openssh_keypair - Add logic to handle password protected or broken key (#64436)

* The ssh key may be created manually prior the task execution with a
  passphrase. And the task will be executed on the same key.
* The ssh key may be broken and not usable.

The module will check the private key and if the key is password
protected or broken, it will be overridden.
The check of the ssh key performed by retrieve the public key from the
private key.

Set the "self.force" check before the "isPrivateKeyValid" check.
In case of any issue with the "isPrivateKeyValid" function, the user
will be able to force the regeneration of the key with the "force: yes"
argument.
This commit is contained in:
Maxim Babushkin 2019-12-02 09:12:38 +02:00 committed by Felix Fontein
parent a0b8b85fa5
commit da73bbd73c
4 changed files with 28 additions and 1 deletions

View file

@ -0,0 +1,2 @@
bugfixes:
- openssh_keypair - add logic to handle password protected or broken key

View file

@ -63,6 +63,8 @@ options:
- Provides a new comment to the public key. When checking if the key is in the correct state this will be ignored.
type: str
version_added: "2.9"
notes:
- In case the ssh key is broken or password protected, it will be regenerated.
extends_documentation_fragment: files
'''
@ -171,7 +173,7 @@ class Keypair(object):
def generate(self, module):
# generate a keypair
if not self.isPrivateKeyValid(module, perms_required=False) or self.force:
if self.force or not self.isPrivateKeyValid(module, perms_required=False):
args = [
module.get_bin_path('ssh-keygen', True),
'-q',
@ -240,7 +242,17 @@ class Keypair(object):
def _check_state():
return os.path.exists(self.path)
def _check_pass_protected_or_broken_key():
key_state = module.run_command([module.get_bin_path('ssh-keygen', True),
'-P', '', '-yf', self.path], check_rc=False)
if 'incorrect passphrase' in key_state[2] or 'load failed' in key_state[2]:
return True
return False
if _check_state():
if _check_pass_protected_or_broken_key():
return False
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
if not proc[0] == 0:
if os.path.isdir(self.path):

View file

@ -84,4 +84,12 @@
comment: 'test_modified@privatekey7'
register: privatekey7_modified_result
- name: Generate password protected key
command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N password'
- name: Try to modify the password protected key - should be overridden
openssh_keypair:
path: '{{ output_dir }}/privatekey8'
register: privatekey8_result
- import_tasks: ../tests/validate.yml

View file

@ -112,3 +112,8 @@
assert:
that:
- privatekey7_modified_result.comment == 'test_modified@privatekey7'
- name: Check that password protected key has been regenerated
assert:
that:
- privatekey8_result is changed