authorized_key messes up options when using comma-separated from= list in key_options #5032

Closed
maetthu opened this issue Nov 23, 2013 · 3 comments
Labels
bug This issue/PR relates to a bug.

maetthu commented Nov 23, 2013

When specifying multiple patterns in the "from=" options for a key (like for example from="1.2.3.4,5.6.7.8."), the option parsing breaks for both the new key_options param as well as specifying the options directly in the key. This also breaks existing playbooks which worked for version <1.4.

tasks:
- name: key with options
  authorized_key: user=root key='from="1.*,2.*" ssh-rsa WHATEVER1 user@host' 
- name: key with key_options
  authorized_key: user=root key_options='from="1.*,2.*"' key="ssh-rsa WHATEVER2 user@host" 

results in the following entries written to the authorized_keys file:

2.*,from="1.*" ssh-rsa WHATEVER1 user@host
2.*,from="1.*" ssh-rsa WHATEVER2 user@host

which should actually result in

from="1.*,2.*" ssh-rsa WHATEVER1 user@host
from="1.*,2.*" ssh-rsa WHATEVER2 user@host

$ ansible --version
ansible 1.4

The only difference in the authorized_key module compared to the devel branch is commit 32986c4, though this version just breaks differently; the resulting authorized_keys file is:

2.*",from="""1.*"" ssh-rsa WHATEVER1 user@host
2.*",from=""1.*" ssh-rsa WHATEVER2 user@host

Specifying multiple host-patterns in a comma-separated list in the "from" option is documented in the man-page of authorized_keys:

from="pattern-list"
        Specifies that in addition to public key authentication, either
        the canonical name of the remote host or its IP address must be
        present in the comma-separated list of patterns.  See PATTERNS in
        ssh_config(5) for more information on patterns.

@ghost assigned jimi-c Nov 23, 2013

@mpdehaan

@jimi-c all yours

@jctanner

test patch:

diff --git a/library/system/authorized_key b/library/system/authorized_key
index db0425d..ac9df88 100644
--- a/library/system/authorized_key
+++ b/library/system/authorized_key
@@ -177,7 +177,14 @@ def parseoptions(options):
     '''
     options_dict = {}
     if options:
-        options_list = options.strip().split(",")
+        lex = shlex.shlex(options)
+        lex.quotes = ["'", '"']
+        lex.whitespace_split = True
+        opt_parts = list(lex)
+        open("/tmp/awx.log", "a").write("opt_parts: %s\n" % opt_parts)
+
+        #options_list = options.strip().split(",")
+        options_list = opt_parts
         for option in options_list:
             # happen when there is comma at the end
             if option == '':
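Review bot: the lexer configured on the added lines still does not split on commas. `whitespace_split = True` makes shlex break tokens only on its whitespace set, and these lines never set `lex.whitespace`, so an option string with no spaces, such as `from="1.*,2.*",no-X11-forwarding`, comes back as a single token and the loop below sees one option. Set `lex.whitespace = ','` (or split on commas outside quotes by hand), and confirm `shlex` is imported, since no import is visible in this hunk. The `open("/tmp/awx.log", "a").write(...)` debug line should be removed before merge: it appends key options to a fixed, predictable path in /tmp with whatever privileges the module runs under, and the handle is never closed. The commented-out `options_list = options.strip().split(",")` can be deleted as well.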
@@ -187,7 +194,8 @@ def parseoptions(options):
             else:
                 arg = option
                 val = None
-            options_dict[arg] = val
+            options_dict[arg] = val.replace('"', '').replace("'", "")
+    open("/tmp/awx.log", "a").write("options_dict: %s\n" % options_dict)
     return options_dict

 def parsekey(raw_key):
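Review bot: `val.replace('"', '')` on the changed assignment raises AttributeError for every option without a value, because the `else` branch directly above sets `val = None` (flags such as no-X11-forwarding take that path). Guard the call so that None is stored unchanged. Stripping every quote character also throws away the record of where a quoted value ended, so the code that writes options back has to re-add the quotes itself and can no longer tell a quoted comma list from separate options. The second `open("/tmp/awx.log", "a").write(...)` debug line has the same problems as the first and should be dropped.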

maetthu commented Nov 27, 2013

Works better, but not completely fixed (still breaks my existing playbooks). Additional options are not parsed correctly:

  tasks:
  - name: key with options
    authorized_key: user=root key='from="1.*,2.*",no-X11-forwarding,no-agent-forwarding ssh-rsa WHATEVER1 user@host' state=present 
  - name: key with key_options
    authorized_key: user=root key_options='from="1.*,2.*",no-X11-forwarding,no-agent-forwarding' key="ssh-rsa WHATEVER2 user@host" state=present 

includes additional options within double quotes:

from="1.*,2.*,no-X11-forwarding,no-agent-forwarding" ssh-rsa WHATEVER1 user@host
from="1.*,2.*,no-X11-forwarding,no-agent-forwarding" ssh-rsa WHATEVER2 user@host

If additional options are placed before the from list, like

key_options='no-X11-forwarding,no-agent-forwarding,from="1.*,2.*"'

The resulting authorized_key entry is fine:

no-X11-forwarding,no-agent-forwarding,from="1.*,2.*" ssh-rsa WHATEVER2 user@host
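
The failure reported in this thread comes from treating every comma as an option separator, including the commas inside a quoted `from=` pattern list. The following is an added example, not the module's code or the fix that was later committed: a quote-aware splitter whose function names are hypothetical, run over the option strings quoted in the comments above.

```python
def split_options(options):
    """Split an authorized_keys option string on commas outside double quotes."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in options.strip():
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:   # \" keeps a quote inside a quoted value
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))   # separator only when outside quotes
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated quote in options: %r" % options)
    parts.append("".join(buf))
    return [p for p in parts if p]       # tolerate a trailing comma


def parse_options(options):
    """Return ordered (name, value) pairs; value is None for bare flags.

    A list is used instead of a dict so order and repeated options survive.
    Values keep their surrounding quotes so they can be written back as-is.
    """
    pairs = []
    for part in split_options(options or ""):
        name, sep, value = part.partition("=")
        pairs.append((name, value if sep else None))
    return pairs


def render_options(pairs):
    """Serialize the pairs back to the form written into authorized_keys."""
    return ",".join(n if v is None else "%s=%s" % (n, v) for n, v in pairs)


# Constructed samples: the option strings quoted in this issue.
SAMPLES = [
    'from="1.*,2.*"',
    'from="1.*,2.*",no-X11-forwarding,no-agent-forwarding',
    'no-X11-forwarding,no-agent-forwarding,from="1.*,2.*"',
]
```

A round-trip check (`render_options(parse_options(s)) == s`) over each sample is a cheap regression test for this class of bug, since a mangled `from=` restriction changes who the key is valid for.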

jctanner added a commit that referenced this issue Dec 2, 2013
authorized_key module: rewrite options to dict parser, fixes #5032
jimi-c pushed a commit that referenced this issue Dec 6, 2016
@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 6, 2018
@ansible ansible locked and limited conversation to collaborators Apr 24, 2019