Do fail instead of regenerate for password protected and invalid keys. (#65638)
This commit is contained in:
parent
d6fb9da8ed
commit
8f10db8552
4 changed files with 43 additions and 9 deletions
|
@ -1,2 +1,4 @@
|
||||||
bugfixes:
|
bugfixes:
|
||||||
- openssh_keypair - add logic to handle password protected or broken key
|
- openssh_keypair - add logic to avoid breaking password protected keys.
|
||||||
|
minor_changes:
|
||||||
|
- openssh_keypair - instead of regenerating some broken or password protected keys, fail the module. Keys can still be regenerated by calling the module with ``force=yes``.
|
||||||
|
|
|
@ -64,7 +64,7 @@ options:
|
||||||
type: str
|
type: str
|
||||||
version_added: "2.9"
|
version_added: "2.9"
|
||||||
notes:
|
notes:
|
||||||
- In case the ssh key is broken or password protected, it will be regenerated.
|
- In case the ssh key is broken or password protected, the module will fail. Set the I(force) option to C(yes) if you want to regenerate the keypair.
|
||||||
|
|
||||||
extends_documentation_fragment: files
|
extends_documentation_fragment: files
|
||||||
'''
|
'''
|
||||||
|
@ -245,13 +245,16 @@ class Keypair(object):
|
||||||
def _check_pass_protected_or_broken_key():
|
def _check_pass_protected_or_broken_key():
|
||||||
key_state = module.run_command([module.get_bin_path('ssh-keygen', True),
|
key_state = module.run_command([module.get_bin_path('ssh-keygen', True),
|
||||||
'-P', '', '-yf', self.path], check_rc=False)
|
'-P', '', '-yf', self.path], check_rc=False)
|
||||||
|
if key_state[0] == 255 or 'is not a public key file' in key_state[2]:
|
||||||
|
return True
|
||||||
if 'incorrect passphrase' in key_state[2] or 'load failed' in key_state[2]:
|
if 'incorrect passphrase' in key_state[2] or 'load failed' in key_state[2]:
|
||||||
return True
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
if _check_state():
|
if _check_state():
|
||||||
if _check_pass_protected_or_broken_key():
|
if _check_pass_protected_or_broken_key():
|
||||||
return False
|
module.fail_json(msg='Unable to read the key. The key is protected with a passphrase or broken.'
|
||||||
|
' Will not proceed. To force regeneration, call the module with `force=yes`.')
|
||||||
|
|
||||||
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
|
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
|
||||||
if not proc[0] == 0:
|
if not proc[0] == 0:
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
- name: Generate privatekey1 - standard
|
- name: Generate privatekey1 - standard
|
||||||
openssh_keypair:
|
openssh_keypair:
|
||||||
path: '{{ output_dir }}/privatekey1'
|
path: '{{ output_dir }}/privatekey1'
|
||||||
|
@ -53,11 +54,19 @@
|
||||||
- '{{ output_dir }}/privatekeybroken'
|
- '{{ output_dir }}/privatekeybroken'
|
||||||
- '{{ output_dir }}/privatekeybroken.pub'
|
- '{{ output_dir }}/privatekeybroken.pub'
|
||||||
|
|
||||||
- name: Regenerate broken key
|
- name: Regenerate broken key - should fail
|
||||||
openssh_keypair:
|
openssh_keypair:
|
||||||
path: '{{ output_dir }}/privatekeybroken'
|
path: '{{ output_dir }}/privatekeybroken'
|
||||||
type: rsa
|
type: rsa
|
||||||
register: output_broken
|
register: output_broken
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Regenerate broken key with force
|
||||||
|
openssh_keypair:
|
||||||
|
path: '{{ output_dir }}/privatekeybroken'
|
||||||
|
type: rsa
|
||||||
|
force: yes
|
||||||
|
register: output_broken_force
|
||||||
|
|
||||||
- name: Generate read-only private key
|
- name: Generate read-only private key
|
||||||
openssh_keypair:
|
openssh_keypair:
|
||||||
|
@ -87,9 +96,16 @@
|
||||||
- name: Generate password protected key
|
- name: Generate password protected key
|
||||||
command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N password'
|
command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N password'
|
||||||
|
|
||||||
- name: Try to modify the password protected key - should be overridden
|
- name: Try to modify the password protected key - should fail
|
||||||
openssh_keypair:
|
openssh_keypair:
|
||||||
path: '{{ output_dir }}/privatekey8'
|
path: '{{ output_dir }}/privatekey8'
|
||||||
register: privatekey8_result
|
register: privatekey8_result
|
||||||
|
ignore_errors: yes
|
||||||
|
|
||||||
|
- name: Try to modify the password protected key with force=yes
|
||||||
|
openssh_keypair:
|
||||||
|
path: '{{ output_dir }}/privatekey8'
|
||||||
|
force: yes
|
||||||
|
register: privatekey8_result_force
|
||||||
|
|
||||||
- import_tasks: ../tests/validate.yml
|
- import_tasks: ../tests/validate.yml
|
||||||
|
|
|
@ -86,10 +86,17 @@
|
||||||
- output_regenerated_via_force is changed
|
- output_regenerated_via_force is changed
|
||||||
|
|
||||||
|
|
||||||
- name: Verify that broken key will be regenerated
|
- name: Verify that broken key will cause failure
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- output_broken is changed
|
- output_broken is failed
|
||||||
|
- "'Unable to read the key. The key is protected with a passphrase or broken.' in output_broken.msg"
|
||||||
|
|
||||||
|
|
||||||
|
- name: Verify that broken key will be regenerated if force=yes is specified
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- output_broken_force is changed
|
||||||
|
|
||||||
|
|
||||||
- name: Verify that read-only key will be regenerated
|
- name: Verify that read-only key will be regenerated
|
||||||
|
@ -113,7 +120,13 @@
|
||||||
that:
|
that:
|
||||||
- privatekey7_modified_result.comment == 'test_modified@privatekey7'
|
- privatekey7_modified_result.comment == 'test_modified@privatekey7'
|
||||||
|
|
||||||
- name: Check that password protected key has been regenerated
|
- name: Check that password protected key made module fail
|
||||||
assert:
|
assert:
|
||||||
that:
|
that:
|
||||||
- privatekey8_result is changed
|
- privatekey8_result is failed
|
||||||
|
- "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey8_result.msg"
|
||||||
|
|
||||||
|
- name: Check that password protected key was regenerated with force=yes
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- privatekey8_result_force is changed
|
||||||
|
|
Loading…
Reference in a new issue