openssh_keypair module fails to read private key if mode is set to "0644" #564
Comments
This is the nature of the
using |
Yes, that helps, thank you. I wonder if it's worth fixing the documentation to mention usage of the cryptography backend with mode, or making auto use cryptography not only when a passphrase is set, but also switching to it when mode is defined. Or well, is there any good reason why cryptography is not picked by default and opensshbin is the first choice for the auto backend? Even if mode is not set for the module, but the attributes of the file were somehow changed (i.e. the keypair is stored in git, which doesn't preserve attributes), the error that the key can't be decrypted is very confusing.
We could switch the default backend for 3.0.0 (see #559).
With default "auto" backend, opensshbin is first pick, which fails to read a key in case of insecure permissions. This makes the task fail in case the private key in topic has a mode different from 0600, even if a different mode is specified for the module itself [1]. Along with switching backend we are also adding the mode key to be supported [1] ansible-collections/community.crypto#564 Change-Id: I9444ef832136783bde1eff5425e4cd369f905a5c
* Update openstack-ansible-plugins from branch 'master' to 1dbc2985d39fae7c73c741a95a486d9014aa036b - Use cryptography backend for openssh_keypair With default "auto" backend, opensshbin is first pick, which fails to read a key in case of insecure permissions. This makes the task fail in case the private key in topic has a mode different from 0600, even if a different mode is specified for the module itself [1]. Along with switching backend we are also adding the mode key to be supported [1] ansible-collections/community.crypto#564 Change-Id: I9444ef832136783bde1eff5425e4cd369f905a5c
With default "auto" backend, opensshbin is first pick, which fails to read a key in case of insecure permissions. This makes the task fail in case the private key in topic has a mode different from 0600, even if a different mode is specified for the module itself [1]. Along with switching backend we are also adding the mode key to be supported Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/888437 [1] ansible-collections/community.crypto#564 Change-Id: I9444ef832136783bde1eff5425e4cd369f905a5c (cherry picked from commit 1dbc298)
SUMMARY
If you chmod the SSH private key to mode 644 or set mode to '0644' for the module, it fails to read the private key.
ISSUE TYPE
COMPONENT NAME
openssh_keypair
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
Ubuntu 22.04, Python 3.10
STEPS TO REPRODUCE
Assuming you have a task:
Then run the task a couple of times
EXPECTED RESULTS
The module passes in an idempotent manner, preserving mode 644 for the files and being able to re-run without failures.
ACTUAL RESULTS
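A pre-flight check for the failure discussed in this issue, added here as an example and not code from the community.crypto project: it applies the owner-and-mode test the OpenSSH binaries use before loading a private key (any group/other bit set on a file owned by the caller), so a loose mode is reported by name instead of surfacing as a decrypt error. The function names and the temporary sample files are constructed for illustration; a POSIX system is assumed.

```python
import os
import stat
import tempfile

# OpenSSH refuses a private key owned by the calling user when any
# group/other permission bit is set, i.e. (st_mode & 0o077) != 0.
LOOSE_BITS = 0o077


def key_mode_problem(path, uid=None):
    """Return None if the file's mode passes the OpenSSH check,
    otherwise a readable reason (hypothetical helper)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return f"{path}: not a regular file"
    uid = os.getuid() if uid is None else uid
    mode = stat.S_IMODE(st.st_mode)
    # The check only fires for files owned by the user running ssh-keygen.
    if st.st_uid == uid and mode & LOOSE_BITS:
        return (f"{path}: mode {mode:04o} grants group/other access; "
                "the opensshbin backend will not load it, and the key "
                "is exposed to other local users")
    return None


def audit(paths):
    """Map each offending path to its reason; compliant keys are omitted."""
    return {p: why for p in paths if (why := key_mode_problem(p))}


def demo():
    """Build two constructed placeholder files (not real keys) and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        results = {}
        for name, mode in (("id_strict", 0o600), ("id_loose", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
            results[name] = key_mode_problem(path)
        return results


if __name__ == "__main__":
    for name, why in demo().items():
        print(name, "->", why or "ok")
```

Running it over a checkout before the play catches keys whose mode was lost in version control, which is the case raised in the comments above.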