user: do not pass ssh_key_passphrase on cmdline

CVE-2018-16837 Co-authored-by: Toshio Kuratomi <a.badger@gmail.com>
2026-05-08 06:12:51 +00:00 · 2018-10-22 17:42:59 +02:00
parent 9180d2c7f2
commit a0aa53d1a1
3 changed files with 83 additions and 5 deletions
--- a/test/integration/targets/user/tasks/main.yml
+++ b/test/integration/targets/user/tasks/main.yml
@@ -493,3 +493,32 @@
          - result.bakup
          - shadow_backups.files | map(attribute='path') | list | length > 0
  when: ansible_os_family == 'Solaris'
+
+
+# Test creating ssh key with passphrase
+- name: Remove ansibulluser
+  user:
+    name: ansibulluser
+    state: absent
+
+- name: Create user with ssh key
+  user:
+    name: ansibulluser
+    state: present
+    generate_ssh_key: yes
+    ssh_key_file: "{{ output_dir }}/test_id_rsa"
+    ssh_key_passphrase: secret_passphrase
+
+- name: Unlock ssh key
+  command: "ssh-keygen -y -f {{ output_dir }}/test_id_rsa -P secret_passphrase"
+  register: result
+
+- name: Check that ssh key was unlocked successfully
+  assert:
+    that:
+      - result.rc == 0
+
+- name: Clean ssh key
+  file:
+    path: "{{ output_dir }}/test_id_rsa"
+    state: absent