[stable-2.16] user action, fix ssh-keygen issues (#84169)
* user module avoid conflicts ssh pub key (#84165)
Remove pub key if we are going to generate private
fix tests for os X
(cherry picked from commit 11e4a6a722)
* old python, no f''
* Restore test import missing from backport
---------
Co-authored-by: Matt Clay <matt@mystile.com>
parent
6bb6b9548f
commit
9d7312f695
@ -0,0 +1,4 @@
|
|||||||
|
bugfixes:
|
||||||
|
- user action will now require O(force) to overwrite the public part of an ssh key when generating ssh keys, as was already the case for the private part.
|
||||||
|
security_fixes:
|
||||||
|
- user action won't allow ssh-keygen, chown and chmod to run on existing ssh public key file, avoiding traversal on existing symlinks (CVE-2024-9902).
|
@ -0,0 +1,100 @@
|
|||||||
|
- name: user generating ssh keys tests
|
||||||
|
become: true
|
||||||
|
vars:
|
||||||
|
home: "{{ (ansible_facts['os_family'] == 'Darwin')|ternary('/Users/ansibulluser/', '/home/ansibulluser/')}}"
|
||||||
|
ssh_key_file: .ssh/ansible_test_rsa
|
||||||
|
pub_file: '{{ssh_key_file}}.pub'
|
||||||
|
key_files:
|
||||||
|
- '{{ssh_key_file}}'
|
||||||
|
- '{{pub_file}}'
|
||||||
|
block:
|
||||||
|
- name: Ensure clean/non existsing ansibulluser
|
||||||
|
user: name=ansibulluser state=absent
|
||||||
|
|
||||||
|
- name: Test creating ssh key creation
|
||||||
|
block:
|
||||||
|
- name: Create user with ssh key
|
||||||
|
user:
|
||||||
|
name: ansibulluser
|
||||||
|
state: present
|
||||||
|
generate_ssh_key: yes
|
||||||
|
ssh_key_file: '{{ ssh_key_file}}'
|
||||||
|
|
||||||
|
- name: check files exist
|
||||||
|
stat:
|
||||||
|
path: '{{home ~ item}}'
|
||||||
|
register: stat_keys
|
||||||
|
loop: '{{ key_files }}'
|
||||||
|
|
||||||
|
- name: ensure they exist
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- stat_keys.results[item].stat.exists
|
||||||
|
loop: [0, 1]
|
||||||
|
|
||||||
|
always:
|
||||||
|
- name: Clean ssh keys
|
||||||
|
file: path={{ home ~ item }} state=absent
|
||||||
|
loop: '{{ key_files }}'
|
||||||
|
|
||||||
|
- name: Ensure clean/non existsing ansibulluser
|
||||||
|
user: name=ansibulluser state=absent
|
||||||
|
|
||||||
|
- name: Ensure we don't break on conflicts
|
||||||
|
block:
|
||||||
|
- name: flag file for test
|
||||||
|
tempfile:
|
||||||
|
register: flagfile
|
||||||
|
|
||||||
|
- name: precreate public .ssh
|
||||||
|
file: path={{home ~ '.ssh'}} state=directory
|
||||||
|
|
||||||
|
- name: setup public key linked to flag file
|
||||||
|
file: path={{home ~ pub_file}} src={{flagfile.path}} state=link
|
||||||
|
|
||||||
|
- name: Create user with ssh key
|
||||||
|
user:
|
||||||
|
name: ansibulluser
|
||||||
|
state: present
|
||||||
|
generate_ssh_key: yes
|
||||||
|
ssh_key_file: '{{ ssh_key_file }}'
|
||||||
|
ignore_errors: true
|
||||||
|
register: user_no_force
|
||||||
|
|
||||||
|
- stat: path={{home ~ pub_file}}
|
||||||
|
register: check_pub
|
||||||
|
|
||||||
|
- name: ensure we didn't overwrite
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- check_pub.stat.exists
|
||||||
|
- check_pub.stat.islnk
|
||||||
|
- check_pub.stat.uid == 0
|
||||||
|
|
||||||
|
- name: Create user with ssh key
|
||||||
|
user:
|
||||||
|
name: ansibulluser
|
||||||
|
state: present
|
||||||
|
generate_ssh_key: yes
|
||||||
|
ssh_key_file: '{{ ssh_key_file }}'
|
||||||
|
force: true
|
||||||
|
ignore_errors: true
|
||||||
|
register: user_force
|
||||||
|
|
||||||
|
- stat: path={{home ~ pub_file}}
|
||||||
|
register: check_pub2
|
||||||
|
|
||||||
|
- name: ensure we failed since we didn't force overwrite
|
||||||
|
assert:
|
||||||
|
that:
|
||||||
|
- user_force is success
|
||||||
|
- check_pub2.stat.exists
|
||||||
|
- not check_pub2.stat.islnk
|
||||||
|
- check_pub2.stat.uid != 0
|
||||||
|
always:
|
||||||
|
- name: Clean up files
|
||||||
|
file: path={{ home ~ item }} state=absent
|
||||||
|
loop: '{{ key_files + [flagfile.path] }}'
|
||||||
|
|
||||||
|
- name: Ensure clean/non existsing ansibulluser
|
||||||
|
user: name=ansibulluser state=absent
|
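Review bot: The "Ensure we don't break on conflicts" block never inspects the symlink's target, so it would not catch the failure mode the CVE-2024-9902 fragment describes: if ssh-keygen, chown or chmod were still to follow `{{home ~ pub_file}}` and write into the root-owned flag file, the link itself would presumably stay in place, and `stat` on the link path (default `follow: false`) would still report `islnk` and `uid == 0`, so the current "ensure we didn't overwrite" assertions pass either way. After each `user` run, stat `{{ flagfile.path }}` and assert the target is untouched — `tempfile` creates an empty file, so `flag_after.stat.exists` and `flag_after.stat.size == 0` pin both "not written through" and, for the force run, "removing the link did not remove its target". The task named "ensure we failed since we didn't force overwrite" contradicts its own assertions, which check `user_force is success` and that the key was regenerated; rename it to `ensure force replaced the symlinked public key`. As a style point, `generate_ssh_key: yes` should be `true`, and the `key=value` shorthand used for `user`, `file` and `stat` should be block YAML like the rest of the tasks.
```yaml
# … unchanged: "Create user with ssh key" without force, registered as user_no_force …

- name: stat symlink target after no-force run
  stat:
    path: '{{ flagfile.path }}'
  register: flag_after

- name: ensure we didn't overwrite
  assert:
    that:
      - check_pub.stat.exists
      - check_pub.stat.islnk
      - check_pub.stat.uid == 0
      - flag_after.stat.exists
      - flag_after.stat.size == 0
# … unchanged: forced "Create user with ssh key"; repeat the same stat/assert on flagfile.path after it …
```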