hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

private key decode failure spilling key content into logs #18927

Open madsonic opened 6 years ago

madsonic commented 6 years ago

Terraform Version

Terraform v0.11.8
+ provider.google v1.17.1

Terraform Configuration Files

# standard google compute engine setup
...

provisioner "file" {
    source      = "/path/to/local/file"
    destination = "/path/to/remote/"

    connection {
        type = "ssh"
        user = "ubuntu"
        private_key = "${file("~/.ssh/my-ssh-key")}" # password protected key
    }
}

Debug Output

* google_compute_instance.provisioner: Failed to parse key file  
"-----BEGIN OPENSSH PRIVATE KEY-----
xxxxxxxx
-----END OPENSSH PRIVATE KEY-----\n": ssh: cannot decode encrypted private keys

Expected Behavior

Should have failed without printing the contents of the private key file.

  1. Stdout might be piped to a logging system viewable by users other than the SSH key owner
  2. Spilling the content of the key file is not necessary for debugging purposes. Printing the file name is sufficient

Actual Behavior

The private key file content was printed to stdout.

Steps to Reproduce

  1. terraform init
  2. terraform apply -auto-approve
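As an added example (not Terraform's or the Google provider's own code), a Go sketch of the behaviour the report asks for: recognise a passphrase-protected key and report only the file path and the reason, never the key bytes. The OpenSSH check reads the container's magic string and the length-prefixed cipher name that follows it; `sampleKey` builds a constructed container carrying no real key material, with only the fields this check reads.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/pem"
	"fmt"
)

const opensshMagic = "openssh-key-v1\x00" // prefix of every OpenSSH private-key container
// keyFileErr names the file and the cause only; key bytes never reach the message.
func keyFileErr(path, cause string) error {
	return fmt.Errorf("failed to parse key file %q: %s", path, cause)
}

// classifyKey reports whether a key file needs a passphrase: legacy PEM keys say
// so in a Proc-Type header, OpenSSH containers name a cipher ("none" if clear).
func classifyKey(path string, data []byte) error {
	block, _ := pem.Decode(data)
	switch {
	case block == nil:
		return keyFileErr(path, "no PEM block found")
	case block.Headers["Proc-Type"] == "4,ENCRYPTED":
		return keyFileErr(path, block.Type+" is passphrase-protected")
	case block.Type != "OPENSSH PRIVATE KEY":
		return nil // other PEM types: nothing further to check here
	}
	body := bytes.TrimPrefix(block.Bytes, []byte(opensshMagic))
	if len(body) == len(block.Bytes) || len(body) < 4 {
		return keyFileErr(path, "malformed openssh container")
	}
	n := int(binary.BigEndian.Uint32(body)) // length-prefixed cipher name follows the magic
	if n > len(body)-4 {
		return keyFileErr(path, "truncated cipher name")
	}
	if cipher := string(body[4 : 4+n]); cipher != "none" {
		return keyFileErr(path, "encrypted with "+cipher+", passphrase required")
	}
	return nil
}

// sampleKey builds a constructed OpenSSH container (no real key material) holding
// just the magic and the cipher name, which is all classifyKey reads.
func sampleKey(cipher string) []byte {
	var b bytes.Buffer
	b.WriteString(opensshMagic)
	binary.Write(&b, binary.BigEndian, uint32(len(cipher)))
	b.WriteString(cipher)
	return pem.EncodeToMemory(&pem.Block{Type: "OPENSSH PRIVATE KEY", Bytes: b.Bytes()})
}
```

Running `classifyKey("~/.ssh/my-ssh-key", sampleKey("aes256-ctr"))` yields a message that names the path and the cipher but contains none of the PEM text.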

KamilLelonek commented 5 years ago

Same here.

larsxschneider commented 5 years ago

I agree that it is a problem to print the content of a private key 👍 . On top of that, I wonder why decoding the key fails in the first place? I can't figure out why Terraform doesn't like my key 😢

Do you have a clue?

MajoDurco commented 5 years ago

Does your key have a passphrase set? If so try it without.

liuyangc3 commented 5 years ago

Get the same error with DigitalOcean provider, and key passphrase is set too.