Windows SSH key permissions workaround (#1584)

* Windows SSH key permissions workaround * Ensure Ansible is not being run in a world writable directory * linting
2025-06-05 22:54:01 +02:00 · 2019-11-01 09:57:20 +01:00 · 2019-11-01 09:57:20 +01:00 · dfd979eb68
commit dfd979eb68
parent 5737317dae
5 changed files with 36 additions and 14 deletions
--- a/config.cfg
+++ b/config.cfg
@ -132,6 +132,7 @@ congrats:
 SSH_keys:
  comment: algo@ssh
  private: configs/algo.pem
+  private_tmp: /tmp/algo-ssh.pem
  public: configs/algo.pem.pub

 cloud_providers:
--- a/main.yml
+++ b/main.yml
@ -2,6 +2,18 @@
 - hosts: localhost
  become: false
  tasks:
+    - name: Playbook dir stat
+      stat:
+        path: "{{ playbook_dir }}"
+      register: _playbook_dir
+
+    - name: Ensure Ansible is not being run in a world writable directory
+      assert:
+        that: _playbook_dir.stat.mode|int <= 0775
+        msg: >
+          Ansible is being run in a world writable directory ({{ playbook_dir }}), ignoring it as an ansible.cfg source.
+          For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
+
    - name: Ensure the requirements installed
      debug:
        msg: "{{ '' | ipaddr }}"
--- a/playbooks/cloud-post.yml
+++ b/playbooks/cloud-post.yml
@ -23,7 +23,7 @@
 - name: Additional variables for the server
  add_host:
    name: "{% if cloud_instance_ip == 'localhost' %}localhost{% else %}{{ cloud_instance_ip }}{% endif %}"
-    ansible_ssh_private_key_file: "{{ SSH_keys.private }}"
+    ansible_ssh_private_key_file: "{{ SSH_keys.private_tmp }}"
  when: algo_provider != 'local'

 - name: Wait until SSH becomes ready...
--- a/playbooks/cloud-pre.yml
+++ b/playbooks/cloud-pre.yml
@ -29,17 +29,26 @@
  delegate_to: localhost
  become: false

- name: Generate the SSH private key
-  openssl_privatekey:
-    path: "{{ SSH_keys.private }}"
-    size: 2048
-    mode: "0600"
-    type: RSA
-  when: algo_provider != "local"
+- block:
+  - name: Generate the SSH private key
+    openssl_privatekey:
+      path: "{{ SSH_keys.private }}"
+      size: 2048
+      mode: "0600"
+      type: RSA

- name: Generate the SSH public key
-  openssl_publickey:
-    path: "{{ SSH_keys.public }}"
-    privatekey_path: "{{ SSH_keys.private }}"
-    format: OpenSSH
+  - name: Generate the SSH public key
+    openssl_publickey:
+      path: "{{ SSH_keys.public }}"
+      privatekey_path: "{{ SSH_keys.private }}"
+      format: OpenSSH
+
+  - name: Copy the private SSH key to /tmp
+    copy:
+      src: "{{ SSH_keys.private }}"
+      dest: "{{ SSH_keys.private_tmp }}"
+      force: true
+      mode: '0600'
+    delegate_to: localhost
+    become: false
  when: algo_provider != "local"
--- a/server.yml
+++ b/server.yml
@ -41,7 +41,7 @@
              server: {{ 'localhost' if inventory_hostname == 'localhost' else inventory_hostname }}
              server_user: {{ ansible_ssh_user }}
              {% if algo_provider != "local" %}
-              ansible_ssh_private_key_file: {{ ansible_ssh_private_key_file|default(SSH_keys.private) }}
+              ansible_ssh_private_key_file: {{ SSH_keys.private }}
              {% endif %}
              algo_provider: {{ algo_provider }}
              algo_server_name: {{ algo_server_name }}