Set IdentitiesOnly=yes when using key_file (#5682)

Sets the SSH option `IdentitiesOnly=yes` in the SSH wrapper when a `key_file` is provided to the git module. This option ensures that the provided key is used. Otherwise, the system's ssh-agent could provide undesired identities when connecting. From ssh_config(5): > Specifies that ssh(1) should only use the authentication identity and > certificate files explicitly configured in the ssh_config files or > passed on the ssh(1) command-line, even if ssh-agent(1) or a > PKCS11Provider offers more identities. The argument to this keyword > must be “yes” or “no”. This option is intended for situations where > ssh-agent offers many different identities. The default is “no”.
2016-11-28 14:55:01 -06:00 · 2016-11-28 14:55:01 -06:00 · cc334a078b
commit cc334a078b
parent 86d53db3e4
1 changed files with 1 additions and 1 deletions
--- a/lib/ansible/modules/source_control/git.py
+++ b/lib/ansible/modules/source_control/git.py
@ -320,7 +320,7 @@ fi
 if [ -z "$GIT_KEY" ]; then
    ssh $BASEOPTS "$@"
 else
-    ssh -i "$GIT_KEY" $BASEOPTS "$@"
+    ssh -i "$GIT_KEY" -o IdentitiesOnly=yes $BASEOPTS "$@"
 fi
 """
    fh.write(template)