From cc334a078b5d47151d9d472b5f1494110228ceec Mon Sep 17 00:00:00 2001
From: David Wittman
Date: Mon, 28 Nov 2016 14:55:01 -0600
Subject: [PATCH] Set IdentitiesOnly=yes when using key_file (#5682)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sets the SSH option `IdentitiesOnly=yes` in the SSH wrapper when a `key_file` is provided to the git module. This option ensures that the provided key is used. Otherwise, the system's ssh-agent could provide undesired identities when connecting.
From ssh_config(5):
> Specifies that ssh(1) should only use the authentication identity and
> certificate files explicitly configured in the ssh_config files or
> passed on the ssh(1) command-line, even if ssh-agent(1) or a
> PKCS11Provider offers more identities. The argument to this keyword
> must be “yes” or “no”. This option is intended for situations where
> ssh-agent offers many different identities. The default is “no”.
---
 lib/ansible/modules/source_control/git.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ansible/modules/source_control/git.py b/lib/ansible/modules/source_control/git.py
index 7b076576896..5a4f66a6abf 100644
--- a/lib/ansible/modules/source_control/git.py
+++ b/lib/ansible/modules/source_control/git.py
@@ -320,7 +320,7 @@ fi
 if [ -z "$GIT_KEY" ]; then
 ssh $BASEOPTS "$@"
 else
- ssh -i "$GIT_KEY" $BASEOPTS "$@"
+ ssh -i "$GIT_KEY" -o IdentitiesOnly=yes $BASEOPTS "$@"
 fi
 """
 fh.write(template)
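Review bot: The added `-o IdentitiesOnly=yes` on the `ssh -i "$GIT_KEY"` line narrows which keys are offered but does not pin the connection to `key_file` alone. Per the ssh_config(5) text quoted in the description, identities configured in ssh_config files (for example an `IdentityFile` entry matching the host) remain eligible. The option is also placed before `$BASEOPTS`, and ssh keeps the first value it obtains for an option, so an `IdentitiesOnly` setting passed through `GIT_SSH_OPTS` would presumably be ignored whenever a key is set. Both limits are worth recording in the wrapper template, e.g. `# IdentitiesOnly=yes: ignore extra ssh-agent identities; IdentityFile entries in ssh_config still apply, and this value wins over GIT_SSH_OPTS`. The function that builds and writes this template starts and ends outside the hunk.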