openssh_keypair handles encrypted key files poorly #63910
Comments
Files identified in the description: If these files are inaccurate, please update the
Interestingly, for me both tasks are unchanged on the second run. My OpenSSH version:
hrm, something funky is going on. If I run my example it indeed works as expected. I'm on the same OpenSSH version. However, if I target my existing
...... Wait, I think the difference is that my key is password protected. I think it probably handles that poorly.
Ahh, and
I've updated my testcase above, I'll also change the title.
Here's a pure-ansible reproducer:

```yaml
---
- hosts: localhost
  tasks:
    # Start from a clean slate
    - file:
        path: /tmp/sshkey
        state: absent
    - file:
        path: /tmp/sshkey.pub
        state: absent
    # Create a passphrase-protected ed25519 key outside of Ansible
    - command: ssh-keygen -t ed25519 -f /tmp/sshkey -N password
    - stat:
        path: "{{ item }}"
      loop:
        - /tmp/sshkey
        - /tmp/sshkey.pub
      register: out
    - debug:
        msg: "Key:{{ out.results[0].stat.size }}/{{ out.results[0].stat.mtime }} Pub:{{ out.results[1].stat.size }}/{{ out.results[1].stat.mtime }}"
    # First run of the module against the existing encrypted key
    - openssh_keypair:
        path: "/tmp/sshkey"
        type: ed25519
    - stat:
        path: "{{ item }}"
      loop:
        - /tmp/sshkey
        - /tmp/sshkey.pub
      register: out
    - debug:
        msg: "Key:{{ out.results[0].stat.size }}/{{ out.results[0].stat.mtime }} Pub:{{ out.results[1].stat.size }}/{{ out.results[1].stat.mtime }}"
    # Second run: should be unchanged, but reports changed again
    - openssh_keypair:
        path: "/tmp/sshkey"
        type: ed25519
    - stat:
        path: "{{ item }}"
      loop:
        - /tmp/sshkey
        - /tmp/sshkey.pub
      register: out
    - debug:
        msg: "Key:{{ out.results[0].stat.size }}/{{ out.results[0].stat.mtime }} Pub:{{ out.results[1].stat.size }}/{{ out.results[1].stat.mtime }}"
```

In the first I guess we need to add a "can we actually read the key itself" test and a "is the key maybe password protected" test. Anyone want to (try to) implement that?
Already checking return values for the calls above might already improve the situation a lot. |
The fix will check every private key for the password protected state. |
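The two checks proposed above ("can we actually read the key" and "is the key password protected"), worked through as an added Python example that is not code from this issue or from the Ansible module: it parses the openssh-key-v1 header that ssh-keygen writes (a key created with `-N password` carries ciphername aes256-ctr and kdfname bcrypt instead of none) and classifies an existing pair before anything is overwritten. The `constructed_key` helper and the function names are my own for the demonstration.

```python
import base64
import struct

# "openssh-key-v1" container written by ssh-keygen (OpenSSH PROTOCOL.key):
# magic | string ciphername | string kdfname | string kdfoptions | uint32 nkeys | ...
MAGIC = b"openssh-key-v1\x00"
PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 big-endian length prefix + bytes)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length

def is_passphrase_protected(pem_text):
    """True if the key is encrypted (ciphername or kdfname other than 'none').
    Only the header is parsed: no passphrase prompt, no key material decoded."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, offset = _read_string(blob, len(MAGIC))
    kdf, _ = _read_string(blob, offset)
    return cipher != b"none" or kdf != b"none"

def classify_existing_key(priv_text, pub_text):
    """Decide what to do with an existing pair before touching it:
    'encrypted'   - unreadable without a passphrase, so never overwrite or regenerate;
    'pub_missing' - the .pub half is empty (the state this issue reports); it can be
                    rederived, but only because the private key is plaintext;
    'ok'          - both halves present and readable."""
    if is_passphrase_protected(priv_text):
        return "encrypted"
    if not pub_text.strip():
        return "pub_missing"
    return "ok"

def constructed_key(cipher, kdf):
    """Header-only blob with the given cipher/KDF names, constructed for this example.
    Not a usable key: just enough of the container to exercise the parser."""
    body = MAGIC
    for field in (cipher, kdf, b""):  # ciphername, kdfname, empty kdfoptions
        body += struct.pack(">I", len(field)) + field
    body += struct.pack(">I", 1)  # nkeys
    b64 = base64.b64encode(body).decode()
    return "\n".join([PEM_HEADER] + [b64[i:i + 70] for i in range(0, len(b64), 70)] + [PEM_FOOTER])
```

A module that runs this classification first would leave an encrypted key alone and report it, rather than silently truncating the `.pub` file and reporting `changed` on every run.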
SUMMARY
`openssh_keypair` handles encrypted key files poorly.
ISSUE TYPE
COMPONENT NAME
openssh_keypair
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
Arch Linux
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
STEPS TO REPRODUCE
I'm using ed25519 because it's independent of `size`; not sure if it also happens with eg. RSA.
1. Create `/tmp/sshkey` using `ssh-keygen -t ed25519 -f /tmp/sshkey -N password`.
2. Run `openssh_keypair` against it: `changed`. `/tmp/sshkey.pub` is now empty.
3. Run it again: `changed` again.
EXPECTED RESULTS
Leave already existing `.ssh` files untouched, or properly replace them.