Allow multiple keys per host + minor improvements (#716)

* known_hosts: clarify key format in documentation

Add a small clarification to the documentation about the format of the
"key" parameter.
Should make #664 less of a issue for newcomers.

* known_hosts: normalize key entry to simplify input

Keys are normalized before comparing input with present keys. This
should make it easier to deal with some corner cases, such as having a
hashed entry for some host and trying to add it as non-hashed.

* known_hosts: allow multiple entries per host

In order to support multiple key types and allow the installed ssh
version to decide which is more secure, the module now only overwrites
an existing entry in known_hosts if the provided key is of the same
type.
Old keys of different types must be explicitly removed. Setting
state to "absent" and providing no key will remove all entries for the
host.
This commit is contained in:
Leo Antunes 2016-05-23 16:33:52 +02:00 committed by Matt Clay
parent 716e1576d4
commit c0570d275b

View file

@ -23,7 +23,7 @@ DOCUMENTATION = '''
module: known_hosts
short_description: Add or remove a host from the C(known_hosts) file
description:
- The M(known_hosts) module lets you add or remove a host from the C(known_hosts) file.
- The M(known_hosts) module lets you add or remove a host keys from the C(known_hosts) file. Multiple entries per host are allowed, but only one for each key type supported by ssh.
This is useful if you're going to want to use the M(git) module over ssh, for example.
If you have a very large number of host keys to manage, you will find the M(template) module more useful.
version_added: "1.9"
@ -36,7 +36,7 @@ options:
default: null
key:
description:
- The SSH public host key, as a string (required if state=present, optional when state=absent, in which case all keys for the host are removed)
- The SSH public host key, as a string (required if state=present, optional when state=absent, in which case all keys for the host are removed). The key must be in the right format for ssh (see ssh(1), section "SSH_KNOWN_HOSTS FILE FORMAT")
required: false
default: null
path:
@ -46,7 +46,7 @@ options:
default: "(homedir)+/.ssh/known_hosts"
state:
description:
- I(present) to add the host, I(absent) to remove it.
- I(present) to add the host key, I(absent) to remove it.
choices: [ "present", "absent" ]
required: no
default: present
@ -76,6 +76,7 @@ import os
import os.path
import tempfile
import errno
import re
def enforce_state(module, params):
"""
@ -99,24 +100,24 @@ def enforce_state(module, params):
sanity_check(module,host,key,sshkeygen)
current,replace=search_for_host_key(module,host,key,path,sshkeygen)
found,replace_or_add,found_line=search_for_host_key(module,host,key,path,sshkeygen)
#We will change state if current==True & state!="present"
#or current==False & state=="present"
#i.e (current) XOR (state=="present")
#We will change state if found==True & state!="present"
#or found==False & state=="present"
#i.e found XOR (state=="present")
#Alternatively, if replace is true (i.e. key present, and we must change it)
if module.check_mode:
module.exit_json(changed = replace or ((state=="present") != current))
module.exit_json(changed = replace_or_add or (state=="present") != found)
#Now do the work.
#First, remove an extant entry if required
if replace==True or (current==True and state=="absent"):
module.run_command([sshkeygen,'-R',host,'-f',path],
check_rc=True)
#Only remove whole host if found and no key provided
if found and key is None and state=="absent":
module.run_command([sshkeygen,'-R',host,'-f',path], check_rc=True)
params['changed'] = True
#Next, add a new (or replacing) entry
if replace==True or (current==False and state=="present"):
if replace_or_add or found != (state=="present"):
try:
inf=open(path,"r")
except IOError, e:
@ -128,10 +129,13 @@ def enforce_state(module, params):
try:
outf=tempfile.NamedTemporaryFile(dir=os.path.dirname(path))
if inf is not None:
for line in inf:
for line_number, line in enumerate(inf, start=1):
if found_line==line_number and (replace_or_add or state=='absent'):
continue # skip this line to replace its key
outf.write(line)
inf.close()
outf.write(key)
if state == 'present':
outf.write(key)
outf.flush()
module.atomic_move(outf.name,path)
except (IOError,OSError),e:
@ -183,54 +187,76 @@ def sanity_check(module,host,key,sshkeygen):
module.fail_json(msg="Host parameter does not match hashed host field in supplied key")
def search_for_host_key(module,host,key,path,sshkeygen):
'''search_for_host_key(module,host,key,path,sshkeygen) -> (current,replace)
'''search_for_host_key(module,host,key,path,sshkeygen) -> (found,replace_or_add,found_line)
Looks up host in the known_hosts file path; if it's there, looks to see
Looks up host and keytype in the known_hosts file path; if it's there, looks to see
if one of those entries matches key. Returns:
current (Boolean): is host found in path?
replace (Boolean): is the key in path different to that supplied by user?
if current=False, then replace is always False.
found (Boolean): is host found in path?
replace_or_add (Boolean): is the key in path different to that supplied by user?
found_line (int or None): the line where a key of the same type was found
if found=False, then replace is always False.
sshkeygen is the path to ssh-keygen, found earlier with get_bin_path
'''
replace=False
if os.path.exists(path)==False:
return False, False
return False, False, None
#openssh >=6.4 has changed ssh-keygen behaviour such that it returns
#1 if no host is found, whereas previously it returned 0
rc,stdout,stderr=module.run_command([sshkeygen,'-F',host,'-f',path],
check_rc=False)
if stdout=='' and stderr=='' and (rc==0 or rc==1):
return False, False #host not found, no other errors
return False, False, None #host not found, no other errors
if rc!=0: #something went wrong
module.fail_json(msg="ssh-keygen failed (rc=%d,stdout='%s',stderr='%s')" % (rc,stdout,stderr))
#If user supplied no key, we don't want to try and replace anything with it
#If user supplied no key, we don't want to try and replace anything with it
if key is None:
return True, False
return True, False, None
lines=stdout.split('\n')
k=key.strip() #trim trailing newline
#ssh-keygen returns only the host we ask about in the host field,
#even if the key entry has multiple hosts. Emulate this behaviour here,
#otherwise we get false negatives.
#Only necessary for unhashed entries.
if k[0] !='|':
k=k.split()
#The optional "marker" field, used for @cert-authority or @revoked
if k[0][0] == '@':
k[1]=host
else:
k[0]=host
k=' '.join(k)
new_key = normalize_known_hosts_key(key, host)
for l in lines:
if l=='':
if l=='':
continue
if l[0]=='#': #comment
continue
if k==l: #found a match
return True, False #current, not-replace
#No match found, return current and replace
return True, True
elif l[0]=='#': # info output from ssh-keygen; contains the line number where key was found
try:
# This output format has been hardcoded in ssh-keygen since at least OpenSSH 4.0
# It always outputs the non-localized comment before the found key
found_line = int(re.search(r'found: line (\d+)', l).group(1))
except IndexError, e:
module.fail_json(msg="failed to parse output of ssh-keygen for line number: '%s'" % l)
else:
found_key = normalize_known_hosts_key(l,host)
if new_key==found_key: #found a match
return True, False, found_line #found exactly the same key, don't replace
elif new_key['type'] == found_key['type']: # found a different key for the same key type
return True, True, found_line
#No match found, return found and replace, but no line
return True, True, None
def normalize_known_hosts_key(key, host):
'''
Transform a key, either taken from a known_host file or provided by the
user, into a normalized form.
The host part (which might include multiple hostnames or be hashed) gets
replaced by the provided host. Also, any spurious information gets removed
from the end (like the username@host tag usually present in hostkeys, but
absent in known_hosts files)
'''
k=key.strip() #trim trailing newline
k=key.split()
d = dict()
#The optional "marker" field, used for @cert-authority or @revoked
if k[0][0] == '@':
d['options'] = k[0]
d['host']=host
d['type']=k[2]
d['key']=k[3]
else:
d['host']=host
d['type']=k[1]
d['key']=k[2]
return d
def main():