diff --git a/lib/secretsscanner/authorizedkeys/authorized_keys.go b/lib/secretsscanner/authorizedkeys/authorized_keys.go index 3890cec4b5be2..546f89dc923d0 100644 --- a/lib/secretsscanner/authorizedkeys/authorized_keys.go +++ b/lib/secretsscanner/authorizedkeys/authorized_keys.go @@ -143,12 +143,12 @@ func (w *Watcher) start(ctx context.Context) error { wg := sync.WaitGroup{} defer wg.Wait() - watcher, err := fsnotify.NewWatcher() + fileWatcher, err := fsnotify.NewWatcher() if err != nil { return trace.Wrap(err) } defer func() { - if err := watcher.Close(); err != nil { + if err := fileWatcher.Close(); err != nil { w.logger.WarnContext(ctx, "Failed to close watcher", "error", err) } }() @@ -163,24 +163,24 @@ func (w *Watcher) start(ctx context.Context) error { select { case <-ctx.Done(): return - case <-watcher.Events: + case <-fileWatcher.Events: innerLoop: for { select { case <-ctx.Done(): return - case <-watcher.Events: + case <-fileWatcher.Events: case reload <- struct{}{}: break innerLoop } } - case err := <-watcher.Errors: + case err := <-fileWatcher.Errors: w.logger.Warn("Error watching authorized_keys file", "error", err) } } }() - if err := watcher.Add(w.usersAccountFile); err != nil { + if err := fileWatcher.Add(w.usersAccountFile); err != nil { w.logger.Warn("Failed to add watcher for file", "error", err) } @@ -206,7 +206,7 @@ func (w *Watcher) start(ctx context.Context) error { defer timer.Stop() for { - if err := w.fetchAndReportAuthorizedKeys(ctx, stream, watcher); err != nil { + if err := w.fetchAndReportAuthorizedKeys(ctx, stream, fileWatcher); err != nil { w.logger.Warn("Failed to report authorized keys", "error", err) } 
@@ -237,7 +237,7 @@ func (w *Watcher) isAuthorizedKeysReportEnabled(ctx context.Context) (bool, erro func (w *Watcher) fetchAndReportAuthorizedKeys( ctx context.Context, stream accessgraphsecretsv1pb.SecretsScannerService_ReportAuthorizedKeysClient, - watcher *fsnotify.Watcher, + fileWatcher *fsnotify.Watcher, ) error { users, err := userList(ctx, w.logger, w.usersAccountFile) if err != nil { @@ -250,24 +250,26 @@ func (w *Watcher) fetchAndReportAuthorizedKeys( continue } - authorizedKeysPath := filepath.Join(u.HomeDir, ".ssh", "authorized_keys") - if fs, err := os.Stat(authorizedKeysPath); err != nil || fs.IsDir() { - continue - } + for _, file := range []string{"authorized_keys", "authorized_keys2"} { + authorizedKeysPath := filepath.Join(u.HomeDir, ".ssh", file) + if fs, err := os.Stat(authorizedKeysPath); err != nil || fs.IsDir() { + continue + } - hostKeys, err := w.parseAuthorizedKeysFile(u, authorizedKeysPath) - if errors.Is(err, os.ErrNotExist) { - continue - } else if err != nil { - w.logger.Warn("Failed to parse authorized_keys file", "error", err) - continue - } + hostKeys, err := w.parseAuthorizedKeysFile(u, authorizedKeysPath) + if errors.Is(err, os.ErrNotExist) { + continue + } else if err != nil { + w.logger.Warn("Failed to parse authorized_keys file", "error", err) + continue + } - // Add the file to the watcher. If file was already added, this is a no-op. - if err := watcher.Add(authorizedKeysPath); err != nil { - w.logger.Warn("Failed to add watcher for file", "error", err) + // Add the file to the watcher. If file was already added, this is a no-op. + if err := fileWatcher.Add(authorizedKeysPath); err != nil { + w.logger.Warn("Failed to add watcher for file", "error", err) + } + keys = append(keys, hostKeys...) } - keys = append(keys, hostKeys...) } const maxKeysPerReport = 500
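Review bot: The two names in the new `for _, file := range []string{"authorized_keys", "authorized_keys2"}` loop are sshd's default `AuthorizedKeysFile` locations, but nothing in the hunk says so or records that a non-default `AuthorizedKeysFile` in sshd_config (for example a path outside the user's home directory) is not scanned; a comment on the loop such as `// sshd's default AuthorizedKeysFile is ".ssh/authorized_keys .ssh/authorized_keys2"; a custom AuthorizedKeysFile in sshd_config is not consulted here.` would make that coverage boundary explicit to anyone relying on the report. Now that the loop body handles two files per user, the warnings it emits do not say which file failed; adding the path, `w.logger.Warn("Failed to parse authorized_keys file", "error", err, "path", authorizedKeysPath)` and likewise for the "Failed to add watcher for file" message, keeps the logs actionable. A key present in both files is appended to `keys` twice; whether the report consumer tolerates duplicates is not visible here and is worth confirming. `fetchAndReportAuthorizedKeys` begins before this hunk and continues past `const maxKeysPerReport`.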