If key type is defined as :auto, detect best key type to use. If no
acceptable key type is detected as supported by the server, raise an
error. If unable to determine supported key types from the server,
fallback to original behavior of rsa type key.
If key type is defined as custom value, use that type if the server
supports it, or if the supported types cannot be read. Otherwise, raise
an error informing the user that the key type is not supported.
Check the key types supported by the server. If the data is not
available, default to the previous behavior which is using the rsa key
type.
Update insecure key check to match against any key files located within
the keys directory. For now, this effectively allows matching either rsa
or ed25519 insecure private keys.
The keyboard-interactive authentication method was added due to a
mis-reading of a reported issue where the box was not properly
configured for Vagrant. This removes the keyboard-interactive
authentication method which resolves a password prompting issue caused
by its addition.
When connecting over ssh using net-ssh use the non_interactive
argument must be set when authenticating with a password.
Add the keyboard-interactive default auth method
ref: 8a176a6ea0/lib/net/ssh/config.rb (L52)
This commit changes the SSH communicator to raise an error if Vagrant
doesn't receive an exit status from an SSH command, for example if the
command is terminated by the OOM-killer.
Retains the original default value of 15 seconds for SSH connect
timeout. Allows users to modify this timeout via SSH communicator
option. Enforces integer values for timeout and validates custom
values are greater than 0.
This patches the connection instances generated for the winssh
communicator so when a command is executed it is always run
with powershell. This prevents inconsistencies with argument
handling based on what the default shell is set to on the remote
side.
Since powershell is the default, environment variable template
only needs to be set for powershell style. If the shell setting
is updated to `cmd`, the command will be properly prefixed.
Default shell has been updated to powershell, to prevent extraneous
wrapping where it's not required. The `#ready?` check has also been
updated to use a constant value, which is overridden within winssh
as a blank command is invalid.
Windows commands that run over SSH are wrapped in a script that writes a
special marker to the two output streams (stdout and stderr). This
allows Vagrant to consume the output streams.
Unfortunately, this leads to a sort of chicken-and-egg problem where no
commands can be run before a wrapper script exists. For example, you
can't make a destination directory to upload the wrapper script without
first creating a wrapper script to make the directory. :)
This commit changes the behavior of the WinSSH communicator to assume
that the destination directory already exists for provisioning scripts.
It also moves the default `upload_path` from the shell provisioner
config so we can have OS-specific defaults.
Finally, it introduces a Windows-specific #upload method which will
properly use a Windows path separator on a non-Windows host.
This update was prompted by updates in openssh to the scp behavior
making source directory paths suffixed with `.` no longer valid
resulting in errors on upload. The upload implementation within
the ssh communicator has been updated to retain the existing
behavior.
Included in this update is modifications to the winrm communicator
so the upload functionality matches that of the ssh communicator
respecting the trailing `.` behavior on source paths. With the
communicators updated to properly handle the paths, the file
provisioner was also updated to simply apply previously defined
path update rules only.
Fixes#10675
Also noticed whilst testing that if the `ProxyCommand` uses `%r`, then
it fails with `unable to find remote user`, so added support for
`config.ssh.remote_user` aswell
If the type of error changes on retry the messages will effectively
spam the user display with alternating messages. Log each message
sent and only re-display each message once within 10 seconds.
This updates the permissions on the automatically generated private
key file to only be readable by the user. Includes support for file
permission modification on Windows platform.
As of `net-ssh` version 4.2.0, the key :paranoid has been deprecated in
favor of using :verify_host_key. This commit updates Vagrants ssh config
to use the new key, and deprecates the use of :paranoid.
Prior to this commit, the ssh communicator would use the default cipher
list in Net::SSH to negociate which ciphers it should use between hosts.
Due to a bug in Net::SSH and the position of the `none` cipher in its
default cipher list, if a host supported the none cipher, but also
only supported other ciphers that came after none in the default list,
it would accept none and attempt to use that cipher instead of the other
supported ciphers. This commit fixes that behavior by copying the
default cipher list from Net::SSH and placing none last in the list so
that other ciphers can be used in the negotiation before attempting to
use the unsecure none cipher.
In some cases the SSH connection may be aborted while waiting
for setup. This includes aborted connections in the list of
applicable exceptions to retry on while waiting for the connection
to become available.
Fixes#8520
Prevent sending empty data strings to defined blocks handling
stderr and stdout output. These can occur when the garbage
marker is identified and collected data pruned, but no remaining
data is left to send.
Fixes#8259
This adds two new SSH configuration options:
- `keys_only`
- `paranoid`
These values were previously hard-coded, but can now be user-specified.
Fixes GH-4275
This changes the ssh ready? method to treat ENETUNREACH the same way as
EHOSTUNREACH errors.
When attempting to SSH into a box, it tries up to 5 times to connect to
the box, ignoring various errors. Later it will catch and gracefully
handle most of those errors so that callers don't have to know the
details.
However, the Errno::ENETUNREACH error is not caught, which means that
callers that expect a clean boolean return from ready? don't get that,
and instead get an exception they probably aren't expecting.
