
I am trying to create a .ssh folder and then add id_rsa and known_hosts files into the .ssh folder on a Windows 2016 server. This folder needs to get into the profile of any user who runs puppet manually (or as a service). To make this work I have written a custom fact $::user_profile_directory that figures out the home directory (%userprofile%). The method works completely fine for all users except when puppet runs as a service.

When puppet runs as a service it creates the .ssh folder inside the "c:/windows/system32/config/systemprofile" folder, but does not create the files (id_rsa, known_hosts) in the created .ssh folder. This does not happen if I run the puppet service as any other user.

Puppet also does not show any errors in the logs and instead says the content was changed to a specific md5 sum hash. But the .ssh folder does not contain any of the files if I go and check manually using Explorer.

Also, if I place the files manually into the c:/windows/system32/config/systemprofile/.ssh folder it corrects the permissions on the files. I don't understand: if it's able to correct the permissions on the files when they are present, then why is it not able to create the files? Here is my simple puppet code:

$user_home = $::user_profile_directory

file { "${user_home}/.ssh":
  ensure => 'directory',
  #owner  => $user_name,
  group  => 'Administrators',
  mode   => '0700'
} ->

file { "${user_home}/.ssh/id_rsa":
  ensure  => 'file',
  content => hiera('vester::vester_private_key'),
  #owner   => $user_name,
  group   => 'Administrators',
  mode    => '0600'
} ->

file { "${user_home}/.ssh/known_hosts":
  ensure             => 'file',
  source             => 'puppet:///modules/vester/known_hosts',
  source_permissions => 'ignore',
  #owner              => $user_name,
  #group              => 'Administrators',
  #mode               => '0660'
}

When puppet runs as a service, ${user_home} is c:/windows/system32/config/systemprofile

When puppet runs as another user (let's say vagrant), ${user_home} is c:/users/vagrant

Facter code that generates the $::user_home fact:

Facter.add('user_profile_directory') do
  confine :osfamily => :windows
  setcode do
    ENV['USERPROFILE']
  end
end

EDIT 1: Just figured out that I am able to create folders, but not files, in any of the folders/subfolders under "C:/windows/system32". How can I create files in a custom folder under system32 using puppet?

EDIT 2: Just figured out that even though $::user_profile_directory is returning

c:/windows/system32/config/systemprofile

all my files are getting placed under

c:/windows/syswow64/config/systemprofile

Aditya Pednekar
  • It seems like the problem is your fact is taking the value from ENV['USERPROFILE']. I don't know much about Windows, but can't you fix it just by using different code in your custom fact? – Alex Harvey Aug 16 '18 at 01:40
  • It's not fixed, but I figured out the root cause. I'll post it as a solution in some time. – Aditya Pednekar Aug 16 '18 at 05:25
  • In short, it was the WOW64 secret redirection in Windows and a 32-bit puppet client on a 64-bit OS which was causing the issue @AlexHarvey – Aditya Pednekar Aug 18 '18 at 11:52

1 Answer

The 32-bit Puppet client was installed on my 64-bit Windows 2016 Server. The files were actually getting created, but instead of

c:/windows/system32/config/systemprofile/.ssh

the files were created inside the

c:/windows/syswow64/config/systemprofile/.ssh

folder by my puppet client.

The %windir%\System32 directory is reserved for 64-bit applications on 64-bit Windows. Most DLL file names were not changed when 64-bit versions of the DLLs were created, so 32-bit versions of the DLLs are stored in a different directory. WOW64 hides this difference by using a file system redirector.

In most cases, whenever a 32-bit application attempts to access %windir%\System32, %windir%\lastgood\system32, or %windir%\regedit.exe, the access is redirected to an architecture-specific path.

How Redirection Works

It's weird since, even though the files are created in the c:/windows/syswow64/config/systemprofile/.ssh folder, the puppet logs in the Event Viewer were showing that the files were being successfully created inside c:/windows/system32/config/systemprofile/.ssh. This happened because 32-bit puppet clients are unaware of the secret redirection in Windows.

The fix for me was to just remove the 32-bit puppet client and install the 64-bit puppet client back, since one of my puppet modules (puppetlabs/vsrepo) was trying to access the known_hosts file from the c:/windows/system32/config/systemprofile/.ssh folder, as it was using a 64-bit git.exe client in the background.

More about the WOW64 secret redirection in the Microsoft documentation here.

Aditya Pednekar
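The mismatch described above is easy to catch before it bites: a 32-bit process running under WOW64 on 64-bit Windows carries the PROCESSOR_ARCHITEW6432 environment variable, which a native 64-bit process does not. The following is an added example, not code from the question, the answer or Puppet/Facter, showing how a Facter-style check could use that variable to predict where a write under %windir%\System32 will really land and emit a warning, so the agent's bitness problem shows up in the fact output rather than as silently misplaced id_rsa and known_hosts files. It only handles the System32 case from this page (not lastgood\system32 or regedit.exe), and it reads nothing but the environment, so it runs anywhere with the constructed env hashes below; the function names and the warning wording are my own.

```ruby
# Added example (not from the question, the answer or Facter itself): detect
# WOW64 file-system redirection so a 32-bit agent on 64-bit Windows can report
# where its writes to %windir%\System32 actually land.

# Matches <drive>:\windows\system32 (either slash style), capturing the
# %windir% prefix and whatever follows system32.
SYSTEM32_RE = %r{\A([a-z]:[\\/]windows)[\\/]system32([\\/].*)?\z}i

# Windows sets PROCESSOR_ARCHITEW6432 only inside a 32-bit process that runs
# under WOW64 on a 64-bit OS; PROCESSOR_ARCHITECTURE is then 'x86'.
def wow64_process?(env = ENV)
  env.key?('PROCESSOR_ARCHITEW6432') && env['PROCESSOR_ARCHITECTURE'] == 'x86'
end

# Returns the path a write will really hit. For a WOW64 process a path under
# %windir%\System32 is redirected to %windir%\SysWOW64; any other path, and
# every path in a native 64-bit process, is returned unchanged. The caller's
# slash style is preserved.
def effective_path(path, env = ENV)
  return path unless wow64_process?(env)
  m = SYSTEM32_RE.match(path)
  return path unless m
  separator = path[m[1].length]       # the slash that followed %windir%
  "#{m[1]}#{separator}syswow64#{m[2]}"
end

# Warning string a fact could emit when the profile directory the agent
# resolved will be redirected; nil when the path is left alone.
def redirection_warning(profile_dir, env = ENV)
  actual = effective_path(profile_dir, env)
  return nil if actual.casecmp(profile_dir).zero?
  "32-bit agent under WOW64: writes to #{profile_dir} will land in #{actual}"
end

# Constructed environments for demonstration (hypothetical, not captured from
# a real host): a 32-bit agent under WOW64 and a native 64-bit agent, both
# running as the service account whose profile lives under system32.
WOW64_ENV  = { 'PROCESSOR_ARCHITECTURE' => 'x86',
               'PROCESSOR_ARCHITEW6432' => 'AMD64',
               'USERPROFILE' => 'C:\\Windows\\system32\\config\\systemprofile' }.freeze
NATIVE_ENV = { 'PROCESSOR_ARCHITECTURE' => 'AMD64',
               'USERPROFILE' => 'C:\\Windows\\system32\\config\\systemprofile' }.freeze

if __FILE__ == $PROGRAM_NAME
  [WOW64_ENV, NATIVE_ENV].each do |env|
    puts redirection_warning(env['USERPROFILE'], env) ||
         "no redirection for #{env['USERPROFILE']}"
  end
end
```

Dropped into a custom fact next to user_profile_directory, the warning makes the 32-bit-agent-on-64-bit-OS condition visible in every run's fact output, which is where the question author would have seen the cause instead of a clean log pointing at a directory the agent never wrote to. For a vagrant-style profile under C:\Users the check stays silent, matching the behaviour the question reports for non-service users.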