Implement use_agent option to get signing key from ssh-agent. (#117)

2026-05-06 05:12:54 +00:00 · 2020-10-19 12:07:36 -04:00
parent a6490fa60e
commit b32adcce78
7 changed files with 192 additions and 0 deletions
--- a/plugins/module_utils/crypto/openssh.py
+++ b/plugins/module_utils/crypto/openssh.py
@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+#
+# (c) 2020, Doug Stanley <doug+ansible@technologixllc.com>
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
+
+import re
+
+
+def parse_openssh_version(version_string):
+    """Parse the version output of ssh -V and return version numbers that can be compared"""
+
+    parsed_result = re.match(
+        r"^.*openssh_(?P<version>[0-9.]+)(p?[0-9]+)[^0-9]*.*$", version_string.lower()
+    )
+    if parsed_result is not None:
+        version = parsed_result.group("version").strip()
+    else:
+        version = None
+
+    return version
--- a/plugins/modules/openssh_cert.py
+++ b/plugins/modules/openssh_cert.py
@@ -53,6 +53,12 @@ options:
            - If this is set, I(signing_key) needs to point to a file containing the public key of the CA.
        type: str
        version_added: 1.1.0
+    use_agent:
+        description:
+            - Should the ssh-keygen use a CA key residing in a ssh-agent.
+        type: bool
+        default: false
+        version_added: 1.3.0
    public_key:
        description:
            - The path to the public key that will be signed with the signing key in order to generate the certificate.
@@ -216,12 +222,14 @@ import tempfile

 from datetime import datetime
 from datetime import MINYEAR, MAXYEAR
+from distutils.version import LooseVersion
 from shutil import copy2, rmtree

 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils._text import to_native

 from ansible_collections.community.crypto.plugins.module_utils.crypto.support import convert_relative_to_datetime
+from ansible_collections.community.crypto.plugins.module_utils.crypto.openssh import parse_openssh_version


 class CertificateError(Exception):
@@ -235,6 +243,7 @@ class Certificate(object):
        self.force = module.params['force']
        self.type = module.params['type']
        self.signing_key = module.params['signing_key']
+        self.use_agent = module.params['use_agent']
        self.pkcs11_provider = module.params['pkcs11_provider']
        self.public_key = module.params['public_key']
        self.path = module.params['path']
@@ -273,6 +282,9 @@ class Certificate(object):
            if self.pkcs11_provider:
                args.extend(['-D', self.pkcs11_provider])

+            if self.use_agent:
+                args.extend(['-U'])
+
            validity = ""

            if not (self.valid_from == "always" and self.valid_to == "forever"):
@@ -547,6 +559,7 @@ def main():
            force=dict(type='bool', default=False),
            type=dict(type='str', choices=['host', 'user']),
            signing_key=dict(type='path'),
+            use_agent=dict(type='bool', default=False),
            pkcs11_provider=dict(type='str'),
            public_key=dict(type='path'),
            path=dict(type='path', required=True),
@@ -563,6 +576,21 @@ def main():
        required_if=[('state', 'present', ['type', 'signing_key', 'public_key', 'valid_from', 'valid_to'])],
    )

+    if module.params['use_agent']:
+        ssh = module.get_bin_path('ssh', True)
+        proc = module.run_command([ssh, '-Vq'])
+        ssh_version_string = proc[2].strip()
+        ssh_version = parse_openssh_version(ssh_version_string)
+        if ssh_version is None:
+            module.fail_json(msg="Failed to parse ssh version")
+        elif LooseVersion(ssh_version) < LooseVersion("7.6"):
+            module.fail_json(
+                msg=(
+                    "Signing with CA key in ssh agent requires ssh 7.6 or newer."
+                    " Your version is: %s"
+                ) % ssh_version_string
+            )
+
    def isBaseDir(path):
        base_dir = os.path.dirname(path) or '.'
        if not os.path.isdir(base_dir):