From b713f3641bfb6f05bd30e37826673cbb2a58cb51 Mon Sep 17 00:00:00 2001
From: Maxim Babushkin
Date: Tue, 5 Nov 2019 12:32:58 +0200
Subject: [PATCH] openssh_keypair - Add password protected key check

The ssh key may be created manually prior the task execution with a passphrase. And the task will be executed on the same key. The module will check the private key and if the key is password protected, the task will fail with the following message: "The key is protected with a passphrase. Unable to proceed."
---
 ...penssh_keypair-add-password-protected-key-check.yml | 2 ++
 lib/ansible/modules/crypto/openssh_keypair.py | 10 ++++++++++
 .../integration/targets/openssh_keypair/tasks/main.yml | 10 ++++++++++
 .../targets/openssh_keypair/tests/validate.yml | 6 ++++++
 4 files changed, 28 insertions(+)
 create mode 100644 changelogs/fragments/64436-openssh_keypair-add-password-protected-key-check.yml

diff --git a/changelogs/fragments/64436-openssh_keypair-add-password-protected-key-check.yml b/changelogs/fragments/64436-openssh_keypair-add-password-protected-key-check.yml
new file mode 100644
index 00000000000000..2b05d8d6b7181e
--- /dev/null
+++ b/changelogs/fragments/64436-openssh_keypair-add-password-protected-key-check.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - openssh_keypair - add password protected key check
\ No newline at end of file
diff --git a/lib/ansible/modules/crypto/openssh_keypair.py b/lib/ansible/modules/crypto/openssh_keypair.py
index 63117f91dc714c..083996a8cadb95 100644
--- a/lib/ansible/modules/crypto/openssh_keypair.py
+++ b/lib/ansible/modules/crypto/openssh_keypair.py
@@ -240,7 +240,17 @@ def isPrivateKeyValid(self, module, perms_required=True):
         def _check_state():
             return os.path.exists(self.path)
 
+        def _check_pass_protected_key():
+            key_state = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path], environ_update=dict(SSH_ASKPASS="/bin/false"), check_rc=False, data='y')
+            if 'incorrect passphrase' in key_state[2]:
+                return True
+            return False
+
         if _check_state():
+            if _check_pass_protected_key():
+                module.fail_json(msg='The key is protected with a passphrase. Unable to proceed.')
+
             proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
             if not proc[0] == 0:
                 if os.path.isdir(self.path):
diff --git a/test/integration/targets/openssh_keypair/tasks/main.yml b/test/integration/targets/openssh_keypair/tasks/main.yml
index 0ff369787d36b8..2a9c5f2e397fa3 100644
--- a/test/integration/targets/openssh_keypair/tasks/main.yml
+++ b/test/integration/targets/openssh_keypair/tasks/main.yml
@@ -79,4 +79,14 @@
       comment: 'test_modified@privatekey7'
   register: privatekey7_modified_result
 
+- name: Generate password protected key
+  command: 'ssh-keygen -t ed25519 -f {{ output_dir }}/privatekey8 -N password'
+
+- name: Try to modify the password protected key - should fail with error message
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey8'
+    type: ed25519
+  register: privatekey8_result
+  ignore_errors: true
+
 - import_tasks: ../tests/validate.yml
diff --git a/test/integration/targets/openssh_keypair/tests/validate.yml b/test/integration/targets/openssh_keypair/tests/validate.yml
index 4d61b050aa473f..72edfb429336cf 100644
--- a/test/integration/targets/openssh_keypair/tests/validate.yml
+++ b/test/integration/targets/openssh_keypair/tests/validate.yml
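Review bot: `_check_pass_protected_key` decides that the key is passphrase-protected purely from the substring `incorrect passphrase` in ssh-keygen's stderr, ignoring the exit status, and it reaches that point after feeding `y` on stdin (`data='y'`), which presumably gets consumed as a passphrase attempt — so a key whose passphrase really is `y` is decrypted by the probe and treated as unprotected, and any ssh-keygen build that words the error differently makes the check silently fall through to the existing `-lf` path instead of failing closed. At minimum gate the match on a failed run, `if key_state[0] != 0 and 'incorrect passphrase' in key_state[2]:`, and consider detecting encryption from the file itself (the PEM `Proc-Type: 4,ENCRYPTED` header or the cipher field of the OpenSSH key format) rather than guessing a passphrase, which also keeps a probe value out of the prompt. The helper also needs a one-line docstring, e.g. `"""Return True if ssh-keygen reports that the key at self.path needs a passphrase."""`. The enclosing `isPrivateKeyValid` starts before this hunk, so whether a caller running with `force: yes` should still be allowed to regenerate the key rather than fail here could not be checked from the hunk.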
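Review bot: The new tasks prove only that the module fails on `privatekey8`; nothing checks that the failed run left the passphrase-protected key untouched, which is the property that matters if the module's fallback path ever removes or regenerates a key it cannot read. Record the file before and after the `openssh_keypair` task with `stat` and assert in validate.yml that `privatekey8_before.stat.checksum == privatekey8_after.stat.checksum`. Generating one additional key in the legacy PEM format (e.g. `ssh-keygen -t rsa -m PEM -N password`) would also exercise the detection on the other on-disk format ssh-keygen handles, since only ed25519 in the current OpenSSH format is covered here.
```yaml
- name: Record the protected key before the module runs
  stat:
    path: '{{ output_dir }}/privatekey8'
  register: privatekey8_before

# … unchanged: the openssh_keypair task with ignore_errors …

- name: Record the protected key after the module runs
  stat:
    path: '{{ output_dir }}/privatekey8'
  register: privatekey8_after
```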
@@ -107,3 +107,9 @@
   assert:
     that:
       - privatekey7_modified_result.comment == 'test_modified@privatekey7'
+
+- name: Check that the task failed on password protected key and the message is printed
+  assert:
+    that:
+      - privatekey8_result is failed
+      - privatekey8_result.msg == 'The key is protected with a passphrase. Unable to proceed.'