ansible / ansible

Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.
https://www.ansible.com/
GNU General Public License v3.0

ansible-vault strips passwords #73875

Open lassizci opened 3 years ago

lassizci commented 3 years ago

Summary

Ansible vault seems to strip whitespace from passwords, so "    foo    " is the same as "foo". I don't think this is quite dangerous thing to do for security.

Noticed this as I'm generating ansible-vaults from python code, such as:

import json

from ansible.parsing.vault import VaultLib, VaultSecret

def generate_ansible_vault(vault_key: bytes, content: dict) -> bytes:
    # vault_key is the raw password bytes; VaultSecret wraps them for VaultLib
    vault_secret = VaultSecret(vault_key)
    vault = VaultLib()
    # serialise the payload, then produce the $ANSIBLE_VAULT;... envelope
    content_json = json.dumps(content)
    return vault.encrypt(content_json, vault_secret)

which are then consumed using the standard ansible-vault CLI. vault_key is generated from random bytes, which might result in whitespace characters too. While I do realize the Python API isn't supported, I think it's a bit of a nasty thing to do still, as even if I used ansible-vault to generate the vaults, it would actually be encrypted with a different secret than I thought it would be.

Issue Type

Bug Report

Component Name

ansible-vault

Ansible Version

2.9.9

Configuration

$ ansible-config dump --only-changed
(no changes)

OS / Environment

any

Steps to Reproduce

echo "    foo    " > vault-secret
ansible-vault create --vault-password-file ./vault-secret ./vault

echo "foo" > vault-secret2
ansible-vault view --vault-password-file ./vault-secret2 ./vault

Expected Results

It should not be possible to decrypt the vault with a password that is not the same as the one used to encrypt it.

Actual Results

Vault decrypts with both files

ansibot commented 3 years ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

sivel commented 3 years ago

While this is somewhat simple to fix in theory, it will be a little complicated to fix in practice.

The offending line is:

https://github.com/ansible/ansible/blob/bcefb6b5f1e5b502e4368f74637d18036f0a2477/lib/ansible/parsing/vault/__init__.py#L427

However, this could cause existing vault password files to fail to open existing vaults, if the user is relying on this behavior.

So while we should remove that .strip(), when we later attempt to decrypt the vault and the password file has leading or trailing spaces, we will need to strip and try again if the initial decryption failed.
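The following is an added example, not code from the ansible project or from either commenter, that shows the two behaviours side by side: the reported one, where the password file is read and .strip()ped so "    foo    " and "foo" derive the same key, and the fix sketched above, where the verbatim file content is tried first and the stripped form is retried only if decryption fails. The cipher here is a constructed stand-in (PBKDF2-HMAC-SHA256 key derivation, an HMAC-SHA256 counter-mode keystream and an HMAC tag), not the real ansible-vault format, chosen so the example runs with only the standard library; all function names (toy_encrypt, toy_decrypt, legacy_password, decrypt_with_fallback, demo) and the password-file contents are assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Toy vault: a constructed stand-in, NOT the real ansible-vault format.
# It keeps the one property that matters for this issue: the key is derived
# from the exact password bytes, and a wrong password fails authentication.
PBKDF2_ROUNDS = 10_000  # assumption: kept low so the demo runs quickly


def _derive_keys(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte keystream key and a 32-byte MAC key from the password."""
    km = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(plaintext: bytes, password: bytes) -> bytes:
    """Return salt || tag || ciphertext for the given password bytes."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    return salt + tag + ciphertext


def toy_decrypt(blob: bytes, password: bytes) -> bytes:
    """Verify the tag, then decrypt; raise ValueError on a wrong password."""
    salt, tag, ciphertext = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed (wrong password or corrupted vault)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, len(ciphertext))))


def legacy_password(file_bytes: bytes) -> bytes:
    """Behaviour reported in the issue: the password file content is .strip()ped."""
    return file_bytes.strip()


def decrypt_with_fallback(blob: bytes, file_bytes: bytes) -> tuple[bytes, bool]:
    """Proposed behaviour: try the verbatim file content first; only if that fails
    and the content has surrounding whitespace, retry with it stripped so vaults
    created under the old behaviour still open. Returns (plaintext, used_fallback)."""
    try:
        return toy_decrypt(blob, file_bytes), False
    except ValueError:
        stripped = file_bytes.strip()
        if stripped == file_bytes:
            raise
        return toy_decrypt(blob, stripped), True


def demo() -> dict:
    # Constructed password-file contents, as `echo` would write them (trailing newline).
    padded = b"    foo    \n"
    plain = b"foo\n"
    secret = b"db_password: hunter2"
    results = {}

    # 1. Reported behaviour: both files collapse to b"foo", so either opens the vault.
    legacy_vault = toy_encrypt(secret, legacy_password(padded))
    results["legacy_opens_with_other_file"] = toy_decrypt(legacy_vault, legacy_password(plain)) == secret

    # 2. Proposed behaviour: vault created with the verbatim padded password; the plain
    #    file must fail even after the stripped retry (b"foo" != b"    foo    \n").
    new_vault = toy_encrypt(secret, padded)
    try:
        decrypt_with_fallback(new_vault, plain)
        results["new_rejects_other_file"] = False
    except ValueError:
        results["new_rejects_other_file"] = True

    # 3. Backwards compatibility: an old vault encrypted with the stripped b"foo" still
    #    opens from a file containing b"foo\n", via the fallback path.
    plaintext, used_fallback = decrypt_with_fallback(legacy_vault, plain)
    results["old_vault_still_opens"] = plaintext == secret and used_fallback
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Note the asymmetry the fallback introduces: a vault encrypted with a whitespace-padded password is no longer openable with the bare password, but a file with surrounding whitespace still opens a vault that was encrypted with the stripped form, because that is exactly the case the retry exists for. The retry also costs one extra key derivation on every genuinely wrong password, which is cheap but worth knowing about.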