connect to my
configured hosts. Instead, I'd get a 'do you want to deploy the
salt-ssh key?' prompt. I said yes and salt deployed a strange key.

Tracking down the key pointed me to /var/lib/salt:

$ sudo salt-ssh -l trace ravenhurst test.ping 2>&1 | grep IdentityFile
[TRACE ] Executing command: ssh ravenhurst.kallisti.us -o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o GSSAPIAuthentication=no -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/var/lib/salt/pki/master/ssh/salt-ssh.rsa -o User=root /bin/sh << 'EOF'

But the pki_dir setting is the default:

$ sudo grep -r pki_dir: /etc/salt
/etc/salt/master:#pki_dir: /etc/salt/pki/master

As a workaround, I moved /var/lib/salt/pki/master out of the way and
symlinked it to /etc/salt/pki/master.

Ross
-- System Information:
Debian Release: 10.0
APT prefers stable
APT policy: (500, 'stable'), (40, 'unstable'), (30, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages salt-ssh depends on:
ii python3 3.7.3-1
ii salt-common 2018.3.4+dfsg1-6
salt-ssh recommends no packages.
salt-ssh suggests no packages.
-- Configuration Files:
/etc/salt/roster changed [not included]
-- no debconf information
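
The check the report performs by hand, as an added example that is not part of the original report or of Salt: it extracts the IdentityFile from salt-ssh trace output and compares it with the effective pki_dir, so a key loaded from an unexpected directory is flagged before a key-deployment prompt is accepted. The function names are hypothetical, the sample trace line is constructed from the one in the report, and it assumes no `priv` (roster) or `ssh_priv` (master config) override is set.

```shell
#!/bin/sh
# Added example: compare the key salt-ssh actually uses with the configured pki_dir.

DEFAULT_PKI_DIR=/etc/salt/pki/master   # default shown commented out in /etc/salt/master

# Print the first IdentityFile= value found in salt-ssh trace output on stdin.
identity_file_from_trace() {
    sed -n 's/.*-o IdentityFile=\([^ ]*\).*/\1/p' | head -n 1
}

# Print the effective pki_dir for a master config file: an uncommented
# top-level "pki_dir:" line wins, otherwise the default applies.
configured_pki_dir() {
    dir=$(sed -n 's/^pki_dir:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${dir:-$DEFAULT_PKI_DIR}"
}

# Read trace output on stdin. Returns 0 if the key in use lives under
# <pki_dir>/ssh/, 1 on a mismatch, 2 if no IdentityFile was seen.
check_salt_ssh_key() {
    pki=$(configured_pki_dir "$1")
    key=$(identity_file_from_trace)
    if [ -z "$key" ]; then
        echo "UNKNOWN: no IdentityFile in trace output"
        return 2
    fi
    case "$key" in
        "$pki"/ssh/*) echo "OK: $key is under $pki"; return 0 ;;
        *) echo "MISMATCH: salt-ssh uses $key but pki_dir is $pki"; return 1 ;;
    esac
}

# Constructed sample input: trace line shortened from the one in the report,
# and a master config that only carries the commented-out default.
SAMPLE_TRACE="[TRACE ] Executing command: ssh ravenhurst.kallisti.us -o ConnectTimeout=65 -o Port=22 -o IdentityFile=/var/lib/salt/pki/master/ssh/salt-ssh.rsa -o User=root /bin/sh << 'EOF'"
SAMPLE_CONF=$(mktemp)
printf '#pki_dir: /etc/salt/pki/master\n' > "$SAMPLE_CONF"
printf '%s\n' "$SAMPLE_TRACE" | check_salt_ssh_key "$SAMPLE_CONF" || true
rm -f "$SAMPLE_CONF"
```

On a live system the same check can be fed from the command in the report: `sudo salt-ssh -l trace ravenhurst test.ping 2>&1 | check_salt_ssh_key /etc/salt/master`.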