Merge pull request #9341 from briancain/9062/master/deprecate-paranoid-ssh-setting

Deprecate :paranoid in favor of :verify_host_key
This commit is contained in:
Brian Cain 2018-01-05 13:33:40 -08:00 committed by GitHub
commit 24903c27b3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
16 changed files with 65 additions and 41 deletions


@ -438,7 +438,7 @@ module Vagrant
info[:port] ||= @config.ssh.default.port info[:port] ||= @config.ssh.default.port
info[:private_key_path] ||= @config.ssh.default.private_key_path info[:private_key_path] ||= @config.ssh.default.private_key_path
info[:keys_only] ||= @config.ssh.default.keys_only info[:keys_only] ||= @config.ssh.default.keys_only
info[:paranoid] ||= @config.ssh.default.paranoid info[:verify_host_key] ||= @config.ssh.default.verify_host_key
info[:username] ||= @config.ssh.default.username info[:username] ||= @config.ssh.default.username
info[:compression] ||= @config.ssh.default.compression info[:compression] ||= @config.ssh.default.compression
info[:dsa_authentication] ||= @config.ssh.default.dsa_authentication info[:dsa_authentication] ||= @config.ssh.default.dsa_authentication
@ -449,7 +449,7 @@ module Vagrant
info[:host] = @config.ssh.host if @config.ssh.host info[:host] = @config.ssh.host if @config.ssh.host
info[:port] = @config.ssh.port if @config.ssh.port info[:port] = @config.ssh.port if @config.ssh.port
info[:keys_only] = @config.ssh.keys_only info[:keys_only] = @config.ssh.keys_only
info[:paranoid] = @config.ssh.paranoid info[:verify_host_key] = @config.ssh.verify_host_key
info[:compression] = @config.ssh.compression info[:compression] = @config.ssh.compression
info[:dsa_authentication] = @config.ssh.dsa_authentication info[:dsa_authentication] = @config.ssh.dsa_authentication
info[:username] = @config.ssh.username if @config.ssh.username info[:username] = @config.ssh.username if @config.ssh.username
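Review bot: Dropping the `:paranoid` key from the ssh_info hash at the two renamed lines means anything that still reads `ssh_info[:paranoid]` — out-of-tree provider or communicator plugins, if any do — gets nil, and in the consumers shown further down this page a falsy value is the permissive path (StrictHostKeyChecking off, known_hosts discarded), so the failure mode is fail-open rather than an error. Consider carrying the old key for a transition period, e.g. `info[:paranoid] = info[:verify_host_key]` after the final assignment, or mapping a provider-supplied `paranoid:` into `verify_host_key` before the `||=` defaults run. Whether external code relies on the key is not visible here; ssh_info's body starts and ends outside both hunks.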


@ -126,7 +126,7 @@ module Vagrant
end end
# no strict hostkey checking unless paranoid # no strict hostkey checking unless paranoid
if ! ssh_info[:paranoid] if ! ssh_info[:verify_host_key]
command_options += [ command_options += [
"-o", "StrictHostKeyChecking=no", "-o", "StrictHostKeyChecking=no",
"-o", "UserKnownHostsFile=/dev/null"] "-o", "UserKnownHostsFile=/dev/null"]
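Review bot: The comment directly above the renamed condition still reads `# no strict hostkey checking unless paranoid`, so it names an option this code no longer reads; change it to `# no strict hostkey checking unless verify_host_key`. The same stale comment sits above the identical `if ! ssh_info[:verify_host_key]` line in the rsync helper hunk further down the page. Since this branch is the one that emits `StrictHostKeyChecking=no` and `UserKnownHostsFile=/dev/null`, the comment would serve the next reader better if it also said that a falsy value disables host-key verification entirely. The enclosing method starts and ends outside the hunk.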


@ -47,7 +47,7 @@ module VagrantPlugins
ssh_port: ssh_info[:port], ssh_port: ssh_info[:port],
ssh_user: ssh_info[:username], ssh_user: ssh_info[:username],
keys_only: ssh_info[:keys_only], keys_only: ssh_info[:keys_only],
paranoid: ssh_info[:paranoid], verify_host_key: ssh_info[:verify_host_key],
private_key_path: ssh_info[:private_key_path], private_key_path: ssh_info[:private_key_path],
log_level: ssh_info[:log_level], log_level: ssh_info[:log_level],
forward_agent: ssh_info[:forward_agent], forward_agent: ssh_info[:forward_agent],


@ -364,7 +364,7 @@ module VagrantPlugins
forward_agent: ssh_info[:forward_agent], forward_agent: ssh_info[:forward_agent],
send_env: ssh_info[:forward_env], send_env: ssh_info[:forward_env],
keys_only: ssh_info[:keys_only], keys_only: ssh_info[:keys_only],
paranoid: ssh_info[:paranoid], verify_host_key: ssh_info[:verify_host_key],
password: ssh_info[:password], password: ssh_info[:password],
port: ssh_info[:port], port: ssh_info[:port],
timeout: 15, timeout: 15,
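Review bot: `verify_host_key: ssh_info[:verify_host_key]` hands Vagrant's boolean straight to Net::SSH, and the locale text added on this page asserts the supported values are unchanged; that claim should be checked against the net-ssh version the gemspec now pins. If I recall correctly, net-ssh 4.2 introduced symbolic verification modes (`:never`, `:accept_new_or_local_tunnel`, `:accept_new`, `:always`) and treats the `true`/`false` forms as legacy, in which case the deprecation only moves one layer down. A short comment at this line recording which mode each boolean maps to would make the security meaning of the setting explicit to readers of the connect options. The enclosing connect method starts and ends outside the hunk.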


@ -9,6 +9,7 @@ module VagrantPlugins
attr_accessor :insert_key attr_accessor :insert_key
attr_accessor :keys_only attr_accessor :keys_only
attr_accessor :paranoid attr_accessor :paranoid
attr_accessor :verify_host_key
attr_accessor :compression attr_accessor :compression
attr_accessor :dsa_authentication attr_accessor :dsa_authentication
attr_accessor :extra_args attr_accessor :extra_args
@ -22,6 +23,7 @@ module VagrantPlugins
@insert_key = UNSET_VALUE @insert_key = UNSET_VALUE
@keys_only = UNSET_VALUE @keys_only = UNSET_VALUE
@paranoid = UNSET_VALUE @paranoid = UNSET_VALUE
@verify_host_key = UNSET_VALUE
@compression = UNSET_VALUE @compression = UNSET_VALUE
@dsa_authentication = UNSET_VALUE @dsa_authentication = UNSET_VALUE
@extra_args = UNSET_VALUE @extra_args = UNSET_VALUE
@ -36,6 +38,7 @@ module VagrantPlugins
@insert_key = true if @insert_key == UNSET_VALUE @insert_key = true if @insert_key == UNSET_VALUE
@keys_only = true if @keys_only == UNSET_VALUE @keys_only = true if @keys_only == UNSET_VALUE
@paranoid = false if @paranoid == UNSET_VALUE @paranoid = false if @paranoid == UNSET_VALUE
@verify_host_key = false if @verify_host_key == UNSET_VALUE
@compression = true if @compression == UNSET_VALUE @compression = true if @compression == UNSET_VALUE
@dsa_authentication = true if @dsa_authentication == UNSET_VALUE @dsa_authentication = true if @dsa_authentication == UNSET_VALUE
@extra_args = nil if @extra_args == UNSET_VALUE @extra_args = nil if @extra_args == UNSET_VALUE
@ -43,6 +46,11 @@ module VagrantPlugins
if @private_key_path && !@private_key_path.is_a?(Array) if @private_key_path && !@private_key_path.is_a?(Array)
@private_key_path = [@private_key_path] @private_key_path = [@private_key_path]
end end
if @paranoid
@verify_host_key = @paranoid
end
end end
# NOTE: This is _not_ a valid config validation method, since it # NOTE: This is _not_ a valid config validation method, since it
@ -64,6 +72,10 @@ module VagrantPlugins
end end
end end
if @paranoid
machine.env.ui.warn(I18n.t("vagrant.config.ssh.paranoid_deprecated"))
end
errors errors
end end
end end
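Review bot: The deprecation warning in validate fires only when `@paranoid` is truthy, but finalize! has already collapsed an unset `@paranoid` into `false`, so a user who wrote `config.ssh.paranoid = false` explicitly is never told the option is going away. Record whether it was set before the defaulting lines: place `@paranoid_set = @paranoid != UNSET_VALUE` and `@verify_host_key = @paranoid if @paranoid_set && @verify_host_key == UNSET_VALUE` ahead of `@paranoid = false if @paranoid == UNSET_VALUE`, drop the later `if @paranoid` block, and test `if @paranoid_set` in validate. That also fixes the precedence: as written, `paranoid = true` silently overrides an explicit `verify_host_key = false`, whereas the new option should win whenever both are given. The validate method starts outside its hunk.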


@ -101,7 +101,7 @@ module VagrantPlugins
end end
# no strict hostkey checking unless paranoid # no strict hostkey checking unless paranoid
if ! ssh_info[:paranoid] if ! ssh_info[:verify_host_key]
rsh += [ rsh += [
"-o", "StrictHostKeyChecking=no", "-o", "StrictHostKeyChecking=no",
"-o", "UserKnownHostsFile=/dev/null"] "-o", "UserKnownHostsFile=/dev/null"]


@ -2,7 +2,7 @@ Host <%= host_key %>
HostName <%= ssh_host %> HostName <%= ssh_host %>
User <%= ssh_user %> User <%= ssh_user %>
Port <%= ssh_port %> Port <%= ssh_port %>
<% if ! paranoid -%> <% if ! verify_host_key -%>
UserKnownHostsFile /dev/null UserKnownHostsFile /dev/null
StrictHostKeyChecking no StrictHostKeyChecking no
<% end -%> <% end -%>


@ -1633,6 +1633,9 @@ en:
Unknown configuration section '%{key}'. Unknown configuration section '%{key}'.
ssh: ssh:
private_key_missing: "`private_key_path` file must exist: %{path}" private_key_missing: "`private_key_path` file must exist: %{path}"
paranoid_deprecated: |-
The key `paranoid` is deprecated. Please use `verify_host_key`. Supported
values are exactly the same, only the name of the option has changed.
vm: vm:
bad_version: |- bad_version: |-
Invalid box version constraints: %{version} Invalid box version constraints: %{version}


@ -23,7 +23,7 @@ describe VagrantPlugins::CommandSSHConfig::Command do
port: 1234, port: 1234,
username: "testuser", username: "testuser",
keys_only: true, keys_only: true,
paranoid: false, verify_host_key: false,
private_key_path: ["/home/vagrant/.private/keys.key"], private_key_path: ["/home/vagrant/.private/keys.key"],
forward_agent: false, forward_agent: false,
forward_x11: false forward_x11: false
@ -124,8 +124,8 @@ Host #{machine.name}
expect(output).not_to include('IdentitiesOnly') expect(output).not_to include('IdentitiesOnly')
end end
it "omits StrictHostKeyChecking and UserKnownHostsFile when paranoid is true" do it "omits StrictHostKeyChecking and UserKnownHostsFile when verify_host_key is true" do
allow(machine).to receive(:ssh_info) { ssh_info.merge(paranoid: true) } allow(machine).to receive(:ssh_info) { ssh_info.merge(verify_host_key: true) }
output = "" output = ""
allow(subject).to receive(:safe_puts) do |data| allow(subject).to receive(:safe_puts) do |data|


@ -357,7 +357,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -370,10 +370,10 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
communicator.send(:connect) communicator.send(:connect)
end end
it "has paranoid disabled" do it "has verify_host_key disabled" do
expect(Net::SSH).to receive(:start).with( expect(Net::SSH).to receive(:start).with(
nil, nil, hash_including( nil, nil, hash_including(
paranoid: false verify_host_key: false
) )
).and_return(true) ).and_return(true)
communicator.send(:connect) communicator.send(:connect)
@ -412,7 +412,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
end end
end end
context "with keys_only disabled and paranoid enabled" do context "with keys_only disabled and verify_host_key enabled" do
before do before do
expect(machine).to receive(:ssh_info).and_return( expect(machine).to receive(:ssh_info).and_return(
@ -422,7 +422,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: false, keys_only: false,
paranoid: true verify_host_key: true
) )
end end
@ -435,10 +435,10 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
communicator.send(:connect) communicator.send(:connect)
end end
it "has paranoid disabled" do it "has verify_host_key disabled" do
expect(Net::SSH).to receive(:start).with( expect(Net::SSH).to receive(:start).with(
nil, nil, hash_including( nil, nil, hash_including(
paranoid: true verify_host_key: true
) )
).and_return(true) ).and_return(true)
communicator.send(:connect) communicator.send(:connect)
@ -455,7 +455,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -479,7 +479,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -512,7 +512,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
username: 'vagrant', username: 'vagrant',
password: 'vagrant', password: 'vagrant',
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -550,7 +550,7 @@ describe VagrantPlugins::CommunicatorSSH::Communicator do
username: 'vagrant', username: 'vagrant',
password: 'vagrant', password: 'vagrant',
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
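Review bot: The renamed example `it "has verify_host_key disabled" do` inside the "with keys_only disabled and verify_host_key enabled" context asserts `verify_host_key: true`, so its description contradicts the expectation; rename it to `it "has verify_host_key enabled" do`. The winssh communicator spec below carries the same mismatch in its corresponding hunk. The old names had the same defect, but since these lines are being rewritten anyway this is the moment to fix them.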


@ -298,7 +298,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -311,10 +311,10 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
communicator.send(:connect) communicator.send(:connect)
end end
it "has paranoid disabled" do it "has verify_host_key disabled" do
expect(Net::SSH).to receive(:start).with( expect(Net::SSH).to receive(:start).with(
nil, nil, hash_including( nil, nil, hash_including(
paranoid: false verify_host_key: false
) )
).and_return(true) ).and_return(true)
communicator.send(:connect) communicator.send(:connect)
@ -339,7 +339,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
end end
end end
context "with keys_only disabled and paranoid enabled" do context "with keys_only disabled and verify_host_key enabled" do
before do before do
expect(machine).to receive(:ssh_info).and_return( expect(machine).to receive(:ssh_info).and_return(
@ -349,7 +349,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: false, keys_only: false,
paranoid: true verify_host_key: true
) )
end end
@ -362,10 +362,10 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
communicator.send(:connect) communicator.send(:connect)
end end
it "has paranoid disabled" do it "has verify_host_key disabled" do
expect(Net::SSH).to receive(:start).with( expect(Net::SSH).to receive(:start).with(
nil, nil, hash_including( nil, nil, hash_including(
paranoid: true verify_host_key: true
) )
).and_return(true) ).and_return(true)
communicator.send(:connect) communicator.send(:connect)
@ -382,7 +382,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -406,7 +406,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
username: nil, username: nil,
password: nil, password: nil,
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -439,7 +439,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
username: 'vagrant', username: 'vagrant',
password: 'vagrant', password: 'vagrant',
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end
@ -477,7 +477,7 @@ describe VagrantPlugins::CommunicatorWinSSH::Communicator do
username: 'vagrant', username: 'vagrant',
password: 'vagrant', password: 'vagrant',
keys_only: true, keys_only: true,
paranoid: false verify_host_key: false
) )
end end


@ -220,7 +220,7 @@ describe VagrantPlugins::SyncedFolderRSync::RsyncHelper do
let(:ssh_info) {{ let(:ssh_info) {{
:private_key_path => ['/path/to/key'], :private_key_path => ['/path/to/key'],
:keys_only => true, :keys_only => true,
:paranoid => false, :verify_host_key => false,
}} }}
let(:opts) {{ let(:opts) {{
hostpath: "/foo", hostpath: "/foo",


@ -790,8 +790,8 @@ describe Vagrant::Machine do
it "keys_only should be default" do it "keys_only should be default" do
expect(instance.ssh_info[:keys_only]).to be(true) expect(instance.ssh_info[:keys_only]).to be(true)
end end
it "paranoid should be default" do it "verify_host_key should be default" do
expect(instance.ssh_info[:paranoid]).to be(false) expect(instance.ssh_info[:verify_host_key]).to be(false)
end end
it "extra_args should be nil" do it "extra_args should be nil" do
expect(instance.ssh_info[:extra_args]).to be(nil) expect(instance.ssh_info[:extra_args]).to be(nil)
@ -808,9 +808,9 @@ describe Vagrant::Machine do
instance.config.ssh.keys_only = false instance.config.ssh.keys_only = false
expect(instance.ssh_info[:keys_only]).to be(false) expect(instance.ssh_info[:keys_only]).to be(false)
end end
it "paranoid should be overridden" do it "verify_host_key should be overridden" do
instance.config.ssh.paranoid = true instance.config.ssh.verify_host_key = true
expect(instance.ssh_info[:paranoid]).to be(true) expect(instance.ssh_info[:verify_host_key]).to be(true)
end end
end end
end end


@ -89,13 +89,13 @@ describe Vagrant::Util::SSH do
end end
end end
context "when paranoid is true" do context "when verify_host_key is true" do
let(:ssh_info) {{ let(:ssh_info) {{
host: "localhost", host: "localhost",
port: 2222, port: 2222,
username: "vagrant", username: "vagrant",
private_key_path: [temporary_file], private_key_path: [temporary_file],
paranoid: true verify_host_key: true
}} }}
it "does not disable StrictHostKeyChecking or set UserKnownHostsFile" do it "does not disable StrictHostKeyChecking or set UserKnownHostsFile" do


@ -22,7 +22,7 @@ Gem::Specification.new do |s|
s.add_dependency "listen", "~> 3.1.5" s.add_dependency "listen", "~> 3.1.5"
s.add_dependency "hashicorp-checkpoint", "~> 0.1.1" s.add_dependency "hashicorp-checkpoint", "~> 0.1.1"
s.add_dependency "log4r", "~> 1.1.9", "< 1.1.11" s.add_dependency "log4r", "~> 1.1.9", "< 1.1.11"
s.add_dependency "net-ssh", "~> 4.1.0" s.add_dependency "net-ssh", "~> 4.2.0"
s.add_dependency "net-sftp", "~> 2.1" s.add_dependency "net-sftp", "~> 2.1"
s.add_dependency "net-scp", "~> 1.2.0" s.add_dependency "net-scp", "~> 1.2.0"
s.add_dependency "rb-kqueue", "~> 0.2.0" s.add_dependency "rb-kqueue", "~> 0.2.0"


@ -67,9 +67,18 @@ any keys stored in ssh-agent). The default value is `true`.
<hr> <hr>
`config.ssh.verify_host_key` - Perform strict host-key verification. The default
value is `false`.
<hr>
`config.ssh.paranoid` - Perform strict host-key verification. The default value `config.ssh.paranoid` - Perform strict host-key verification. The default value
is `false`. is `false`.
__Deprecation:__
The `config.ssh.paranoid` option is deprecated and will be removed in a future release.
Please use the `config.ssh.verify_host_key` option instead.
<hr> <hr>
`config.ssh.forward_agent` - If `true`, agent forwarding over SSH `config.ssh.forward_agent` - If `true`, agent forwarding over SSH