diff --git a/ansible_mitogen/connection.py b/ansible_mitogen/connection.py
index 9b6a36a7..30d23a4f 100644
--- a/ansible_mitogen/connection.py
+++ b/ansible_mitogen/connection.py
@@ -102,6 +102,7 @@ def _connect_ssh(spec):
 'port': spec['port'],
 'python_path': spec['python_path'],
 'identity_file': spec['private_key_file'],
+ 'identities_only': False,
 'ssh_path': spec['ssh_executable'],
 'connect_timeout': spec['ansible_ssh_timeout'],
 'ssh_args': spec['ssh_args'],
diff --git a/docs/api.rst b/docs/api.rst
index 9caf3e13..69e3c07b 100644
--- a/docs/api.rst
+++ b/docs/api.rst
@@ -706,7 +706,7 @@ Router Class
 :py:class:`mitogen.core.StreamError` to be raised, and that attributes of the stream match the actual behaviour of ``sudo``.
- .. method:: ssh (hostname, username=None, ssh_path=None, port=None, check_host_keys='enforce', password=None, identity_file=None, compression=True, \**kwargs)
+ .. method:: ssh (hostname, username=None, ssh_path=None, port=None, check_host_keys='enforce', password=None, identity_file=None, identities_only=True, compression=True, \**kwargs)
 Construct a remote context over a ``ssh`` invocation. The ``ssh`` process is started in a newly allocated pseudo-terminal, and supports
@@ -744,6 +744,13 @@ Router Class
 the SSH client to perform authenticaion; agent authentication is automatically disabled, as is reading the default private key from ``~/.ssh/id_rsa``, or ``~/.ssh/id_dsa``.
+ :param bool identities_only:
+ If :data:`True` and a password or explicit identity file is
+ specified, instruct the SSH client to disable any authentication
+ identities inherited from the surrounding environment, such as
+ those loaded in any running ``ssh-agent``, or default key files
+ present in ``~/.ssh``. This ensures authentication attempts only
+ occur using the supplied password or SSH key.
 :param bool compression:
 If :py:data:`True`, enable ``ssh`` compression support. Compression has a minimal effect on the size of modules transmitted, as they 
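Review bot: The new `'identities_only': False` entry is a hard-coded override of the library's default of True with no inline rationale, so a reader of `_connect_ssh` cannot tell whether it is deliberate or a leftover. The choice is security-relevant: with this value, even when `spec['private_key_file']` is set, the ssh client is no longer told to ignore ssh-agent identities and default `~/.ssh` keys, which the changelog describes as matching Ansible's default behaviour. I would add directly above the line `# Match Ansible's default ssh behaviour (#345): do not force IdentitiesOnly, so agent keys and default ~/.ssh keys remain usable alongside private_key_file.` `_connect_ssh` starts and ends outside the hunk.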
diff --git a/docs/changelog.rst b/docs/changelog.rst
index 8b13f431..d592b08d 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -74,6 +74,10 @@ Mitogen for Ansible
 * `#344 `_: connections no longer fail when the parent machine's logged in username contains slashes.
+* `#345 `_: the ``IdentitiesOnly
+ yes`` option is no longer supplied to OpenSSH by default, more closely
+ mimicking Ansible's default behaviour.
+
 * Runs with many targets executed the module dependency scanner redundantly due to missing synchronization, causing significant wasted computation in the connection multiplexer subprocess. For one real-world playbook the scanner
@@ -101,6 +105,9 @@ Core Library
 * `#339 `_: the LXD connection method was erroneously executing LXC Classic commands.
+* `#345 `_: the SSH connection method
+ allows optionally disabling ``IdentitiesOnly yes``.
+
 * Add a :func:`mitogen.fork.on_fork` function to allow non-Mitogen managed process forks to clean up Mitogen resources in the forked chlid.
diff --git a/mitogen/ssh.py b/mitogen/ssh.py
index 25928b45..38e12531 100644
--- a/mitogen/ssh.py
+++ b/mitogen/ssh.py
@@ -142,7 +142,7 @@ class Stream(mitogen.parent.Stream):
 check_host_keys='enforce', password=None, identity_file=None, compression=True, ssh_args=None, keepalive_enabled=True, keepalive_count=3, keepalive_interval=15,
- ssh_debug_level=None, **kwargs):
+ identities_only=True, ssh_debug_level=None, **kwargs):
 super(Stream, self).construct(**kwargs)
 if check_host_keys not in ('accept', 'enforce', 'ignore'):
 raise ValueError(self.check_host_keys_msg)
@@ -153,6 +153,7 @@ class Stream(mitogen.parent.Stream):
 self.check_host_keys = check_host_keys
 self.password = password
 self.identity_file = identity_file
+ self.identities_only = identities_only
 self.compression = compression
 self.keepalive_enabled = keepalive_enabled
 self.keepalive_count = keepalive_count 
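Review bot: In the first `mitogen/ssh.py` hunk, `identities_only=True` is inserted before `ssh_debug_level` in `construct`'s parameter list rather than appended after it, which shifts the position of `ssh_debug_level` for any caller that passes these arguments positionally; the `construct(**kwargs)` chain suggests keyword use, but appending it at the end, `ssh_debug_level=None, identities_only=True, **kwargs):`, avoids the question entirely. The new parameter also carries no documentation in the method itself, while the semantics added in `docs/api.rst` are subtle: it is only honoured when `identity_file` or `password` is supplied. A short comment next to the assignment in the second hunk, `# Only consulted when identity_file or password is set; see get_boot_command.`, would keep that contract visible to maintainers (the method name is inferred from the later hunk, so confirm it). `construct`'s `def` line and the remainder of its body lie outside the hunk.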
@@ -181,7 +182,7 @@ class Stream(mitogen.parent.Stream):
 bits += ['-l', self.username]
 if self.port is not None:
 bits += ['-p', str(self.port)]
- if self.identity_file or self.password:
+ if self.identities_only and (self.identity_file or self.password):
 bits += ['-o', 'IdentitiesOnly yes']
 if self.identity_file:
 bits += ['-i', self.identity_file]
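Review bot: The rewritten condition leaves the reason for the inner `(self.identity_file or self.password)` gate undocumented: with `identities_only=False` an explicit `-i` is still emitted two lines further down, yet the client is now free to offer agent-loaded and default `~/.ssh` identities as well, which is the behaviour change #345 intends. A one-line comment above the `if` would make that explicit, e.g. `# IdentitiesOnly is only forced when the caller supplied credentials; identities_only=False lets agent/default keys be tried too (#345).` It is also worth noting in that comment that offering many agent keys can use up the server's permitted authentication attempts before the supplied key or password is tried, so unexpected authentication failures after this change should be checked against the `identities_only` setting. The enclosing method starts and ends outside the hunk.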