From 892044013378a06c680f1acad7ee7a9db55e13b1 Mon Sep 17 00:00:00 2001
From: Sviatoslav Sydorenko
Date: Tue, 21 Oct 2025 18:18:28 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=A7=AA=20Narrow=20SSH=20command=20in?= =?UTF-8?q?=20test=20helpers=20to=20one=20key?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, `ssh` invocations would pick up `$SSH_AUTH_SOCK` and might hang if the agent (like Bitwarden) is awaiting for user input. This patch improves the sshd probe helper responsiveness by disallowing the use of SSH agent, passwords, setting no config and setting a one-second timeout. The command is now narrowly scoped to only use the identity file passed via commandline explicitly.
---
 tests/_service_utils.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/tests/_service_utils.py b/tests/_service_utils.py
index f18d0f1e3..63e54e984 100644
--- a/tests/_service_utils.py
+++ b/tests/_service_utils.py
@@ -44,11 +44,17 @@ def wait_for_svc_ready_state(
 """
 cmd = [
 '/usr/bin/ssh',
- f'-l{getpass.getuser()!s}',
- f'-i{clientkey_path!s}',
- f'-p{port!s}',
- '-oUserKnownHostsFile=/dev/null',
+ '-F/dev/null', # or -Fnone
+ '-oConnectTimeout=1',
+ '-oIdentitiesOnly=yes',
+ '-oIdentityAgent=/dev/null',
+ f'-oIdentityFile={clientkey_path!s}',
+ '-oPasswordAuthentication=no',
+ f'-oPort={port!s}',
+ '-oPreferredAuthentications=publickey',
 '-oStrictHostKeyChecking=no',
+ f'-oUser={getpass.getuser()!s}',
+ '-oUserKnownHostsFile=/dev/null',
 host,
 '--',
 'exit 0',
From 59756e41d93796d2d95a296d8151035874e986d7 Mon Sep 17 00:00:00 2001
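Review bot: The new option list still lets `ssh` prompt on the terminal, because nothing in it sets `BatchMode`: a passphrase-protected `clientkey_path` would ask for its passphrase, which is the same kind of hang this commit sets out to remove. Adding `'-oBatchMode=yes',` next to `'-oConnectTimeout=1',` turns any such prompt into an immediate failure. Separately, `'-oIdentityAgent=/dev/null',` appears to work only because connecting to a non-socket fails; ssh_config documents `none` as the value that disables the agent, so `'-oIdentityAgent=none',` states the intent directly. `ConnectTimeout` does not cover the authentication phase, so whether the probe as a whole is bounded depends on how `cmd` is run, and the rest of `wait_for_svc_ready_state` lies outside this hunk.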
From: Sviatoslav Sydorenko
Date: Tue, 21 Oct 2025 18:25:14 +0200
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=93=9D=20Add=20a=20change=20note=20fo?= =?UTF-8?q?r=20PR=20#782?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 docs/changelog-fragments/782.contrib.rst | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 docs/changelog-fragments/782.contrib.rst

diff --git a/docs/changelog-fragments/782.contrib.rst b/docs/changelog-fragments/782.contrib.rst
new file mode 100644
index 000000000..0b4a9702b
--- /dev/null
+++ b/docs/changelog-fragments/782.contrib.rst
@@ -0,0 +1,4 @@
+The SSHD start probe client command is now shielded from external
+environmnent and will no longer attempt using an SSH agent on the
+machine where the tests are involved, nor will it use alternative
+authentication methods -- by :user:`webknjaz`.