diff --git a/lib/ansible/runner/connection_plugins/paramiko_ssh.py b/lib/ansible/runner/connection_plugins/paramiko_ssh.py
index e71d0824b6..9e1052b994 100644
--- a/lib/ansible/runner/connection_plugins/paramiko_ssh.py
+++ b/lib/ansible/runner/connection_plugins/paramiko_ssh.py
@@ -29,6 +29,7 @@ import pipes
 import socket
 import random
 import logging
+import tempfile
 import traceback
 import fcntl
 import re
@@ -39,7 +40,6 @@ from ansible.callbacks import vvv
 from ansible import errors
 from ansible import utils
 from ansible import constants as C
-from ansible.module_utils.basic import atomic_move
 
 AUTHENTICITY_MSG="""
 paramiko: The authenticity of host '%s' can't be established.
@@ -381,7 +381,25 @@ class Connection(object):
             self.ssh.load_system_host_keys()
             self.ssh._host_keys.update(self.ssh._system_host_keys)
 
-            self._save_ssh_host_keys(self.keyfile)
+
+            # gather information about the current key file, so
+            # we can ensure the new file has the correct mode/owner
+
+            key_dir = os.path.dirname(self.keyfile)
+            key_stat = os.stat(self.keyfile)
+
+            # Save the new keys to a temporary file and move it into place
+            # rather than rewriting the file. We set delete=False because
+            # the file will be moved into place rather than cleaned up.
+
+            tmp_keyfile = tempfile.NamedTemporaryFile(dir=key_dir, delete=False)
+            os.chmod(tmp_keyfile.name, key_stat.st_mode & 07777)
+            os.chown(tmp_keyfile.name, key_stat.st_uid, key_stat.st_gid)
+
+            self._save_ssh_host_keys(tmp_keyfile.name)
+            tmp_keyfile.close()
+
+            os.rename(tmp_keyfile.name, self.keyfile)
         except: