Commit Graph

93 Commits

Author SHA1 Message Date
James Bardin 590615f7c3 update communicators to use legacy types 2020-12-02 12:16:35 -05:00
hhofs 5b99a56fde
communicator/ssh: Add support for Windows targets (#26865) 2020-11-12 10:00:48 -05:00
Kristin Laemmert d4ec69cfb3
communicator/winrm: include configured timeout in winrm server
* upgrade windows dependencies
* communicator/winrm: include configured timeout in winrm server
2020-06-25 08:41:09 -04:00
James Bardin fd1904983b
Merge pull request #24080 from fabiomatavelli/b-fix-remote-exec
ssh: return error if host is empty
2020-06-16 16:31:50 -04:00
Sander van Harmelen 9453308c78 Make sure the WinRM communicator can reconnect 2020-05-05 16:18:30 -04:00
Sander van Harmelen a614056925 Refactor the code a bit to make it more idiomatic 2020-05-01 08:58:33 -04:00
Fábio Matavelli aefdef1044 Add missing host to communicator test 2020-02-12 10:49:58 +00:00
Fábio Matavelli 48c187efe8 Add invalid host test 2020-02-12 10:07:17 +00:00
Fábio Matavelli 18f72b1cb7 Fix communicator test 2020-02-12 10:06:30 +00:00
Fábio Matavelli c9ea93308a ssh: return error if host is empty 2020-02-11 21:18:04 +00:00
Jaime Caamaño Ruiz c3a61a040e ssh: Fix deadlock on agent forwarding error
If there is an error when opening the session for agent forwarding in
the process ssh connention, there is a deadlock when recursively
calling Connect on an internal reattempt. Avoid that, and let the
connection be reattempted externally.
2019-12-12 18:16:17 +01:00
James Bardin 1ccf1bd9a2
Update communicator/ssh/communicator.go
Co-Authored-By: Kristin Laemmert <mildwonkey@users.noreply.github.com>
2019-10-02 15:03:18 -04:00
James Bardin bbde7e3e35 copy client pointer for keep-alive loop
If a connection fails and attempts to reconnect after the keep-alive
loop started, the client will be pulled out from under the keep-alive
requests. Close over a local copy of the client, so that reconnecting
doesn't race with the keepalive loop terminating.
2019-10-02 13:42:22 -04:00
Mark 3031aca971 Add SSH cert authentication method for connection via Bastion 2019-07-21 09:32:48 +03:00
Ahmon Dancy f9db6651b8 Improve ssh connection debug messages
1) Mention the host and port in the "Connecting..." message.

2) Mention the username in the post-connection handshaking message.

3) If handshaking fails, mention the user, host, and port in the error
   message that will eventually be returned to the user.
2019-07-19 08:49:00 -07:00
James Bardin 780ca17884 use keepalive replies to detect dead connections
An ssh server should always send a reply packet to the keepalive
request. If we miss those replies for over 2min, consider the connection
dead and abort, rather than block the provisioner indefinitely.
2019-07-11 09:44:22 -04:00
Justin Downing 1e32ae243c grammatical updates to comments and docs (#20195) 2019-03-21 14:05:41 -07:00
James Bardin bd28b996db
Merge pull request #20449 from hashicorp/jbardin/ssh-keepalive
fix test that diverged between 2 merges
2019-02-22 20:55:01 -05:00
James Bardin 830a00b6b8 fix test that diverged between 2 merges 2019-02-22 20:41:37 -05:00
James Bardin 929231a2e9
Merge pull request #20437 from hashicorp/jbardin/ssh-keepalive
add ssh keepalive messages to communicator
2019-02-22 20:16:45 -05:00
Sherod Taylor c456d9608b updated ssh authentication and testing for ssh 2019-02-22 14:30:50 -05:00
James Bardin b5384100a6 add ssh keepalive messages to communicator
Long running remote-exec commands with no output may be cutoff during
execution. Enable ssh keepalives for all ssh connections.
2019-02-22 14:03:15 -05:00
James Bardin 6cac02df14 print scp error before exiting on error code
See if there is any additional stderr output before exiting, since it
can be helpful in addition to the error status.
2019-02-21 13:42:46 -05:00
James Bardin f68a1a9c76 remove ssh private key contents from errors
A misformatted private key may fail to parse correctly, but might still
contain sensitive data. Don't display the private key in any error
messages.
2019-02-20 15:05:19 -05:00
Eamon Hetherton d1c301bc2d Fix winrm default ssl port (#19540)
* Update provisioner.go

Changed the default port used for winrm when https is specified
2018-12-12 18:19:02 -05:00
James Bardin abfb43555a connect communicator during Start
Match the tested behavior, and that of the ssh implementation, where the
communicator automatically connects when starting a command.

Remove unused import from legacy dependency handling.
2018-04-05 12:54:58 -04:00
James Bardin 82a4552030 use Run instead of Shell.Execute in winrm
The error from a remote command is not exported, and only exposed via
the Run method. Otherwise the Run method works exactly like the
runCommand function being removed.
2018-04-05 12:54:58 -04:00
James Bardin 3c30f04e0e fix ssh logging
Ensure correct formatting and add a log level to all output.
2018-04-05 12:54:58 -04:00
Joe Khoobyar 138e64dee0 more unit tests 2018-03-30 22:05:10 -04:00
Joe Khoobyar 9766cc0aa5 added unit tests 2018-03-30 22:01:49 -04:00
Joe Khoobyar 481be9da35 code reformatted with gofmt 2018-03-30 21:45:09 -04:00
Joe Khoobyar d7cb9baa43 cleaner initialization of winrmcp 2018-03-30 21:32:46 -04:00
Joe Khoobyar 852a74c49d first attempt at supporting NTLM authentication in Terraform 2018-03-30 21:11:53 -04:00
James Bardin 943972cd8f retry ssh authentication failures
Most of the time an ssh authentication failure would be non-recoverable,
but some host images can start the ssh service before it is properly
configured, or before user authentication data is available.

Log ssh authentication errors and allow the provisioner to retry until
the connection timeout.
2018-03-30 15:23:24 -04:00
James Bardin e9e4ee4940
Merge pull request #17609 from hashicorp/jbardin/remote-command
clean up remote.Cmd api
2018-03-23 17:34:06 -04:00
James Bardin ad8642e2c2 have remote.ExitError format errors and status
Since all use cases of ExitStatus are just putting it into fmt.Errorf,
usually with the command string, have ExitStatus do that for the caller.
2018-03-23 11:36:57 -04:00
James Bardin 2954d9849a add some more functionality to MockCommunicator 2018-03-20 14:23:32 -04:00
James Bardin 3fbdee0777 clean up remote.Cmd api
Combine the ExitStatus and Err values from remote.Cmd into an error
returned by Wait, better matching the behavior of the os/exec package.

Non-zero exit codes are returned from Wait as a remote.ExitError.
Communicator related errors are returned directly.

Clean up all the error handling in the provisioners using a
communicator. Also remove the extra copyOutput synchronization that was
copied from package to package.
2018-03-16 14:29:48 -04:00
James Bardin 2d7dc605a0 get communicator errors from a remote.Cmd
The remote.Cmd struct could not convey any transport related error to
the caller, meaning that interrupted commands would show that they
succeeded.

Change Cmd.SetExited to accept an exit status, as well as an error to
store for the caller.  Make the status and error fields internal,
require serialized access through the getter methods.

Users of remote.Cmd should not check both Cmd.Err() and Cmd.ExitStatus()
until after Wait returns.

Require communicators to call Cmd.Init before executing the command.
This will indicate incorrect usage of the remote.Cmd by causing a panic
in SetExitStatus.
2018-03-15 16:03:20 -04:00
James Bardin e41b29d096
Merge pull request #17354 from hashicorp/jbardin/known_hosts
Verify host keys in ssh connections
2018-02-15 18:33:41 -05:00
James Bardin c1b35ad69b have the ssh communicator return fatal errors
This will let the retry loop abort when there are errors which aren't
going to ever be corrected.
2018-02-15 16:14:33 -05:00
James Bardin e06f76b90f Fix type assertion when loading stored error
Fix a bug where the last error was not retrieved from errVal.Load
due to an incorrect type assertion.
2018-02-15 15:59:34 -05:00
James Bardin bc90eca19f add the remote-exec retry function to communicator
Every provisioner that uses communicator implements its own retryFunc.
Take the remote-exec implementation (since it's the most complete) and
put it in the communicator package for each provisioner to use.

Add a public interface `communicator.Fatal`, which can wrap an error to
indicate a fatal error that should not be retried.
2018-02-14 18:18:12 -05:00
James Bardin bdfa97dbdb add tests for signed host certs
This checks that we can verify host certificates signed by a CA
2018-02-14 15:35:41 -05:00
James Bardin 1e7fd1c4ea add test for host key validation
This tests basic known_hosts validation for the ssh communicator.
2018-02-14 15:35:41 -05:00
James Bardin 1a68fdb4f6 add support for ssh host key checking
Add `host_key` and `bastion_host_key` fields to the ssh communicator
config for strict host key checking.

Both fields expect the contents of an openssh formated public key. This
key can either be the remote host's public key, or the public key of the
CA which signed the remote host certificate.

Support for signed certificates is limited, because the provisioner
usually connects to a remote host by ip address rather than hostname, so
the certificate would need to be signed appropriately. Connecting via
a hostname needs to currently be done through a secondary provisioner,
like one attached to a null_resource.
2018-02-14 15:35:41 -05:00
James Bardin daf05e65e0 test identity file parsing 2017-12-26 16:27:18 -05:00
James Bardin 8c8847e1cf sort ssh agent signers by requested id
It's becoming more common for users to have many ssh keys loaded into an
agent, and with the default max auth attempts of an openssh server at 6,
one often needs to specify which id to use in order to avoid a `too many
authentication failures` error.

Add a connection field called `agent_identity` which will function
similarly to the ssh_config IdentityFile when used in conjunction with
an ssh agent. This uses `agent_identity` rather than `identity_file` to
specify that the file is not used directly for authentication, rather
it's used to choose which identity returned from the agent to
authenticate with first.

This feature tries a number of different methods to match the agent
identity. First the provisioner attempts to read the id file and extract
the public key. If that isn't available, we look for a .pub authorized
key file. Either of these will result in a public key that can be
matched directly against the agent keys. Finally we fall back to
matching the comment string exactly, and the id as a suffix. The only
result of using the agent_identity is the reordering of the public keys
used for authentication, and if there is no exact match the client
will still attempt remaining keys until there is an error.
2017-12-26 16:27:18 -05:00
jd3nn1s 21c9c2ce00 communicator/winrm: pass cacert option correctly
It appears that the cacert option for the winrm provisioner was
not getting passed correctly to the winrm package. Log output
showed that CACert was false regardless of configuration.

While the validation of the connector looked for cacert, the winrm
communicator looked for ca_cert.
2017-10-23 13:28:41 -07:00
Adam Shannon c9c2823f62 communicator/ssh: add what error details we can for the user
ssh.Waitmsg's String() method provides output which can include the
process status, signal, and message
2017-10-03 09:06:02 -05:00