From ba38d6bc1684bc0a30a3cd06e4e9927e0e162dec Mon Sep 17 00:00:00 2001 From: James Cammarata Date: Fri, 2 Aug 2013 11:08:02 -0500 Subject: [PATCH] Adding support for hashed known_hosts entries Fixes Issue #3716 - SSH known host checking needs to understand hashed known hosts --- lib/ansible/runner/connection_plugins/ssh.py | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/lib/ansible/runner/connection_plugins/ssh.py b/lib/ansible/runner/connection_plugins/ssh.py index 127661285b..a27b8de51c 100644 --- a/lib/ansible/runner/connection_plugins/ssh.py +++ b/lib/ansible/runner/connection_plugins/ssh.py @@ -23,7 +23,9 @@ import pipes import random import select import fcntl +import hmac import pwd +from hashlib import sha1 import ansible.constants as C from ansible.callbacks import vvv from ansible import errors @@ -39,6 +41,7 @@ class Connection(object): self.user = user self.password = password self.private_key_file = private_key_file + self.HASHED_KEY_MAGIC = "|1|" def connect(self): ''' connect to the remote host ''' @@ -105,8 +108,21 @@ class Connection(object): if line is None or line.find(" ") == -1: continue tokens = line.split() - if host in tokens[0]: - return False + if tokens[0].find(self.HASHED_KEY_MAGIC) == 0: + # this is a hashed known host entry + try: + (kn_salt,kn_host) = tokens[0][len(self.HASHED_KEY_MAGIC):].split("|",2) + hash = hmac.new(kn_salt.decode('base64'), digestmod=sha1) + hash.update(host) + if hash.digest() == kn_host.decode('base64'): + return False + except: + # invalid hashed host key, skip it + continue + else: + # standard host file entry + if host in tokens[0]: + return False return True def exec_command(self, cmd, tmp_path, sudo_user,sudoable=False, executable='/bin/sh'):