authorized_keys module is deleting too many lines when using state: absent

Hello

I need to clean up the authorized_keys files on our infra a bit.

I created a simple playbook that goes and removes one key from the remote authorized_keys files, but when I run it in check/diff mode I see it tries to remove far too many lines.

this is the playbook

`

Hard to tell what is going on without more information.

* What do the keys that are being removed look like?
* What does /path/to/totpubkey.pub look like?
* What do the authorized_keys file(s) look like?

Could it be that the same pubkey is listed in your authorized_keys
several times but with different comments?

Dick

Hello

No, the keys are different, but I think that the Ansible module only matches the beginning of the line and not the whole file.

I am not going to list all the public keys here, but:

the public key that has to be removed and the ones that are wrongly being removed have the 'same' beginning:

ssh-rsa AAAAB3NzaC1yc2EAAAA…
After this, both lines in authorized_keys differ.

So does the authorized_key module only look at the beginning of the line?

The /path/to/totpubkey.pub is a normal, regular ssh-rsa public key file with the public key, and the authorized_keys files are one key per line… nothing fancy.

The fact that multiple keys begin with AAAAB3NzaC1yc2EAAAA is because
they share the same header - this is OK.
The module takes the entire key string into account.

Can you maybe reproduce this in a way that we can look at it?
Otherwise it will be impossible to tell what is wrong (other than
guessing what it might be).

Dick

You could try to anonymize the usernames and comments, and if that has the same problems, post that file. Then you'd be posting only public keys but no usernames etc.

I am working on it to provide you a use case… but.

Is by any chance the authorized_key module sanitizing, aka removing duplicate entries on the remote authorized_keys file, even if they were not in the key string passed to be removed?

In that case there is probably no issue; I must do some tests :)

I'll keep you posted.

regards

M

No, there is no such sanitizing thing.
There is the 'exclusive' option, but that would remove everything else
but your key. And you're not using that.

https://docs.ansible.com/ansible/latest/modules/authorized_key_module.html#parameter-exclusive

Hi all,

>
> I am working on it to provide you a use case.. but.
>
> is by any chance the authorized_key module sanitizing aka
> removing duplicate entries on the remote authorized_keys file even
> if they were not in the key string passed to be removed

No, there is no such sanitizing thing.

I just looked at the code
(https://github.com/ansible-collections/ansible.posix/blob/master/plugins/modules/authorized_key.py).
It does indeed remove duplicates. It puts all lines of authorized_keys
into a dictionary, indexed by the actual key:
https://github.com/ansible-collections/ansible.posix/blob/master/plugins/modules/authorized_key.py#L450-L461

The value in the dictionary contains more information so that the file
can be rebuilt - except that duplicate keys won't survive.

It's probably a good idea to mention that in the module docs. If
someone wants to create a PR for that (it's a good start to trying PRs
for collections!), feel free!

Cheers,
Felix
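To make the dictionary explanation concrete, here is an added example (my own re-creation for this thread, not the ansible.posix module's code) that parses a constructed authorized_keys file into a dict keyed by the key body, the way the module does, and shows why a single state=absent can shrink the file by more than one line. The key-type list, the handling of unparsable lines, the simplification that an already present key is left untouched, and rebuilding the file only when a change is actually needed are assumptions made for the example; the sample file reuses the ed25519 keys posted later in the thread, with a constructed options prefix on the third line.

```python
"""Why removing one key from authorized_keys can drop several lines.

Added example, not the ansible.posix authorized_key module's own code. It
models one design decision from that module: every line is stored in a dict
indexed by the base64 key body, so a key listed several times (with different
comments or no comment) survives only once when the file is rebuilt.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: lines 1, 4 and 5 carry the same key body with different
# comments. Line 3 additionally has an options prefix (constructed here).
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX deploy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 ansible
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4
"""

# [options] keytype base64-body [comment]; the key-type list is an assumption
# covering the common OpenSSH types, not the module's own table.
KEY_LINE = re.compile(
    r"^(?:(?P<options>\S.*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)\s+"
    r"(?P<key>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


class Entry(NamedTuple):
    options: Optional[str]
    keytype: str
    key: str
    comment: Optional[str]

    def render(self) -> str:
        return " ".join(p for p in (self.options, self.keytype, self.key, self.comment) if p)


def parse_line(line: str) -> Optional[Entry]:
    m = KEY_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["options"], m["type"], m["key"], m["comment"] or None)


def index_by_key(lines: List[str]) -> Dict[str, str]:
    """One dict slot per key body: a later duplicate overwrites an earlier
    one, so only the last copy's options/comment survive a rebuild.
    Comment lines and anything unparsable are kept verbatim, keyed by
    their own text (an assumption for this example)."""
    keys: Dict[str, str] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            keys[line] = line
        else:
            keys[entry.key] = entry.render()
    return keys


def duplicate_keys(lines: List[str]) -> Dict[str, int]:
    """Pre-flight check: key bodies that occur more than once."""
    counts: Dict[str, int] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            counts[entry.key] = counts.get(entry.key, 0) + 1
    return {k: n for k, n in counts.items() if n > 1}


def apply_state(lines: List[str], pubkey: str, state: str) -> List[str]:
    """Return the file content after a present/absent request. The file is
    only rebuilt from the index when the request changes something; an
    unchanged file is returned as-is, duplicates included."""
    wanted = parse_line(pubkey)
    if wanted is None:
        raise ValueError("not a public key line: %r" % pubkey)
    keys = index_by_key(lines)
    present = wanted.key in keys
    if state == "present":
        if present:
            return lines
        keys[wanted.key] = wanted.render()
    elif state == "absent":
        if not present:
            return lines
        del keys[wanted.key]
    else:
        raise ValueError("state must be present or absent")
    return list(keys.values())


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    print("duplicates:", duplicate_keys(lines))
    after = apply_state(lines, lines[1], "absent")
    print("removed 1 key: %d lines -> %d lines" % (len(lines), len(after)))
```

Running it, the request to remove the second key turns a five-line file into a two-line file: the requested line goes, and the two extra copies of the first key collapse into the single surviving (comment-less, last-seen) entry. Removing a key that is not present leaves the file untouched, duplicates included, which matches the check-mode observation at the top of the thread: the diff only looks alarming when something actually changes. `duplicate_keys` is the check to run before a clean-up so the extra removals are expected rather than surprising.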

I ran some tests.

I created some ssh files on Vagrant and an authorized_keys with duplicates, and tried to add/remove a line that is not a duplicate.

The result is that if there is a line to be added/removed from the authorized_keys file, the duplicates are also removed; if no line is found to be removed, then nothing happens.

illustration:

authorized_keys file; notice the duplicates in lines 1, 4 and 5: line 4 has a different comment, line 5 has no comment

`
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHgAOaG6REJxdsfOQmyLhpQ8Q+j0qNyiUuqlYLk6/j5M vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMc8GxolEFe89BjWEnT3fHfqnL5eVMt8aw2ZJ54Iu6dX vagrant@localhost.localdomain
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4 ansible
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJwjZJR1W1yJJ7QvfD8ym/tIyl0pLAlNGxjci4lsXjY4

`

This is a playbook to add a new line… removing works on the same principle:

`