openssh_keypair - Add logic to handle password protected or broken key (#64436)

* The ssh key may be created manually prior the task execution with a
  passphrase. And the task will be executed on the same key.
* The ssh key may be broken and not usable.

The module will check the private key and if the key is password
protected or broken, it will be overridden.
The check of the ssh key performed by retrieve the public key from the
private key.

Set the "self.force" check before the "isPrivateKeyValid" check.
In case of any issue with the "isPrivateKeyValid" function, the user
will be able to force the regeneration of the key with the "force: yes"
argument.
pull/65421/head
Maxim Babushkin 5 years ago committed by Felix Fontein
parent a0b8b85fa5
commit da73bbd73c

@ -0,0 +1,2 @@
bugfixes:
- openssh_keypair - add logic to handle password protected or broken key

@ -63,6 +63,8 @@ options:
- Provides a new comment to the public key. When checking if the key is in the correct state this will be ignored. - Provides a new comment to the public key. When checking if the key is in the correct state this will be ignored.
type: str type: str
version_added: "2.9" version_added: "2.9"
notes:
- In case the ssh key is broken or password protected, it will be regenerated.
extends_documentation_fragment: files extends_documentation_fragment: files
''' '''
@ -171,7 +173,7 @@ class Keypair(object):
def generate(self, module): def generate(self, module):
# generate a keypair # generate a keypair
if not self.isPrivateKeyValid(module, perms_required=False) or self.force: if self.force or not self.isPrivateKeyValid(module, perms_required=False):
args = [ args = [
module.get_bin_path('ssh-keygen', True), module.get_bin_path('ssh-keygen', True),
'-q', '-q',
@ -240,7 +242,17 @@ class Keypair(object):
def _check_state(): def _check_state():
return os.path.exists(self.path) return os.path.exists(self.path)
def _check_pass_protected_or_broken_key():
key_state = module.run_command([module.get_bin_path('ssh-keygen', True),
'-P', '', '-yf', self.path], check_rc=False)
if 'incorrect passphrase' in key_state[2] or 'load failed' in key_state[2]:
return True
return False
if _check_state(): if _check_state():
if _check_pass_protected_or_broken_key():
return False
proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False) proc = module.run_command([module.get_bin_path('ssh-keygen', True), '-lf', self.path], check_rc=False)
if not proc[0] == 0: if not proc[0] == 0:
if os.path.isdir(self.path): if os.path.isdir(self.path):

@ -84,4 +84,12 @@
comment: 'test_modified@privatekey7' comment: 'test_modified@privatekey7'
register: privatekey7_modified_result register: privatekey7_modified_result
- name: Generate password protected key
command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N password'
- name: Try to modify the password protected key - should be overridden
openssh_keypair:
path: '{{ output_dir }}/privatekey8'
register: privatekey8_result
- import_tasks: ../tests/validate.yml - import_tasks: ../tests/validate.yml

@ -112,3 +112,8 @@
assert: assert:
that: that:
- privatekey7_modified_result.comment == 'test_modified@privatekey7' - privatekey7_modified_result.comment == 'test_modified@privatekey7'
- name: Check that password protected key has been regenerated
assert:
that:
- privatekey8_result is changed

Loading…
Cancel
Save