From dfd979eb689c38e423b79f86182b0e0d3ed89c99 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Fri, 1 Nov 2019 09:57:20 +0100
Subject: [PATCH] Windows SSH key permissions workaround (#1584)

* Windows SSH key permissions workaround
* Ensure Ansible is not being run in a world writable directory
* linting
---
 config.cfg | 1 +
 main.yml | 12 ++++++++++++
 playbooks/cloud-post.yml | 2 +-
 playbooks/cloud-pre.yml | 33 +++++++++++++++++++++------------
 server.yml | 2 +-
 5 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/config.cfg b/config.cfg
index 34d15f5..2bc9c00 100644
--- a/config.cfg
+++ b/config.cfg
@@ -132,6 +132,7 @@ congrats:
 SSH_keys:
 comment: algo@ssh
 private: configs/algo.pem
+ private_tmp: /tmp/algo-ssh.pem
 public: configs/algo.pem.pub
 
 cloud_providers:
diff --git a/main.yml b/main.yml
index d317430..6f0e9ca 100644
--- a/main.yml
+++ b/main.yml
@@ -2,6 +2,18 @@
 - hosts: localhost
 become: false
 tasks:
+ - name: Playbook dir stat
 stat:
 path: "{{ playbook_dir }}"
 register: _playbook_dir
+
+ - name: Ensure Ansible is not being run in a world writable directory
 assert:
 that: _playbook_dir.stat.mode|int <= 0775
 msg: >
 Ansible is being run in a world writable directory ({{ playbook_dir }}), ignoring it as an ansible.cfg source.
 For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
+
 - name: Ensure the requirements installed
 debug:
 msg: "{{ '' | ipaddr }}"
diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml
index ad81291..78eb607 100644
--- a/playbooks/cloud-post.yml
+++ b/playbooks/cloud-post.yml
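Review bot: The assertion `that: _playbook_dir.stat.mode|int <= 0775` in the new "Ensure Ansible is not being run in a world writable directory" task does not actually test the other-write bit: the stat module reports `mode` as an octal-looking string such as "0755", and both `|int` and Jinja's `0775` literal read those digits as decimal, so a world-writable 0767 directory passes while a harmless setgid 2775 directory trips the assert. The stat result exposes the bit directly, and `that: not _playbook_dir.stat.woth` is the same test Ansible applies before ignoring a cwd ansible.cfg. Note also that Ansible's check (per the linked doc) is on the current working directory rather than `playbook_dir`; the two coincide only when the playbook is launched from the repository root, which is presumably the intended invocation, so a short comment stating that assumption above the task would help. The message reads as if the task itself were ignoring the file; `msg: "{{ playbook_dir }} is world writable, so Ansible would ignore its ansible.cfg; fix the directory permissions and re-run."` states the consequence more plainly.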
@@ -23,7 +23,7 @@
 - name: Additional variables for the server
 add_host:
 name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
- ansible_ssh_private_key_file: "{{ SSH_keys.private }}"
+ ansible_ssh_private_key_file: "{{ SSH_keys.private_tmp }}"
 when: algo_provider != 'local'
 
 - name: Wait until SSH becomes ready...
diff --git a/playbooks/cloud-pre.yml b/playbooks/cloud-pre.yml
index fb0dee0..44259bd 100644
--- a/playbooks/cloud-pre.yml
+++ b/playbooks/cloud-pre.yml
@@ -29,17 +29,26 @@
 delegate_to: localhost
 become: false
 
-- name: Generate the SSH private key
- openssl_privatekey:
- path: "{{ SSH_keys.private }}"
- size: 2048
- mode: "0600"
- type: RSA
- when: algo_provider != "local"
+- block:
+ - name: Generate the SSH private key
 openssl_privatekey:
 path: "{{ SSH_keys.private }}"
 size: 2048
 mode: "0600"
 type: RSA
+
+ - name: Generate the SSH public key
 openssl_publickey:
 path: "{{ SSH_keys.public }}"
 privatekey_path: "{{ SSH_keys.private }}"
 format: OpenSSH
 
-- name: Generate the SSH public key
- openssl_publickey:
- path: "{{ SSH_keys.public }}"
- privatekey_path: "{{ SSH_keys.private }}"
- format: OpenSSH
+ - name: Copy the private SSH key to /tmp
 copy:
 src: "{{ SSH_keys.private }}"
 dest: "{{ SSH_keys.private_tmp }}"
 force: true
 mode: '0600'
 delegate_to: localhost
 become: false
 when: algo_provider != "local"
diff --git a/server.yml b/server.yml
index 0eb7866..b46b650 100644
--- a/server.yml
+++ b/server.yml
@@ -41,7 +41,7 @@
 server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
 server_user: {{ ansible_ssh_user }}
 {% if algo_provider != "local" %}
- ansible_ssh_private_key_file: {{ ansible_ssh_private_key_file|default(SSH_keys.private) }}
+ ansible_ssh_private_key_file: {{ SSH_keys.private }}
 {% endif %}
 algo_provider: {{ algo_provider }}
 algo_server_name: {{ algo_server_name }}
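Review bot: The new "Copy the private SSH key to /tmp" task writes the server's private key to the fixed, predictable path `/tmp/algo-ssh.pem` (the `private_tmp` default from config.cfg), and nothing in this diff removes it afterwards, so the key outlives the run in a directory every local user can list; on a shared host another user can also pre-create that name, which turns `force: true` into either a clobber of their file or a failed copy, depending on how the copy module replaces the target. A per-run private temp file avoids both: create it with the `tempfile` module (mkstemp, 0600, random name), point the connection variable at it via `combine`, and add a `file: state: absent` cleanup at the end of the play (not in this diff). The fact override assumes cloud-post.yml's `add_host` runs on the same localhost host as this block, which the `delegate_to: localhost` on the block suggests but the diff does not show. The two key-generation tasks above the copy are unchanged logic moved under `block:` and are not at issue.
```yaml
  - name: Create a private temporary file for the SSH key
    tempfile:
      state: file
      suffix: -algo-ssh.pem
    register: _ssh_key_tmp

  - name: Copy the private SSH key to the temporary file
    copy:
      src: "{{ SSH_keys.private }}"
      dest: "{{ _ssh_key_tmp.path }}"
      force: true
      mode: '0600'

  - name: Use the temporary copy for this run's SSH connections
    set_fact:
      SSH_keys: "{{ SSH_keys | combine({'private_tmp': _ssh_key_tmp.path}) }}"
  # … unchanged: delegate_to / become / when on the block …
```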
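Review bot: The written config now always records `SSH_keys.private` (configs/algo.pem) rather than the key file the run actually connected with, so on the Windows/WSL checkouts this commit targets, later runs driven by that saved config will presumably hit the same permission rejection the /tmp copy works around, since the temporary copy is only created in cloud-pre.yml. Recording the durable path is the right choice (the /tmp copy may not survive), but the trade-off is invisible here; a comment on this line such as `# durable key path, not the per-run /tmp copy: re-apply the permissions workaround when reusing this config` would tell the next maintainer why the old `|default(...)` fallback was dropped. The enclosing `copy`/`content` task starts outside the hunk.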