Skip to content

communicator: don't set bastion cert if key is set#174

Merged
nywilken merged 1 commit intomainfrom
fix_bastion_cert_assignment
Apr 27, 2023
Merged

communicator: don't set bastion cert if key is set#174
nywilken merged 1 commit intomainfrom
fix_bastion_cert_assignment

Conversation

@lbajolet-hashicorp
Copy link
Copy Markdown
Contributor

@lbajolet-hashicorp lbajolet-hashicorp commented Apr 19, 2023

When attempting to set the bastion key/certificate for authenticating with the bastion, we generally fallback to the ones defined by the SSH configuration.

However, if the bastion SSH key is set, and not the certificate, but the SSH connection's are, since the conditions are separate, we end-up in a situation where the bastion's SSH key uses the one from the config, and the certificate fall backs to the one from the SSH connection.

This in turn fails, as the certificate's public key matches the private key from the SSH connection, and not the bastion's.

To avoid a situation like this, we only fallback to the SSH connection's certificate if the bastion's SSH key isn't set.

Closes #173

@lbajolet-hashicorp lbajolet-hashicorp requested a review from a team as a code owner April 19, 2023 21:44
@lbajolet-hashicorp
Copy link
Copy Markdown
Contributor Author

lbajolet-hashicorp commented Apr 19, 2023
edited
Loading

NOTE: I'm still working on tests right now, so this may not be ready to be merged immediately, but this can be reviewed in the meantime

Tests are done, this PR can be reviewed.

@lbajolet-hashicorp lbajolet-hashicorp force-pushed the fix_bastion_cert_assignment branch from 3681f1e to e2d8faf Compare April 20, 2023 15:32
nywilken
nywilken reviewed Apr 27, 2023
View reviewed changes
@lbajolet-hashicorp
communicator: don't set bastion cert if key is set
abd0c21 
When attempting to set the bastion key/certificate for authenticating
with the bastion, we generally fallback to the ones defined by the SSH
configuration.

However, if the bastion SSH key is set, and not the certificate, but the
SSH connection's are, since the conditions are separate, we end-up in a
situation where the bastion's SSH key uses the one from the config, and
the certificate fall backs to the one from the SSH connection.

This in turn fails, as the certificate's public key matches the private
key from the SSH connection, and not the bastion's.

To avoid a situation like this, we only fallback to the SSH connection's
certificate if the bastion's SSH key isn't set.
@lbajolet-hashicorp lbajolet-hashicorp force-pushed the fix_bastion_cert_assignment branch from e2d8faf to abd0c21 Compare April 27, 2023 20:59
nywilken
nywilken approved these changes Apr 27, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@nywilken nywilken left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@nywilken nywilken merged commit a27f60a into main Apr 27, 2023
@nywilken nywilken deleted the fix_bastion_cert_assignment branch April 27, 2023 23:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nywilken nywilken nywilken approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ssh_certificate_file is wrongly used for ssh bastion

2 participants

@lbajolet-hashicorp @nywilken