archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

[2.9] openssh_keypair: make sure public key has same permissions as private key (#62037)

Browse Source 
* openssh_keypair: make sure public key has same permissions as private key (#61658)

* Make sure public key has same permissions as private key.

* Add changelog.

* Text, not binary.

(cherry picked from commit c19cea9b03)

* openssh_keypair file permissions/ownership: add porting guide entry (#62176)

* Add porting guide entry for 2.9.

(cherry picked from commit 0e72cbd451)
pull/62378/head
Felix Fontein 5 years ago committed by Toshio Kuratomi
parent 8df2541983
commit 5aa859d0d7
3 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File

2
changelogs/fragments/61658-openssh_keypair-public-key-permissions.yml
Unescape Escape View File

@ -0,0 +1,2 @@
bugfixes:
- "openssh_keypair - public key's file attributes (permissions, owner, group, etc.) are now set to the same values as the private key."

1
docs/docsite/rst/porting_guides/porting_guide_2.9.rst
Unescape Escape View File

@ -673,6 +673,7 @@ Noteworthy module changes
* The deprecated ``force`` option in ``win_firewall_rule`` has been removed. * The deprecated ``force`` option in ``win_firewall_rule`` has been removed.
* :ref:`openssl_certificate <openssl_certificate_module>`'s ``ownca`` provider creates authority key identifiers if not explicitly disabled with ``ownca_create_authority_key_identifier: no``. This is only the case for the ``cryptography`` backend, which is selected by default if the ``cryptography`` library is available. * :ref:`openssl_certificate <openssl_certificate_module>`'s ``ownca`` provider creates authority key identifiers if not explicitly disabled with ``ownca_create_authority_key_identifier: no``. This is only the case for the ``cryptography`` backend, which is selected by default if the ``cryptography`` library is available.
* :ref:`openssl_certificate <openssl_certificate_module>`'s ``ownca`` and ``selfsigned`` providers create subject key identifiers if not explicitly disabled with ``ownca_create_subject_key_identifier: never_create`` resp. ``selfsigned_create_subject_key_identifier: never_create``. If a subject key identifier is provided by the CSR, it is taken; if not, it is created from the public key. This is only the case for the ``cryptography`` backend, which is selected by default if the ``cryptography`` library is available. * :ref:`openssl_certificate <openssl_certificate_module>`'s ``ownca`` and ``selfsigned`` providers create subject key identifiers if not explicitly disabled with ``ownca_create_subject_key_identifier: never_create`` resp. ``selfsigned_create_subject_key_identifier: never_create``. If a subject key identifier is provided by the CSR, it is taken; if not, it is created from the public key. This is only the case for the ``cryptography`` backend, which is selected by default if the ``cryptography`` library is available.
* :ref:`openssh_keypair <openssh_keypair_module>` now applies the same file permissions and ownership to both public and private keys (both get the same ``mode``, ``owner``, ``group``, etc.). If you need to change permissions / ownership on one key, use the :ref:`file <file_module>` to modify it after it is created.
Plugins Plugins

15
lib/ansible/modules/crypto/openssh_keypair.py
Unescape Escape View File

@ -202,7 +202,7 @@ class Keypair(object):
self.remove() self.remove()
module.fail_json(msg="%s" % to_native(e)) module.fail_json(msg="%s" % to_native(e))
elif not self.isPublicKeyValid(module): elif not self.isPublicKeyValid(module, perms_required=False):
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path]) pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
pubkey = pubkey[1].strip('\n') pubkey = pubkey[1].strip('\n')
try: try:
@ -230,6 +230,9 @@ class Keypair(object):
file_args = module.load_file_common_arguments(module.params) file_args = module.load_file_common_arguments(module.params)
if module.set_fs_attributes_if_different(file_args, False): if module.set_fs_attributes_if_different(file_args, False):
self.changed = True self.changed = True
file_args['path'] = file_args['path'] + '.pub'
if module.set_fs_attributes_if_different(file_args, False):
self.changed = True
def isPrivateKeyValid(self, module, perms_required=True): def isPrivateKeyValid(self, module, perms_required=True):
@ -268,7 +271,7 @@ class Keypair(object):
return _check_state() and _check_perms(module) and _check_type() and _check_size() return _check_state() and _check_perms(module) and _check_type() and _check_size()
def isPublicKeyValid(self, module): def isPublicKeyValid(self, module, perms_required=True):
def _get_pubkey_content(): def _get_pubkey_content():
if os.path.exists(self.path + ".pub"): if os.path.exists(self.path + ".pub"):
@ -296,6 +299,11 @@ class Keypair(object):
return pubkey_parts[2] == self.comment return pubkey_parts[2] == self.comment
return False return False
def _check_perms(module):
file_args = module.load_file_common_arguments(module.params)
file_args['path'] = file_args['path'] + '.pub'
return not module.set_fs_attributes_if_different(file_args, False)
pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path]) pubkey = module.run_command([module.get_bin_path('ssh-keygen', True), '-yf', self.path])
pubkey = pubkey[1].strip('\n') pubkey = pubkey[1].strip('\n')
pubkey_parts = _parse_pubkey() pubkey_parts = _parse_pubkey()
@ -305,8 +313,11 @@ class Keypair(object):
if not self.comment: if not self.comment:
return _pubkey_valid(pubkey) return _pubkey_valid(pubkey)
if not perms_required:
return _pubkey_valid(pubkey) and _comment_valid() return _pubkey_valid(pubkey) and _comment_valid()
return _pubkey_valid(pubkey) and _comment_valid() and _check_perms(module)
def dump(self): def dump(self):
# return result as a dict # return result as a dict

Write Preview
Loading…
Cancel
Save