mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
Adding support for hashed known_hosts entries
Fixes Issue #3716 - SSH known host checking needs to understand hashed known hosts
This commit is contained in:
parent
d485abe2e7
commit
ba38d6bc16
1 changed files with 18 additions and 2 deletions
|
@ -23,7 +23,9 @@ import pipes
|
||||||
import random
|
import random
|
||||||
import select
|
import select
|
||||||
import fcntl
|
import fcntl
|
||||||
|
import hmac
|
||||||
import pwd
|
import pwd
|
||||||
|
from hashlib import sha1
|
||||||
import ansible.constants as C
|
import ansible.constants as C
|
||||||
from ansible.callbacks import vvv
|
from ansible.callbacks import vvv
|
||||||
from ansible import errors
|
from ansible import errors
|
||||||
|
@ -39,6 +41,7 @@ class Connection(object):
|
||||||
self.user = user
|
self.user = user
|
||||||
self.password = password
|
self.password = password
|
||||||
self.private_key_file = private_key_file
|
self.private_key_file = private_key_file
|
||||||
|
self.HASHED_KEY_MAGIC = "|1|"
|
||||||
|
|
||||||
def connect(self):
|
def connect(self):
|
||||||
''' connect to the remote host '''
|
''' connect to the remote host '''
|
||||||
|
@ -105,8 +108,21 @@ class Connection(object):
|
||||||
if line is None or line.find(" ") == -1:
|
if line is None or line.find(" ") == -1:
|
||||||
continue
|
continue
|
||||||
tokens = line.split()
|
tokens = line.split()
|
||||||
if host in tokens[0]:
|
if tokens[0].find(self.HASHED_KEY_MAGIC) == 0:
|
||||||
return False
|
# this is a hashed known host entry
|
||||||
|
try:
|
||||||
|
(kn_salt,kn_host) = tokens[0][len(self.HASHED_KEY_MAGIC):].split("|",2)
|
||||||
|
hash = hmac.new(kn_salt.decode('base64'), digestmod=sha1)
|
||||||
|
hash.update(host)
|
||||||
|
if hash.digest() == kn_host.decode('base64'):
|
||||||
|
return False
|
||||||
|
except:
|
||||||
|
# invalid hashed host key, skip it
|
||||||
|
continue
|
||||||
|
else:
|
||||||
|
# standard host file entry
|
||||||
|
if host in tokens[0]:
|
||||||
|
return False
|
||||||
return True
|
return True
|
||||||
|
|
||||||
def exec_command(self, cmd, tmp_path, sudo_user,sudoable=False, executable='/bin/sh'):
|
def exec_command(self, cmd, tmp_path, sudo_user,sudoable=False, executable='/bin/sh'):
|
||||||
|
|
Loading…
Reference in a new issue