Open lassizci opened 3 years ago
Files identified in the description:
lib/ansible/parsing/vault
If these files are incorrect, please update the component name section of the description or use the !component bot command.
While this is somewhat simple to fix in theory, it will be a little complicated to fix in practice.
The offending line is:
However, this could cause existing vault password files to fail to open existing vaults, if the user is relying on this behavior.
So while we should remove that .strip(), we will later need to attempt to decrypt the vault and, if the password file has leading or trailing spaces and the initial decryption failed, strip them and try again.
Summary
Ansible vault seems to strip whitespace from passwords, so `foo ` (with trailing whitespace) is the same as `foo`. I don't think this is quite a dangerous thing to do for security.
Noticed this as I'm generating ansible-vaults from python code, such as:
which are then consumed using the standard ansible-vault cli. vault_key is generated from random bytes, which might result in whitespace characters too. While I do realize the python api isn't supported, I think it's a bit of a nasty thing to do still, as even if I used ansible-vault to generate the vaults, they would actually be encrypted with a different secret than I thought they would be.
Issue Type
Bug Report
Component Name
ansible-vault
Ansible Version
Configuration
OS / Environment
any
Steps to Reproduce
Expected Results
It should not be possible to decrypt the vault with a password that is not the same one that was used to encrypt it.
Actual Results
Vault decrypts with both files
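The stripping behaviour described in the summary and the compatibility fallback proposed in the comment above, shown as an added example that is not Ansible's code and not part of this issue. A toy sealed blob stands in for a vault (PBKDF2-HMAC-SHA256 key derivation, a SHA-256 keystream and an HMAC-SHA256 tag are all assumptions for the demo, not the real vault 1.1 format); `password_current` mimics the unconditional `.strip()` on the password file, and `unseal_with_fallback` tries the exact file bytes first and the stripped form only if that fails. The password-file contents and vault payload are constructed for the demo.

```python
import hashlib
import hmac
import os

# Toy sealed blob standing in for an Ansible vault (assumed format, not Ansible's):
# PBKDF2-HMAC-SHA256 derives an encryption key and a MAC key from the password,
# a SHA-256 keystream XOR provides confidentiality, and an HMAC over the
# ciphertext lets a wrong password be detected instead of yielding garbage.
PBKDF2_ITERATIONS = 10000  # low for demo speed; real vaults use far more


def _derive_keys(password, salt):
    km = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, n):
    # Counter-mode style keystream: SHA-256(key || counter) blocks, truncated to n bytes.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(password, plaintext):
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def unseal(password, blob):
    enc_key, mac_key = _derive_keys(password, blob["salt"])
    expected = hmac.new(mac_key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password (MAC mismatch)")
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, len(blob["ct"]))))


def password_current(file_contents):
    # Current behaviour: whatever the password file holds is stripped unconditionally,
    # so "foo \n", " foo" and "foo\n" all become b"foo".
    return file_contents.strip()


def unseal_with_fallback(file_contents, blob):
    # Proposed behaviour: use the file bytes exactly as read; only if that fails, and
    # only if stripping changes anything, retry with the stripped form so vaults that
    # were created with a stripped password keep opening. Returns (plaintext, how).
    try:
        return unseal(file_contents, blob), "exact"
    except ValueError:
        stripped = file_contents.strip()
        if stripped == file_contents:
            raise
        return unseal(stripped, blob), "stripped"


def _opens(fn):
    try:
        fn()
        return True
    except ValueError:
        return False


def demo():
    msg = b"db_password: hunter2\n"  # constructed vault payload
    # What today's CLI produces from a password file "foo \n": it strips, so the
    # secret actually used is b"foo".
    legacy_blob = seal(b"foo", msg)
    # What a script using the raw key bytes produces when the key ends in whitespace.
    api_blob = seal(b"foo ", msg)
    return {
        # The collision from the report: two different files open the same vault.
        "current_opens_legacy_with_foo_space": _opens(lambda: unseal(password_current(b"foo \n"), legacy_blob)),
        "current_opens_legacy_with_foo": _opens(lambda: unseal(password_current(b"foo\n"), legacy_blob)),
        # A vault sealed with a whitespace-bearing secret cannot be opened at all today.
        "current_opens_api_vault": _opens(lambda: unseal(password_current(b"foo "), api_blob)),
        # With the fallback: exact bytes win, stripped form keeps legacy vaults working.
        "fallback_api_vault": unseal_with_fallback(b"foo ", api_blob)[1],
        "fallback_legacy_vault": unseal_with_fallback(b"foo \n", legacy_blob)[1],
        # A file holding b"foo" has nothing to strip, so the API vault stays closed.
        "fallback_rejects_wrong": _opens(lambda: unseal_with_fallback(b"foo", api_blob)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The fallback is a compatibility trade-off, not a full fix: a file containing `foo\n` still opens a vault that was sealed with `foo`, because that is exactly what legacy vaults were sealed with; only vaults whose secret genuinely contains leading or trailing whitespace gain an exact-match requirement. Note also that a trailing newline added by an editor counts as whitespace, so a password file for a whitespace-bearing secret must be written byte-exact.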