openssh_keypair - Add password protected key check #64436
Conversation
openssh_keypair:
  path: '{{ output_dir }}/privatekey8'
register: privatekey8_result
ignore_errors: true
Maybe add another test that in case force: yes is specified, the module won't fail.
@MaxBab did you have any chance to look at the failing CI tests so far? It looks like that for some versions of
@felixfontein The problem between the versions is that in the older version, the command I'm trying to get the error message with still asks for the password and ignores the "SSH_ASKPASS=/bin/false" I'm using (line 244). Right now, I can't think of any other way to check if the key is protected with the password. I'm looking for a way to skip the password prompt as it works in the new version and catch the error message that will tell that the password is incorrect. I'm still looking for some way to do it, but currently, it stays stuck on the password prompt.
@felixfontein The module will check the private key and if the key is password In order to regenerate the broken key, the "force" flag should be used.
This is different than what all other crypto modules do: they regenerate automatically for broken keys (or if the password doesn't match). I'm not sure whether it is a good idea to change the behavior in this way. How about simply re-generating the key in this case? Clearly the key isn't what the user expects (or should expect :D) from the module. Are there other opinions on this?
Let me describe to you the flow of the password-protected key check and how it involved the same behavior on the broken key as well. The old format of the ssh keys has an "ENCRYPTED" value within the private key, specifying that the private key is encrypted with a password. As a result, the only way for me to check if the ssh key is password-protected is to try to retrieve the public key from the private key by the following command: "ssh-keygen -P '' -yf /tmp/sshkey". That's my way of checking the key.
Ok, so we in general cannot distinguish between broken and passphrase protected. So how about always regenerating when one of these is the case? That solution will work in any case, and the module would behave the same as the other crypto modules.
@felixfontein
Looks good!
Could you please re-add the logic switch here? https://github.com/ansible/ansible/compare/02509801d9c7ed724435317344e6ee6d396f38ec..4fbdd671c4bf47f3075e32dd92c25a4f616544fd#diff-438137003e3ebd7c7c25344bd149a95eL174 (i.e. check self.force before calling self.isPrivateKeyValid()). This will make the module more future-proof. (In case there ever is another problem with isPrivateKeyValid, users can at least still force regeneration with force: yes instead of having to resort to calling ssh-keygen manually.)
* The ssh key may be created manually prior to the task execution with a passphrase. And the task will be executed on the same key.
* The ssh key may be broken and not usable.
The module will check the private key and if the key is password protected or broken, it will be overridden. The check of the ssh key is performed by retrieving the public key from the private key. Set the "self.force" check before the "isPrivateKeyValid" check. In case of any issue with the "isPrivateKeyValid" function, the user will be able to force the regeneration of the key with the "force: yes" argument.
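The check discussed in the thread (recover the public key with an empty passphrase, which fails for both a passphrase-protected and a corrupt key) and the force-before-validity ordering from the commit above, as an added example that is not the module's own code. Function names, the `/bin/false` askpass trick and the timeout fallback for older ssh-keygen builds that still open the tty for a prompt are assumptions; the PEM header sample is constructed.

```python
import os
import subprocess

# Constructed sample: header of a legacy (PEM) OpenSSH private key written
# with a passphrase. Only the header lines matter for the check below.
LEGACY_ENCRYPTED_PEM = b"""-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

<base64 body elided in this constructed sample>
-----END RSA PRIVATE KEY-----
"""


def legacy_pem_is_encrypted(key_bytes):
    """Old-format keys flag a passphrase in the PEM header ("ENCRYPTED").
    This is only informative: new-format keys carry no such marker, which is
    why the module falls back to asking ssh-keygen for the public key."""
    for line in key_bytes.splitlines():
        line = line.strip()
        if line == b"Proc-Type: 4,ENCRYPTED":
            return True
        if line == b"":  # blank line ends the PEM header block
            break
    return False


def private_key_is_valid(path, ssh_keygen="ssh-keygen", timeout=10):
    """Equivalent of the PR's check: `ssh-keygen -P '' -yf <path>`.
    Returns False for a passphrase-protected key and for a corrupt key alike;
    the thread concludes the two cases cannot be told apart this way."""
    env = dict(os.environ, SSH_ASKPASS="/bin/false")
    env.pop("DISPLAY", None)  # no GUI askpass either
    try:
        proc = subprocess.run(
            [ssh_keygen, "-P", "", "-y", "-f", path], stdin=subprocess.DEVNULL,
            capture_output=True, env=env, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        # ssh-keygen missing, or an old build blocked on a tty prompt:
        # treat as "cannot recover the public key", i.e. regenerate.
        return False
    return proc.returncode == 0


def should_regenerate(force, path, check=private_key_is_valid):
    """force is tested first, so the validity check never runs when
    force: yes is set; a faulty check can always be bypassed that way."""
    return force or not check(path)
```

With the ordering above, `should_regenerate(True, path)` is True even if the check itself raises, which is the future-proofing point raised in review.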
Done.
LGTM
@MaxBab thanks a lot for fixing this! I'll create backports so the fix will find its way into 2.8.x and 2.9.x as well.
Cool.
ansible#64436)
* The ssh key may be created manually prior to the task execution with a passphrase. And the task will be executed on the same key.
* The ssh key may be broken and not usable.
The module will check the private key and if the key is password protected or broken, it will be overridden. The check of the ssh key is performed by retrieving the public key from the private key. Set the "self.force" check before the "isPrivateKeyValid" check. In case of any issue with the "isPrivateKeyValid" function, the user will be able to force the regeneration of the key with the "force: yes" argument. (cherry picked from commit da73bbd)
SUMMARY
The ssh key may be created manually prior to the task execution with a
passphrase. And the task will be executed on the same key.
The module will check the private key and if the key is password
protected, the task will fail with the following message:
"The key is protected with a passphrase. Unable to proceed."
"Fixes #63910"
ISSUE TYPE
COMPONENT NAME
openssh_keypair