openssh_keypair - Add password protected key check

The ssh key may be created manually prior the task execution with a passphrase. And the task will be executed on the same key. The module will check the private key and if the key is password protected, the task will fail with the following message: "The key is protected with a passphrase. Unable to proceed."
ansible · Nov 5, 2019 · b713f36 · b713f36
1 parent 819ba22
commit b713f36
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 0 deletions.
diff --git a/changelogs/fragments/64436-openssh_keypair-add-password-protected-key-check.yml b/changelogs/fragments/64436-openssh_keypair-add-password-protected-key-check.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - openssh_keypair - add password protected key check
diff --git a/lib/ansible/modules/crypto/openssh_keypair.py b/lib/ansible/modules/crypto/openssh_keypair.py
@@ -240,7 +240,17 @@ def isPrivateKeyValid(self, module, perms_required=True):
         def _check_state():
             return os.path.exists(self.path)
 
+        def _check_pass_protected_key():
+            key_state = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path],
+                                           environ_update=dict(SSH_ASKPASS="/bin/false"), check_rc=False, data='y')
+            if 'incorrect passphrase' in key_state[2]:
+                return True
+            return False
+
         if _check_state():
+            if _check_pass_protected_key():
+                module.fail_json(msg='The key is protected with a passphrase. Unable to proceed.')
+
             proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
             if not proc[0] == 0:
                 if os.path.isdir(self.path):

diff --git a/test/integration/targets/openssh_keypair/tasks/main.yml b/test/integration/targets/openssh_keypair/tasks/main.yml
@@ -79,4 +79,14 @@
     comment: 'test_modified@privatekey7'
   register: privatekey7_modified_result
 
+- name: Generate password protected key
+  command: 'ssh-keygen -t ed25519 -f {{ output_dir }}/privatekey8 -N password'
+
+- name: Try to modify the password protected key - should fail with error message
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey8'
+    type: ed25519
+  register: privatekey8_result
+  ignore_errors: true
+
 - import_tasks: ../tests/validate.yml
diff --git a/test/integration/targets/openssh_keypair/tests/validate.yml b/test/integration/targets/openssh_keypair/tests/validate.yml
@@ -107,3 +107,9 @@
   assert:
     that:
       - privatekey7_modified_result.comment == 'test_modified@privatekey7'
+
+- name: Check that the task failed on password protected key and the message is printed
+  assert:
+    that:
+      - privatekey8_result is failed
+      - privatekey8_result.msg == 'The key is protected with a passphrase. Unable to proceed.'