openssh_* modules: check return code on ssh(-keygen) invocations; fail if comment cannot be updated (#646)

* Check return code on ssh(-keygen) invocations. * openssh_cert: only check for errors if certificate should be present and module is not in check mode. * Handle rc check for _get_private_key(). * Add changelog fragment. * Only pass -o for comment updating when necessary. * Now fails if comment cannot be updated. This was silently ignored in the past. * Avoid failing operation.
2026-03-26 21:33:25 +00:00 · 2023-08-12 17:14:00 +02:00
parent 62c842548d
commit addbd067c8
6 changed files with 57 additions and 28 deletions
--- a/tests/integration/targets/openssh_keypair/tests/options.yml
+++ b/tests/integration/targets/openssh_keypair/tests/options.yml
@@ -100,8 +100,10 @@
    comment: "test_modified@comment"
    backend: "{{ backend }}"
  register: modified_comment_output
+  ignore_errors: true

 - name: "({{ backend }}) Assert comment preserved public key - comment"
+  when: modified_comment_output is succeeded
  assert:
    that:
      - comment_output.public_key == modified_comment_output.public_key
@@ -111,9 +113,17 @@
  assert:
    that:
      - modified_comment_output.comment == 'test_modified@comment'
+      - modified_comment_output is succeeded
  # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
  when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))

+- name: "({{ backend }}) Assert comment not changed - comment"
+  assert:
+    that:
+      - modified_comment_output is failed
+  # Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
+  when: backend == 'opensshbin' and openssh_version is version('7.2', '<')
+
 - name: "({{ backend }}) Remove key - comment"
  openssh_keypair:
    path: "{{ remote_tmp_dir }}/comment"
--- a/tests/integration/targets/openssh_keypair/tests/regenerate.yml
+++ b/tests/integration/targets/openssh_keypair/tests/regenerate.yml
@@ -329,22 +329,25 @@
    that:
      - result is changed

- name: "({{ backend }}) Regenerate - adjust comment"
-  openssh_keypair:
-    path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
-    type: dsa
-    size: 1024
-    comment: test comment
-    regenerate: '{{ item }}'
-    backend: "{{ backend }}"
-  loop: "{{ regenerate_values }}"
-  register: result
- assert:
-    that:
-      - result is changed
-      # for all values but 'always', the key should not be regenerated.
-      # verify this by comparing fingerprints:
-      - result.results[0].fingerprint == result.results[1].fingerprint
-      - result.results[0].fingerprint == result.results[2].fingerprint
-      - result.results[0].fingerprint == result.results[3].fingerprint
-      - result.results[0].fingerprint != result.results[4].fingerprint
+# Support for updating comments for key types other than rsa1 was added in OpenSSH 7.2
+- when: not (backend == 'opensshbin' and openssh_version is version('7.2', '<'))
+  block:
+  - name: "({{ backend }}) Regenerate - adjust comment"
+    openssh_keypair:
+      path: '{{ remote_tmp_dir }}/regenerate-a-{{ item }}'
+      type: dsa
+      size: 1024
+      comment: test comment
+      regenerate: '{{ item }}'
+      backend: "{{ backend }}"
+    loop: "{{ regenerate_values }}"
+    register: result
+  - assert:
+      that:
+        - result is changed
+        # for all values but 'always', the key should not be regenerated.
+        # verify this by comparing fingerprints:
+        - result.results[0].fingerprint == result.results[1].fingerprint
+        - result.results[0].fingerprint == result.results[2].fingerprint
+        - result.results[0].fingerprint == result.results[3].fingerprint
+        - result.results[0].fingerprint != result.results[4].fingerprint