Closed lhriley-tm closed 7 years ago
This seems to be a problem with any variable being expanded that might contain sensitive data.
I've set the resource that creates the key to sensitive so you won't see those in your logs or in visibility if you use automate. I'll get a release out soon with that change.
As implemented, the users_manage LWRP prints all SSH keys to the log, both public and private. This would be tolerable if we could mark the LWRP itself as sensitive, but that does not appear to work in testing. Instead, it appears that we would need the source modified to add "sensitive true" to the template resource which generates the private (id*) key file.
https://github.com/chef-cookbooks/users/blob/v1.8.2/providers/manage.rb#L131-L141
Optionally, it would be nice to make this an attribute that we could pass into the LWRP so that we could expose the content in testing / kitchen and hide it in Production.
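For logs written before the template resource was marked sensitive, a scan like the following locates and redacts private-key blocks. This is an added example, not part of the original issue or the users cookbook; the function name `redact_private_keys` and the sample log layout are constructed assumptions.

```ruby
# Added example: find and redact private-key blocks that a Chef run wrote to a log.
# Public keys are not secret, so only PEM-style private key blocks are matched.
KEY_BEGIN = /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/
KEY_END   = /-----END (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/

# Returns [redacted_text, findings]. Each finding is { start:, end: } with
# 1-based line numbers. A block with no END marker (truncated or rotated log)
# is redacted to the end of the input and reported with end: nil.
def redact_private_keys(log_text)
  findings = []
  open_block = nil
  out = log_text.each_line.with_index(1).map do |line, no|
    if open_block
      if line =~ KEY_END
        open_block[:end] = no
        open_block = nil
      end
      nil # drop key body and END marker
    elsif line =~ KEY_BEGIN
      # BEGIN and END on one line happens when newlines were escaped in the log
      block = { start: no, end: (line =~ KEY_END ? no : nil) }
      findings << block
      open_block = block unless block[:end]
      # keep the diff/log prefix so the surrounding context still reads
      "#{line[/\A.*?(?=-----BEGIN)/]}[REDACTED PRIVATE KEY]\n"
    else
      line
    end
  end
  [out.compact.join, findings]
end

# Constructed sample: the layout is illustrative, not captured chef-client output.
SAMPLE_LOG = <<~LOG
  [2017-01-01T00:00:00+00:00] INFO: Processing template[/home/alice/.ssh/id_rsa]
      - update content in file /home/alice/.ssh/id_rsa
      +-----BEGIN RSA PRIVATE KEY-----
      +CONSTRUCTED-NOT-A-KEY
      +-----END RSA PRIVATE KEY-----
  [2017-01-01T00:00:01+00:00] INFO: Chef Run complete
LOG

if __FILE__ == $PROGRAM_NAME
  redacted, findings = redact_private_keys(SAMPLE_LOG)
  findings.each { |f| warn "private key block at lines #{f[:start]}..#{f[:end] || 'EOF'}" }
  puts redacted
end
```

Any key this finds was already readable by whoever could read the log, so redaction goes together with rotating that key.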