Commit Graph

17 Commits

Author SHA1 Message Date
Mark 3031aca971 Add SSH cert authentication method for connection via Bastion 2019-07-21 09:32:48 +03:00
Sherod Taylor c456d9608b updated ssh authentication and testing for ssh 2019-02-22 14:30:50 -05:00
James Bardin f68a1a9c76 remove ssh private key contents from errors
A misformatted private key may fail to parse correctly, but might still
contain sensitive data. Don't display the private key in any error
messages.
2019-02-20 15:05:19 -05:00
James Bardin 1a68fdb4f6 add support for ssh host key checking
Add `host_key` and `bastion_host_key` fields to the ssh communicator
config for strict host key checking.

Both fields expect the contents of an openssh formated public key. This
key can either be the remote host's public key, or the public key of the
CA which signed the remote host certificate.

Support for signed certificates is limited, because the provisioner
usually connects to a remote host by ip address rather than hostname, so
the certificate would need to be signed appropriately. Connecting via
a hostname needs to currently be done through a secondary provisioner,
like one attached to a null_resource.
2018-02-14 15:35:41 -05:00
James Bardin 8c8847e1cf sort ssh agent signers by requested id
It's becoming more common for users to have many ssh keys loaded into an
agent, and with the default max auth attempts of an openssh server at 6,
one often needs to specify which id to use in order to avoid a `too many
authentication failures` error.

Add a connection field called `agent_identity` which will function
similarly to the ssh_config IdentityFile when used in conjunction with
an ssh agent. This uses `agent_identity` rather than `identity_file` to
specify that the file is not used directly for authentication, rather
it's used to choose which identity returned from the agent to
authenticate with first.

This feature tries a number of different methods to match the agent
identity. First the provisioner attempts to read the id file and extract
the public key. If that isn't available, we look for a .pub authorized
key file. Either of these will result in a public key that can be
matched directly against the agent keys. Finally we fall back to
matching the comment string exactly, and the id as a suffix. The only
result of using the agent_identity is the reordering of the public keys
used for authentication, and if there is no exact match the client
will still attempt remaining keys until there is an error.
2017-12-26 16:27:18 -05:00
James Bardin 8174037a2b Remove deprecated key_file and bastion_key_file
These were deprecated in the 0.6.x series. Their functionality was broken
in a recent release which whould have removed them as well.
2016-10-12 14:30:09 -04:00
Sander van Harmelen 968472a63e Support recreating clients and configuring Chef Vaults (#8577)
Fixes #3605 and adds the functionality suggested in PR #7440.

This PR is using a different appraoch that (IMHO) feels cleaner and (even more important) adds support for Windows at the same time.
2016-09-15 14:20:18 +02:00
Kristinn Örn Sigurðsson bc5518f993 provisioners: Allow provisioning over IPv6 2016-09-03 15:45:24 -07:00
Sander van Harmelen c72342eefc Add SSH agent support for Windows
The Windows support is limited to the Pageant SSH authentication agent.
This fixes #3423
2015-12-15 16:39:23 +01:00
Paul Hinze b6aed3fec3 communicator/ssh: fix typos travis didn't catch
I think rebasing and splitting got me into a weird state. This should
fix the build failures on master.
2015-11-12 16:00:28 -06:00
Paul Hinze 7ffa66d1a5 ssh: accept private key contents instead of path
We've been moving away from config fields expecting file paths that
Terraform will load, instead prefering fields that expect file contents,
leaning on `file()` to do loading from a path.

This helps with consistency and also flexibility - since this makes it
easier to shift sensitive files into environment variables.

Here we add a little helper package to manage the transitional period
for these fields where we support both behaviors.

Also included is the first of several fields being shifted over - SSH
private keys in provisioner connection config.

We're moving to new field names so the behavior is more intuitive, so
instead of `key_file` it's `private_key` now.

Additional field shifts will be included in follow up PRs so they can be
reviewed and discussed individually.
2015-11-12 14:59:14 -06:00
Paul Hinze 801aaf1eec communicator/ssh: sort agent after static keyfile
In the SSH client configuration, we had SSH Agent authentication listed
before the static PrivateKey loaded from the `key_file` setting.
Switching the default of the `agent` setting exposed the fact that the
SSH agent overrides the `key_file` during the handshake. By listing the
`key_file` first, we catch the provided key before any query goes out to
the agent.

Adds a key-based authentication SSH test to cover this new behavior. It
fails without the reordering on any machine with an SSH agent running.

Fixes #2614
2015-07-02 15:41:23 -05:00
Paul Hinze a7cbbbd258 communicator/ssh: bastion host support
* adds `bastion_*` fields to `connection` which add configuration for a
   bastion host
 * if `bastion_host` is set, connect to that host first, then jump
   through it to make the SSH connection to `host`
 * enables SSH Agent forwarding by default
2015-06-22 18:00:18 -05:00
Paul Hinze 44de0996c5 communicator/ssh: switch agent default to true
This changes SSH Agent utilization from opt-in to opt-out, bringing
Terraform in line with the behavior of Packer and the `ssh` command
itself.

But skip SSH agent connections if the SSH_AUTH_SOCK env var doesn't exist,
whcih means there's no agent to connect to.
2015-06-19 17:14:43 -05:00
Sander van Harmelen 41748003c0 Updated the PR according to the review comments
* We now return an error when you set the script_path to
C:\Windows\Temp explaining this is currently not supported
* The fix in PR #1588 is converted to the updated setup in this PR
including the unit tests

Last thing to do is add a few tests for the WinRM communicator…
2015-05-01 18:52:01 +02:00
Sander van Harmelen 4a29c714e5 Adding support for WinRM 2015-05-01 18:48:54 +02:00
Sander van Harmelen c9e9e374bb Adding some abstractions for the communicators
This is needed as preperation for adding WinRM support. There is still
one error in the tests which needs another look, but other than that it
seems like were now ready to start working on the WinRM part…
2015-05-01 18:48:54 +02:00