[stable-2.14] ansible-test - Support RSA SHA-1 for SSH clients.

(cherry picked from commit 75b60b17ee)

Co-authored-by: Matt Clay <matt@mystile.com>
pull/79600/head
Matt Clay 2 years ago
parent 66889d8a7f
commit 6ebb1324d4

@ -39,6 +39,11 @@ minor_changes:
adding the ``retry/never`` alias. This is useful for tests that cannot pass on a retry or are too adding the ``retry/never`` alias. This is useful for tests that cannot pass on a retry or are too
slow to make retries useful. slow to make retries useful.
- ansible-test - The ``ansible-test env`` command now detects and reports the container ID if running in a container. - ansible-test - The ``ansible-test env`` command now detects and reports the container ID if running in a container.
- ansible-test - SSH connections from OpenSSH 8.8+ to CentOS 6 containers now work without additional configuration.
However, clients older than OpenSSH 7.0 can no longer connect to CentOS 6 containers as a result.
The container must have ``centos6`` in the image name for this work-around to be applied.
- ansible-test - SSH shell connections from OpenSSH 8.8+ to ansible-test provisioned network instances now work without additional configuration.
However, clients older than OpenSSH 7.0 can no longer open shell sessions for ansible-test provisioned network instances as a result.
bugfixes: bugfixes:
- ansible-test - Multiple containers now work under Podman without specifying the ``--docker-network`` option. - ansible-test - Multiple containers now work under Podman without specifying the ``--docker-network`` option.
- ansible-test - Prevent concurrent / repeat pulls of the same container image. - ansible-test - Prevent concurrent / repeat pulls of the same container image.

@ -34,6 +34,7 @@ from .docker_util import (
from .ssh import ( from .ssh import (
SshConnectionDetail, SshConnectionDetail,
ssh_options_to_list,
) )
from .become import ( from .become import (
@ -123,7 +124,7 @@ class SshConnection(Connection):
self.options = ['-i', settings.identity_file] self.options = ['-i', settings.identity_file]
ssh_options = dict( ssh_options: dict[str, t.Union[int, str]] = dict(
BatchMode='yes', BatchMode='yes',
StrictHostKeyChecking='no', StrictHostKeyChecking='no',
UserKnownHostsFile='/dev/null', UserKnownHostsFile='/dev/null',
@ -131,8 +132,9 @@ class SshConnection(Connection):
ServerAliveCountMax=4, ServerAliveCountMax=4,
) )
for ssh_option in sorted(ssh_options): ssh_options.update(settings.options)
self.options.extend(['-o', f'{ssh_option}={ssh_options[ssh_option]}'])
self.options.extend(ssh_options_to_list(ssh_options))
def run(self, def run(self,
command: list[str], command: list[str],
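Review bot: `ssh_options.update(settings.options)` merges the per-connection options after the hard-coded defaults without saying which side is meant to win; a short comment would make the precedence explicit, e.g. `# settings.options is merged last, so per-connection options (such as the ssh-rsa enablement) override the defaults above`. The same dict-then-sorted-list shape is now also built in create_ssh_command in ssh.py, and while both now share ssh_options_to_list, the BatchMode/StrictHostKeyChecking/UserKnownHostsFile defaults are still spelled out in two places and could later live in one helper. SshConnection.__init__ starts before this hunk and the `run` signature continues past it.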

@ -998,6 +998,10 @@ class DockerProfile(ControllerHostProfile[DockerConfig], SshTargetHostProfile[Do
port=port, port=port,
identity_file=SshKey(self.args).key, identity_file=SshKey(self.args).key,
python_interpreter=self.python.path, python_interpreter=self.python.path,
# CentOS 6 uses OpenSSH 5.3, making it incompatible with the default configuration of OpenSSH 8.8 and later clients.
# Since only CentOS 6 is affected, and it is only supported by ansible-core 2.12, support for RSA SHA-1 is simply hard-coded here.
# A substring is used to allow custom containers to work, not just the one provided with ansible-test.
enable_rsa_sha1='centos6' in self.config.image,
) )
return [SshConnection(self.args, settings)] return [SshConnection(self.args, settings)]
@ -1089,6 +1093,12 @@ class NetworkRemoteProfile(RemoteProfile[NetworkRemoteConfig]):
ansible_port=connection.port, ansible_port=connection.port,
ansible_user=connection.username, ansible_user=connection.username,
ansible_ssh_private_key_file=core_ci.ssh_key.key, ansible_ssh_private_key_file=core_ci.ssh_key.key,
# VyOS 1.1.8 uses OpenSSH 5.5, making it incompatible with RSA SHA-256/512 used by Paramiko 2.9 and later.
# IOS CSR 1000V uses an ancient SSH server, making it incompatible with RSA SHA-256/512 used by Paramiko 2.9 and later.
# That means all network platforms currently offered by ansible-core-ci require support for RSA SHA-1, so it is simply hard-coded here.
# NOTE: This option only exists in ansible-core 2.14 and later. For older ansible-core versions, use of Paramiko 2.8.x or earlier is required.
# See: https://github.com/ansible/ansible/pull/78789
# See: https://github.com/ansible/ansible/pull/78842
ansible_paramiko_use_rsa_sha2_algorithms='no', ansible_paramiko_use_rsa_sha2_algorithms='no',
ansible_network_os=f'{self.config.collection}.{self.config.platform}' if self.config.collection else self.config.platform, ansible_network_os=f'{self.config.collection}.{self.config.platform}' if self.config.collection else self.config.platform,
) )
@ -1132,6 +1142,10 @@ class NetworkRemoteProfile(RemoteProfile[NetworkRemoteConfig]):
port=core_ci.connection.port, port=core_ci.connection.port,
user=core_ci.connection.username, user=core_ci.connection.username,
identity_file=core_ci.ssh_key.key, identity_file=core_ci.ssh_key.key,
# VyOS 1.1.8 uses OpenSSH 5.5, making it incompatible with the default configuration of OpenSSH 8.8 and later clients.
# IOS CSR 1000V uses an ancient SSH server, making it incompatible with the default configuration of OpenSSH 8.8 and later clients.
# That means all network platforms currently offered by ansible-core-ci require support for RSA SHA-1, so it is simply hard-coded here.
enable_rsa_sha1=True,
) )
return [SshConnection(self.args, settings)] return [SshConnection(self.args, settings)]

@ -25,6 +25,10 @@ from .host_profiles import (
WindowsRemoteProfile, WindowsRemoteProfile,
) )
from .ssh import (
ssh_options_to_str,
)
def create_controller_inventory(args: EnvironmentConfig, path: str, controller_host: ControllerHostProfile) -> None: def create_controller_inventory(args: EnvironmentConfig, path: str, controller_host: ControllerHostProfile) -> None:
"""Create and return inventory for use in controller-only integration tests.""" """Create and return inventory for use in controller-only integration tests."""
@ -149,6 +153,7 @@ def create_posix_inventory(args: EnvironmentConfig, path: str, target_hosts: lis
ansible_port=ssh.settings.port, ansible_port=ssh.settings.port,
ansible_user=ssh.settings.user, ansible_user=ssh.settings.user,
ansible_ssh_private_key_file=ssh.settings.identity_file, ansible_ssh_private_key_file=ssh.settings.identity_file,
ansible_ssh_extra_args=ssh_options_to_str(ssh.settings.options),
) )
if ssh.become: if ssh.become:

@ -2,6 +2,7 @@
from __future__ import annotations from __future__ import annotations
import dataclasses import dataclasses
import itertools
import json import json
import os import os
import random import random
@ -38,10 +39,40 @@ class SshConnectionDetail:
identity_file: str identity_file: str
python_interpreter: t.Optional[str] = None python_interpreter: t.Optional[str] = None
shell_type: t.Optional[str] = None shell_type: t.Optional[str] = None
enable_rsa_sha1: bool = False
def __post_init__(self): def __post_init__(self):
self.name = sanitize_host_name(self.name) self.name = sanitize_host_name(self.name)
@property
def options(self) -> dict[str, str]:
"""OpenSSH config options, which can be passed to the `ssh` CLI with the `-o` argument."""
options: dict[str, str] = {}
if self.enable_rsa_sha1:
# Newer OpenSSH clients connecting to older SSH servers must explicitly enable ssh-rsa support.
# OpenSSH 8.8, released on 2021-09-26, deprecated using RSA with the SHA-1 hash algorithm (ssh-rsa).
# OpenSSH 7.2, released on 2016-02-29, added support for using RSA with SHA-256/512 hash algorithms.
# See: https://www.openssh.com/txt/release-8.8
algorithms = '+ssh-rsa' # append the algorithm to the default list, requires OpenSSH 7.0 or later
options.update(dict(
# Host key signature algorithms that the client wants to use.
# Available options can be found with `ssh -Q HostKeyAlgorithms` or `ssh -Q key` on older clients.
# This option was updated in OpenSSH 7.0, released on 2015-08-11, to support the "+" prefix.
# See: https://www.openssh.com/txt/release-7.0
HostKeyAlgorithms=algorithms,
# Signature algorithms that will be used for public key authentication.
# Available options can be found with `ssh -Q PubkeyAcceptedAlgorithms` or `ssh -Q key` on older clients.
# This option was added in OpenSSH 7.0, released on 2015-08-11.
# See: https://www.openssh.com/txt/release-7.0
# This option is an alias for PubkeyAcceptedAlgorithms, which was added in OpenSSH 8.5.
# See: https://www.openssh.com/txt/release-8.5
PubkeyAcceptedKeyTypes=algorithms,
))
return options
class SshProcess: class SshProcess:
"""Wrapper around an SSH process.""" """Wrapper around an SSH process."""
@ -141,7 +172,7 @@ def create_ssh_command(
if ssh.user: if ssh.user:
cmd.extend(['-l', ssh.user]) # user to log in as on the remote machine cmd.extend(['-l', ssh.user]) # user to log in as on the remote machine
ssh_options = dict( ssh_options: dict[str, t.Union[int, str]] = dict(
BatchMode='yes', BatchMode='yes',
ExitOnForwardFailure='yes', ExitOnForwardFailure='yes',
LogLevel='ERROR', LogLevel='ERROR',
@ -153,9 +184,7 @@ def create_ssh_command(
ssh_options.update(options or {}) ssh_options.update(options or {})
for key, value in sorted(ssh_options.items()): cmd.extend(ssh_options_to_list(ssh_options))
cmd.extend(['-o', '='.join([key, str(value)])])
cmd.extend(cli_args or []) cmd.extend(cli_args or [])
cmd.append(ssh.host) cmd.append(ssh.host)
@ -165,6 +194,18 @@ def create_ssh_command(
return cmd return cmd
def ssh_options_to_list(options: t.Union[dict[str, t.Union[int, str]], dict[str, str]]) -> list[str]:
"""Format a dictionary of SSH options as a list suitable for passing to the `ssh` command."""
return list(itertools.chain.from_iterable(
('-o', f'{key}={value}') for key, value in sorted(options.items())
))
def ssh_options_to_str(options: t.Union[dict[str, t.Union[int, str]], dict[str, str]]) -> str:
"""Format a dictionary of SSH options as a string suitable for passing as `ansible_ssh_extra_args` in inventory."""
return shlex.join(ssh_options_to_list(options))
def run_ssh_command( def run_ssh_command(
args: EnvironmentConfig, args: EnvironmentConfig,
ssh: SshConnectionDetail, ssh: SshConnectionDetail,
@ -245,7 +286,7 @@ def generate_ssh_inventory(ssh_connections: list[SshConnectionDetail]) -> str:
ansible_pipelining='yes', ansible_pipelining='yes',
ansible_python_interpreter=ssh.python_interpreter, ansible_python_interpreter=ssh.python_interpreter,
ansible_shell_type=ssh.shell_type, ansible_shell_type=ssh.shell_type,
ansible_ssh_extra_args='-o UserKnownHostsFile=/dev/null', # avoid changing the test environment ansible_ssh_extra_args=ssh_options_to_str(dict(UserKnownHostsFile='/dev/null', **ssh.options)), # avoid changing the test environment
ansible_ssh_host_key_checking='no', ansible_ssh_host_key_checking='no',
))) for ssh in ssh_connections), ))) for ssh in ssh_connections),
), ),
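Review bot: `dict(UserKnownHostsFile='/dev/null', **ssh.options)` in generate_ssh_inventory raises TypeError if `ssh.options` ever contains a `UserKnownHostsFile` key, because dict() rejects a keyword argument given twice. Today the options property only emits HostKeyAlgorithms and PubkeyAcceptedKeyTypes, so there is no collision, but that property is the obvious place to add further options later; `{'UserKnownHostsFile': '/dev/null', **ssh.options}` merges the same way without the failure mode (reverse the order if the hard-coded value is meant to win). ssh_options_to_str relies on shlex, which this commit does not import in the visible import hunk (only itertools is added); presumably shlex is already imported further up, but worth confirming. generate_ssh_inventory starts and ends outside the hunk.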
