issue #345: disable IdentitiesOnly by default.

pull/350/head
David Wilson 6 years ago
parent e84de489eb
commit bce4f59138

@ -102,6 +102,7 @@ def _connect_ssh(spec):
'port': spec['port'],
'python_path': spec['python_path'],
'identity_file': spec['private_key_file'],
'identities_only': False,
'ssh_path': spec['ssh_executable'],
'connect_timeout': spec['ansible_ssh_timeout'],
'ssh_args': spec['ssh_args'],
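Review bot: The hard-coded `'identities_only': False` means a play that sets `private_key_file` or a password no longer restricts ssh to that credential, and nothing at this line says so. With `IdentitiesOnly` off, the client can also offer agent-loaded and default `~/.ssh` identities, so the key that authenticates may not be the configured one, and a heavily loaded agent may use up the server's allowed authentication attempts before the intended key is tried. I would add a comment on the line such as `# issue #345: match Ansible and do not force IdentitiesOnly; agent and default keys may be offered alongside private_key_file`. Presumably the old behaviour can still be requested with `-o IdentitiesOnly=yes` via the `ssh_args` passed two lines below, which is worth confirming and documenting. The body of `_connect_ssh` starts and ends outside the hunk.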

@ -706,7 +706,7 @@ Router Class
:py:class:`mitogen.core.StreamError` to be raised, and that
attributes of the stream match the actual behaviour of ``sudo``.
.. method:: ssh (hostname, username=None, ssh_path=None, port=None, check_host_keys='enforce', password=None, identity_file=None, compression=True, \**kwargs)
.. method:: ssh (hostname, username=None, ssh_path=None, port=None, check_host_keys='enforce', password=None, identity_file=None, identities_only=True, compression=True, \**kwargs)
Construct a remote context over a ``ssh`` invocation. The ``ssh``
process is started in a newly allocated pseudo-terminal, and supports
@ -744,6 +744,13 @@ Router Class
the SSH client to perform authenticaion; agent authentication is
automatically disabled, as is reading the default private key from
``~/.ssh/id_rsa``, or ``~/.ssh/id_dsa``.
:param bool identities_only:
If :data:`True` and a password or explicit identity file is
specified, instruct the SSH client to disable any authentication
identities inherited from the surrounding environment, such as
those loaded in any running ``ssh-agent``, or default key files
present in ``~/.ssh``. This ensures authentication attempts only
occur using the supplied password or SSH key.
:param bool compression:
If :py:data:`True`, enable ``ssh`` compression support. Compression
has a minimal effect on the size of modules transmitted, as they

@ -74,6 +74,10 @@ Mitogen for Ansible
* `#344 <https://github.com/dw/mitogen/issues/344>`_: connections no longer
fail when the parent machine's logged in username contains slashes.
* `#345 <https://github.com/dw/mitogen/issues/345>`_: the ``IdentitiesOnly
yes`` option is no longer supplied to OpenSSH by default, more closely
mimicking Ansible's default behaviour.
* Runs with many targets executed the module dependency scanner redundantly
due to missing synchronization, causing significant wasted computation in the
connection multiplexer subprocess. For one real-world playbook the scanner
@ -101,6 +105,9 @@ Core Library
* `#339 <https://github.com/dw/mitogen/issues/339>`_: the LXD connection method
was erroneously executing LXC Classic commands.
* `#345 <https://github.com/dw/mitogen/issues/345>`_: the SSH connection method
allows optionally disabling ``IdentitiesOnly yes``.
* Add a :func:`mitogen.fork.on_fork` function to allow non-Mitogen managed
process forks to clean up Mitogen resources in the forked chlid.

@ -142,7 +142,7 @@ class Stream(mitogen.parent.Stream):
check_host_keys='enforce', password=None, identity_file=None,
compression=True, ssh_args=None, keepalive_enabled=True,
keepalive_count=3, keepalive_interval=15,
ssh_debug_level=None, **kwargs):
identities_only=True, ssh_debug_level=None, **kwargs):
super(Stream, self).construct(**kwargs)
if check_host_keys not in ('accept', 'enforce', 'ignore'):
raise ValueError(self.check_host_keys_msg)
@ -153,6 +153,7 @@ class Stream(mitogen.parent.Stream):
self.check_host_keys = check_host_keys
self.password = password
self.identity_file = identity_file
self.identities_only = identities_only
self.compression = compression
self.keepalive_enabled = keepalive_enabled
self.keepalive_count = keepalive_count
@ -181,7 +182,7 @@ class Stream(mitogen.parent.Stream):
bits += ['-l', self.username]
if self.port is not None:
bits += ['-p', str(self.port)]
if self.identity_file or self.password:
if self.identities_only and (self.identity_file or self.password):
bits += ['-o', 'IdentitiesOnly yes']
if self.identity_file:
bits += ['-i', self.identity_file]
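Review bot: In the first hunk of this section, `identities_only=True` is inserted ahead of `ssh_debug_level` in the signature (apparently `construct`, judging by the `super(Stream, self).construct(**kwargs)` call). Any caller passing `ssh_debug_level` positionally would now bind that value to `identities_only` and silently change which identities ssh offers. Appending the new parameter keeps the existing positional order: `ssh_debug_level=None, identities_only=True, **kwargs):`. Callers most likely pass these by keyword, in which case this only keeps the order stable for future additions. The signature begins before the first hunk and the command-building code continues past the last one.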
