
Adding support for hashed known_hosts entries

Fixes Issue #3716 - SSH known host checking needs to understand
hashed known hosts
James Cammarata 2013-08-02 11:08:02 -05:00
parent d485abe2e7
commit ba38d6bc16


@ -23,7 +23,9 @@ import pipes
import random import random
import select import select
import fcntl import fcntl
import hmac
import pwd import pwd
from hashlib import sha1
import ansible.constants as C import ansible.constants as C
from ansible.callbacks import vvv from ansible.callbacks import vvv
from ansible import errors from ansible import errors
@ -39,6 +41,7 @@ class Connection(object):
self.user = user self.user = user
self.password = password self.password = password
self.private_key_file = private_key_file self.private_key_file = private_key_file
self.HASHED_KEY_MAGIC = "|1|"
def connect(self): def connect(self):
''' connect to the remote host ''' ''' connect to the remote host '''
@ -105,8 +108,21 @@ class Connection(object):
if line is None or line.find(" ") == -1: if line is None or line.find(" ") == -1:
continue continue
tokens = line.split() tokens = line.split()
if host in tokens[0]: if tokens[0].find(self.HASHED_KEY_MAGIC) == 0:
return False # this is a hashed known host entry
try:
(kn_salt,kn_host) = tokens[0][len(self.HASHED_KEY_MAGIC):].split("|",2)
hash = hmac.new(kn_salt.decode('base64'), digestmod=sha1)
hash.update(host)
if hash.digest() == kn_host.decode('base64'):
return False
except:
# invalid hashed host key, skip it
continue
else:
# standard host file entry
if host in tokens[0]:
return False
return True return True
def exec_command(self, cmd, tmp_path, sudo_user,sudoable=False, executable='/bin/sh'): def exec_command(self, cmd, tmp_path, sudo_user,sudoable=False, executable='/bin/sh'):
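Review bot: The bare `except:` around the hashed-entry check in the third hunk turns any failure into "no match", not just a malformed line, and it also swallows KeyboardInterrupt; narrow it to what the parsing can raise, e.g. `except (ValueError, binascii.Error):` with `import binascii` added next to `import hmac`. In the `else` branch, `if host in tokens[0]` is a substring test, so a name that is only part of another entry is reported as known; `if host in tokens[0].split(','):` compares whole names. The HMAC is computed over the bare `host`, whereas OpenSSH hashes `[host]:port` for non-default ports, so those entries would presumably never match; confirm against how the port is handled outside this hunk. As a style point, the local `hash` shadows the builtin and `HASHED_KEY_MAGIC` reads better as a class-level constant than an attribute set in `__init__`. The enclosing method starts outside the hunk.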