From 5b783e0bc60cc75115d4c90e5b4c1c623c4a4611 Mon Sep 17 00:00:00 2001 From: Marc Abramowitz Date: Wed, 2 Jul 2014 13:21:01 -0700 Subject: [PATCH] Error if private_key_file is group/world readable Currently, if you have this, ansible fails with a generic error and suggests running again with `-vvvv`. This isn't bad but pinpointing the specific problem immediately is even more user-friendly. ``` $ ls -l devops.pem -rw-r--r--+ 1 marca staff 1679 Jul 2 11:25 devops.pem $ ansible -m ping --private-key=devops.pem mt3-pyweb01 mt3-pyweb01 | FAILED => private_key_file (devops.pem) is group-readable or world-readable and thus insecure - you will probably get an SSH failure ``` --- lib/ansible/runner/connection.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/lib/ansible/runner/connection.py b/lib/ansible/runner/connection.py index 36a0ae0a62e..429b3f190de 100644 --- a/lib/ansible/runner/connection.py +++ b/lib/ansible/runner/connection.py @@ -18,6 +18,9 @@ ################################################ +import os +import stat + from ansible import utils from ansible.errors import AnsibleError @@ -31,5 +34,12 @@ class Connector(object): conn = utils.plugins.connection_loader.get(transport, self.runner, host, port, user=user, password=password, private_key_file=private_key_file) if conn is None: raise AnsibleError("unsupported connection type: %s" % transport) + if private_key_file: + # If private key is readable by user other than owner, flag an error + st = os.stat(private_key_file) + if st.st_mode & (stat.S_IRGRP | stat.S_IROTH): + raise AnsibleError("private_key_file (%s) is group-readable or world-readable and thus insecure - " + "you will probably get an SSH failure" + % (private_key_file,)) self.active = conn.connect() return self.active
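Review bot: `os.stat(private_key_file)` in the new block raises an uncaught OSError when the path does not exist (or, presumably, still contains an unexpanded `~` if expansion happens inside the connection plugin — not visible here), so a mistyped `--private-key` now ends in a traceback instead of the AnsibleError the rest of this method raises; wrap the stat in `try/except OSError` and re-raise as AnsibleError. The mask `stat.S_IRGRP | stat.S_IROTH` also only covers the read bits, whereas OpenSSH refuses a key with any group/other permission bit set (mode & 077), so a group-writable but not group-readable key passes this check and still fails at connect time; `stat.S_IRWXG | stat.S_IRWXO` mirrors ssh's own test. Because the check sits before `conn.connect()` for every `transport`, it also applies to non-ssh transports that may receive `private_key_file`; a short comment stating that this is intentional would help. The enclosing method's signature is above the hunk.
```python
        if private_key_file:
            # OpenSSH rejects a key with any group/other bit set (mode & 077),
            # so use the same mask rather than only the read bits.
            try:
                st = os.stat(private_key_file)
            except OSError as e:
                raise AnsibleError("private_key_file (%s) could not be read: %s" % (private_key_file, e))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                raise AnsibleError("private_key_file (%s) is group- or world-accessible and thus insecure - "
                                   "you will probably get an SSH failure"
                                   % (private_key_file,))
        # … unchanged: conn.connect() and return …
```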