openssh_keypair: Adding passphrase parameter (#225)

* Integrating openssh module utils with openssh_keypair * Added explicit PEM formatting for OpenSSH < 7.8 * Adding changelog fragment * Adding OpenSSL/cryptography dependency for integration tests * Adding private_key_format option and removing forced cryptography update for CI * Fixed version check for bcrypt and key_format option name * Setting no_log=False for private_key_format * Docs correction and simplification of control flow for private_key_format
2026-05-08 14:22:56 +00:00 · 2021-05-10 08:47:01 -04:00
parent 37c1540ff4
commit 6100d9b4df
8 changed files with 395 additions and 69 deletions
--- a/tests/integration/targets/openssh_keypair/meta/main.yml
+++ b/tests/integration/targets/openssh_keypair/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
  - setup_ssh_keygen
+  - setup_openssl
--- a/tests/integration/targets/openssh_keypair/tasks/main.yml
+++ b/tests/integration/targets/openssh_keypair/tasks/main.yml
@@ -4,6 +4,9 @@
 # and should not be used as examples of how to write Ansible roles #
 ####################################################################

+# Bumps up cryptography and bcrypt versions to be compatible with OpenSSH >= 7.8
+- import_tasks: ./setup_bcrypt.yml
+
 - name: Generate privatekey1 - standard (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/privatekey1'
@@ -124,7 +127,7 @@
  register: privatekey7_modified_result

 - name: Generate password protected key
-  command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N password'
+  command: 'ssh-keygen -f {{ output_dir }}/privatekey8 -N {{ passphrase }}'

 - name: Try to modify the password protected key - should fail
  openssh_keypair:
@@ -140,6 +143,58 @@
    size: 2048
  register: privatekey8_result_force

+- name: Generate another password protected key
+  command: 'ssh-keygen -f {{ output_dir }}/privatekey9 -N {{ passphrase }}'
+
+- name: Try to modify the password protected key with passphrase
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey9'
+    size: 1024
+    passphrase: "{{ passphrase }}"
+  register: privatekey9_modified_result
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+- name: Generate another unprotected key
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey10'
+    size: 2048
+
+- name: Try to Modify unprotected key with passphrase
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey10'
+    size: 2048
+    passphrase: "{{ passphrase }}"
+  ignore_errors: true
+  register: privatekey10_result
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+
+- name: Try to force modify the password protected key with force=true
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey10'
+    size: 2048
+    passphrase: "{{ passphrase }}"
+    force: true
+  register: privatekey10_result_force
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+- name: Ensure that ssh-keygen can read keys generated with passphrase
+  command: 'ssh-keygen -yf {{ output_dir }}/privatekey10 -P {{ passphrase }}'
+  register: privatekey10_result_sshkeygen
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+- name: Generate PEM encoded key with passphrase
+  command: 'ssh-keygen -f {{ output_dir }}/privatekey11 -N {{ passphrase }} -m PEM'
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+- name: Try to verify a PEM encoded key
+  openssh_keypair:
+    path: '{{ output_dir }}/privatekey11'
+    size: 2048
+    passphrase: "{{ passphrase }}"
+  register: privatekey11_result
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
 - import_tasks: ../tests/validate.yml


@@ -152,8 +207,9 @@
    size: 1024
  loop: "{{ regenerate_values }}"
 - name: Regenerate - setup password protected keys
-  command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N password'
+  command: 'ssh-keygen -f {{ output_dir }}/regenerate-b-{{ item }} -N {{ passphrase }}'
  loop: "{{ regenerate_values }}"
+
 - name: Regenerate - setup broken keys
  copy:
    dest: '{{ output_dir }}/regenerate-c-{{ item.0 }}{{ item.1 }}'
@@ -162,6 +218,10 @@
  with_nested:
    - "{{ regenerate_values }}"
    - [ '', '.pub' ]
+    -
+- name: Regenerate - setup password protected keys for passphrse test
+  command: 'ssh-keygen -f {{ output_dir }}/regenerate-d-{{ item }} -N {{ passphrase }}'
+  loop: "{{ regenerate_values }}"

 - name: Regenerate - modify broken keys (check mode)
  openssh_keypair:
@@ -225,6 +285,29 @@
      - result.results[3] is changed
      - result.results[4] is changed

+- name: Regenerate - modify password protected keys with passphrase (check mode)
+  openssh_keypair:
+    path: '{{ output_dir }}/regenerate-b-{{ item }}'
+    type: rsa
+    size: 1024
+    passphrase: "{{ passphrase }}"
+    regenerate: '{{ item }}'
+  check_mode: yes
+  loop: "{{ regenerate_values }}"
+  ignore_errors: yes
+  register: result
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+- assert:
+    that:
+      - result.results[0] is success
+      - result.results[1] is failed
+      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+      - result.results[2] is changed
+      - result.results[3] is changed
+      - result.results[4] is changed
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
 - name: Regenerate - modify password protected keys
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-b-{{ item }}'
@@ -245,6 +328,28 @@
      - result.results[3] is changed
      - result.results[4] is changed

+- name: Regenerate - modify password protected keys with passphrase
+  openssh_keypair:
+    path: '{{ output_dir }}/regenerate-d-{{ item }}'
+    type: rsa
+    size: 1024
+    passphrase: "{{ passphrase }}"
+    regenerate: '{{ item }}'
+  loop: "{{ regenerate_values }}"
+  ignore_errors: yes
+  register: result
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
+- assert:
+    that:
+      - result.results[0] is success
+      - result.results[1] is failed
+      - "'Key has wrong type and/or size. Will not proceed.' in result.results[1].msg"
+      - result.results[2] is changed
+      - result.results[3] is changed
+      - result.results[4] is changed
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
+
 - name: Regenerate - not modify regular keys (check mode)
  openssh_keypair:
    path: '{{ output_dir }}/regenerate-a-{{ item }}'
--- a/tests/integration/targets/openssh_keypair/tasks/setup_bcrypt.yml
+++ b/tests/integration/targets/openssh_keypair/tasks/setup_bcrypt.yml
@@ -0,0 +1,24 @@
+---
+####################################################################
+# WARNING: These are designed specifically for Ansible tests       #
+# and should not be used as examples of how to write Ansible roles #
+####################################################################
+
+- name: Attempt to install dependencies for OpenSSH > 7.8
+  block:
+    - name: Ensure bcrypt 3.1.5 available
+      become: true
+      pip:
+        name: bcrypt==3.1.5
+        extra_args: "-c {{ remote_constraints }}"
+
+    - name: Register bcrypt version
+      command: "{{ ansible_python.executable }} -c 'import bcrypt; print(bcrypt.__version__)'"
+      register: bcrypt_version
+  ignore_errors: true
+
+- name: Ensure bcrypt_version is defined
+  set_fact:
+    bcrypt_version:
+      stdout: 0.0
+  when: bcrypt_version is not defined
--- a/tests/integration/targets/openssh_keypair/tests/validate.yml
+++ b/tests/integration/targets/openssh_keypair/tests/validate.yml
@@ -138,3 +138,31 @@
  assert:
    that:
      - privatekey8_result_force is changed
+
+- block:
+    - name: Check that password protected key with passphrase was regenerated
+      assert:
+        that:
+          - privatekey9_modified_result is changed
+
+    - name: Check that modifying unprotected key with passphrase fails
+      assert:
+        that:
+          - privatekey10_result is failed
+          - "'Unable to read the key. The key is protected with a passphrase or broken.' in privatekey8_result.msg"
+
+    - name: Check that unprotected key was regenerated with force=yes and passphrase supplied
+      assert:
+        that:
+          - privatekey10_result_force is changed
+
+    - name: Check that ssh-keygen output from passphrase protected key matches openssh_keypair
+      assert:
+        that:
+          - privatekey10_result_force.public_key == privatekey10_result_sshkeygen.stdout
+
+    - name: Check that PEM encoded private keys are loaded successfully
+      assert:
+        that:
+          - privatekey11_result is success
+  when: cryptography_version.stdout is version('3.0', '>=') and bcrypt_version.stdout is version('3.1.5', '>=')
--- a/tests/integration/targets/openssh_keypair/vars/main.yml
+++ b/tests/integration/targets/openssh_keypair/vars/main.yml
@@ -1,4 +1,5 @@
 ---
+passphrase: password
 regenerate_values:
  - never
  - fail