openssh_* modules: check return code on ssh(-keygen) invocations; fail if comment cannot be updated (#646)

* Check return code on ssh(-keygen) invocations. * openssh_cert: only check for errors if certificate should be present and module is not in check mode. * Handle rc check for _get_private_key(). * Add changelog fragment. * Only pass -o for comment updating when necessary. * Now fails if comment cannot be updated. This was silently ignored in the past. * Avoid failing operation.
2026-05-06 13:22:58 +00:00 · 2023-08-12 17:14:00 +02:00
parent 62c842548d
commit addbd067c8
6 changed files with 57 additions and 28 deletions
--- a/plugins/module_utils/openssh/backends/keypair_backend.py
+++ b/plugins/module_utils/openssh/backends/keypair_backend.py
@@ -323,23 +323,27 @@ class KeypairBackendOpensshBin(KeypairBackend):
        self.ssh_keygen = KeygenCommand(self.module)

    def _generate_keypair(self, private_key_path):
-        self.ssh_keygen.generate_keypair(private_key_path, self.size, self.type, self.comment)
+        self.ssh_keygen.generate_keypair(private_key_path, self.size, self.type, self.comment, check_rc=True)

    def _get_private_key(self):
-        private_key_content = self.ssh_keygen.get_private_key(self.private_key_path)[1]
+        rc, private_key_content, err = self.ssh_keygen.get_private_key(self.private_key_path, check_rc=False)
+        if rc != 0:
+            raise ValueError(err)
        return PrivateKey.from_string(private_key_content)

    def _get_public_key(self):
-        public_key_content = self.ssh_keygen.get_matching_public_key(self.private_key_path)[1]
+        public_key_content = self.ssh_keygen.get_matching_public_key(self.private_key_path, check_rc=True)[1]
        return PublicKey.from_string(public_key_content)

    def _private_key_readable(self):
-        rc, stdout, stderr = self.ssh_keygen.get_matching_public_key(self.private_key_path)
+        rc, stdout, stderr = self.ssh_keygen.get_matching_public_key(self.private_key_path, check_rc=False)
        return not (rc == 255 or any_in(stderr, 'is not a public key file', 'incorrect passphrase', 'load failed'))

    def _update_comment(self):
        try:
-            self.ssh_keygen.update_comment(self.private_key_path, self.comment)
+            ssh_version = self._get_ssh_version() or "7.8"
+            force_new_format = LooseVersion('6.5') <= LooseVersion(ssh_version) < LooseVersion('7.8')
+            self.ssh_keygen.update_comment(self.private_key_path, self.comment, force_new_format=force_new_format, check_rc=True)
        except (IOError, OSError) as e:
            self.module.fail_json(msg=to_native(e))