openssh_cert: Implement use_agent option to get signing key from ssh-agent #117
Conversation
Please add some integration tests for this mode.
You also need to add a changelog fragment.
Thanks for the feedback. I'll add the tests and changelog fragment and update the pull request.
Branch force-pushed (… use_agent parameter.): de26725 to 98fdab4
So, it would seem that signing a cert using a CA stored in the ssh-agent was a feature added in OpenSSH 7.6 and so isn't available on some older Linux distros (it seems Ubuntu 16.04 and CentOS 7 and older are the main ones).
So far we tried to support the lowest common denominator (otherwise we would have dropped pyOpenSSL a long time ago, or support for running these modules under Python 2.6). RHEL 7 (CentOS keeps roughly the same timeline) will be supported until end of June 2024 according to https://access.redhat.com/support/policy/updates/errata/

There likely is a way to check for this feature and then act accordingly, but ideally it would be something that can be backported in some other way and used on Ubuntu Xenial or CentOS 7 as well, so there's not too much feature disparity. OTOH some features (e.g. handling certain key types, such as ed25519 ones) are only available using the

More problematic might be that at least according to https://linux.die.net/man/1/ssh-keygen the

As a way forward I guess you can think of a way how you would expect this to behave on e.g. Ubuntu Xenial and what the impact would be in a typical use case (e.g. should the signing key even ever be transferred onto a remote machine?). You could for example argue that the signing should mostly take place on the Ansible control machine, not some host out there and it might be easier for users to upgrade their workstation rather than all their servers.
I think the most important part is that the user gets a helpful error message if used with a too old ssh-keygen version, and that it doesn't accidentally do something different. That

I checked out the git history of openssh-portable. The use of

With that information, it should be possible to implement a version test. Unfortunately, ssh-keygen itself seems to be incapable of outputting its version, so
Branch force-pushed (… use_agent parameter.): 98fdab4 to 0459f1f
Branch force-pushed (… use_agent parameter.): 0459f1f to 40156ca
Branch force-pushed (… use_agent parameter.): 40156ca to e81b4a2
I have added tests and also put in a version check so that if someone attempts to use the use_agent parameter, it will return an error stating that the minimum ssh version is 7.6. I also put version checks on all of the tests so the tests don't run where they're guaranteed to fail. Please let me know if anything doesn't look right. I tried to make sure I kept all the changes similar to how other things were implemented. Also, is there a standard way to test for a known failure? In the tests, I did one where I expected a failure and just used
When the module failed, you can check
Branch force-pushed: 277b2fe to c5dad4f
Looks good! Just two details :)
Branch force-pushed: c5dad4f to 510930b
LGTM
@MarkusTeufelberger what do you think?
Yeah, looks good to me. Thanks for implementing the feature @dougstanley!

@dougstanley thanks a lot for implementing this, especially with tests :)

Thanks @felixfontein and @MarkusTeufelberger for your help!
SUMMARY
Implements an additional optional boolean argument to the openssh_cert module called `use_agent` which simply passes the additional `-U` flag to `ssh-keygen` to tell it to look for the signing key in the ssh-agent.

Fixes #116
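The two pieces the thread settles on are a version gate (the `-U` flag only exists from OpenSSH 7.6, and ssh-keygen cannot report its own version) and the extra `-U` argument on the signing command. The following Python is an added illustration of how those fit together; it is not the module's code from this pull request. It assumes the caller has already captured the banner that `ssh -V` prints, parses the `OpenSSH_X.Y` prefix from it, and only then builds the `ssh-keygen -s ... -U ...` argument list. The banner strings, key paths and function names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample banners in the shape `ssh -V` prints (assumption: the
# module queries the ssh binary because ssh-keygen has no version flag).
SAMPLE_BANNERS = {
    "xenial": "OpenSSH_7.2p2 Ubuntu-4ubuntu2.10, OpenSSL 1.0.2g  1 Mar 2016",
    "bionic": "OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017",
    "recent": "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020",
}

# Minimum release that understands `ssh-keygen -U` (from the discussion above).
MIN_AGENT_VERSION = (7, 6)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from an `ssh -V` banner, or None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def check_agent_support(banner: str) -> Tuple[int, int]:
    """Fail with a clear message when the installed OpenSSH is too old for -U.

    An Ansible module would call module.fail_json() here; a ValueError stands
    in for that so the logic can be exercised stand-alone.
    """
    version = parse_openssh_version(banner)
    if version is None:
        raise ValueError("could not determine OpenSSH version from: %r" % banner)
    if version < MIN_AGENT_VERSION:
        raise ValueError(
            "use_agent requires OpenSSH %d.%d or newer, found %d.%d"
            % (MIN_AGENT_VERSION + version)
        )
    return version


def build_sign_command(
    signing_key: str,
    identifier: str,
    public_key: str,
    principals: Optional[List[str]] = None,
    use_agent: bool = False,
    openssh_banner: str = "",
    keygen_path: str = "ssh-keygen",
) -> List[str]:
    """Assemble the ssh-keygen argv for signing one public key.

    With use_agent the private CA key never touches disk on this host: -s
    receives the CA's *public* half and -U tells ssh-keygen to ask the agent
    for the matching private key. Without it, -s points at the private key.
    """
    args = [keygen_path, "-s", signing_key]
    if use_agent:
        check_agent_support(openssh_banner)  # gate before touching the agent
        args.append("-U")
    args += ["-I", identifier]
    if principals:
        args += ["-n", ",".join(principals)]
    args.append(public_key)
    return args


if __name__ == "__main__":
    print(build_sign_command("ca.pub", "alice-key", "id_ed25519.pub",
                             principals=["alice"], use_agent=True,
                             openssh_banner=SAMPLE_BANNERS["bionic"]))
```

The version comparison is done on an integer tuple rather than on the raw string so that, for instance, 7.10 would not sort below 7.6; the check runs before `-U` is appended, which keeps the failure an explicit error rather than a silent fallback to the non-agent path.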
ISSUE TYPE
COMPONENT NAME
openssh_cert
ADDITIONAL INFORMATION