helper/ssh: error if private key on SSH [GH-73]

2014-08-05 09:53:02 -07:00 · 2014-08-05 09:53:02 -07:00 · a74775d077
parent 642fed0356
commit a74775d077
2 changed files with 22 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -14,17 +14,19 @@ BUG FIXES:

  * core: Default variable file "terraform.tfvars" is auto-loaded. [GH-59]
  * providers/cloudflare: Include the proper bins so the cloudflare
-    provider is compiled
+      provider is compiled
  * providers/aws: Engine version for RDS now properly set [GH-118]
  * providers/aws: Security groups now depend on each other and
  * providers/aws: DB instances now wait for destroys, have proper
-    dependencies and allow passing skip_final_snapshot
+      dependencies and allow passing skip_final_snapshot
  * providers/aws: Add associate_public_ip_address as an attribute on
-    the aws_instance resource [GH-85]
+      the aws_instance resource [GH-85]
  * providers/aws: Fix cidr blocks being updated [GH-65, GH-85]
  * providers/aws: Description is now required for security groups
  * providers/digitalocean: Private IP addresses are now a separate
-    attribute
+      attribute
+  * provisioner/all: If an SSH key is given with a password, a better
+      error message is shown. [GH-73]

 ## 0.1.0 (July 28, 2014)

--- a/helper/ssh/provisioner.go
+++ b/helper/ssh/provisioner.go
@ -1,6 +1,7 @@
 package ssh

 import (
+	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"log"
@ -105,10 +106,25 @@ func PrepareConfig(conf *SSHConfig) (*Config, error) {
 		if err != nil {
 			return nil, fmt.Errorf("Failed to read key file '%s': %v", conf.KeyFile, err)
 		}
+
+		// We parse the private key on our own first so that we can
+		// show a nicer error if the private key has a password.
+		block, _ := pem.Decode(key)
+		if block == nil {
+			return nil, fmt.Errorf(
+				"Failed to read key '%s': no key found", conf.KeyFile)
+		}
+		if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
+			return nil, fmt.Errorf(
+				"Failed to read key '%s': password protected keys are\n"+
+					"not supported. Please decrypt the key prior to use.", conf.KeyFile)
+		}
+
 		signer, err := ssh.ParsePrivateKey(key)
 		if err != nil {
 			return nil, fmt.Errorf("Failed to parse key file '%s': %v", conf.KeyFile, err)
 		}
+
 		sshConf.Auth = append(sshConf.Auth, ssh.PublicKeys(signer))
 	}
 	if conf.Password != "" {