# Copyright (c) 2012, Michael DeHaan # Copyright 2015 Abhijit Menon-Sen # Copyright 2017 Toshio Kuratomi # Copyright (c) 2017 Ansible Project # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) from __future__ import (absolute_import, division, print_function) __metaclass__ = type DOCUMENTATION = ''' connection: ssh short_description: connect via ssh client binary description: - This connection plugin allows ansible to communicate to the target machines via normal ssh command line. - Ansible does not expose a channel to allow communication between the user and the ssh process to accept a password manually to decrypt an ssh key when using this connection plugin (which is the default). The use of ``ssh-agent`` is highly recommended. author: ansible (@core) version_added: historical options: host: description: Hostname/ip to connect to. default: inventory_hostname vars: - name: ansible_host - name: ansible_ssh_host host_key_checking: description: Determines if ssh should check host keys type: boolean ini: - section: defaults key: 'host_key_checking' - section: ssh_connection key: 'host_key_checking' version_added: '2.5' env: - name: ANSIBLE_HOST_KEY_CHECKING - name: ANSIBLE_SSH_HOST_KEY_CHECKING version_added: '2.5' vars: - name: ansible_host_key_checking version_added: '2.5' - name: ansible_ssh_host_key_checking version_added: '2.5' password: description: Authentication password for the C(remote_user). Can be supplied as CLI option. vars: - name: ansible_password - name: ansible_ssh_pass ssh_args: description: Arguments to pass to all ssh cli tools default: '-C -o ControlMaster=auto -o ControlPersist=60s' ini: - section: 'ssh_connection' key: 'ssh_args' env: - name: ANSIBLE_SSH_ARGS vars: - name: ansible_ssh_args version_added: '2.7' ssh_common_args: description: Common extra args for all ssh CLI tools ini: - section: 'ssh_connection' key: 'ssh_common_args' version_added: '2.7' env: - name: ANSIBLE_SSH_COMMON_ARGS version_added: '2.7' vars: - name: ansible_ssh_common_args ssh_executable: default: ssh description: - This defines the location of the ssh binary. It defaults to ``ssh`` which will use the first ssh binary available in $PATH. - This option is usually not required, it might be useful when access to system ssh is restricted, or when using ssh wrappers to connect to remote hosts. env: [{name: ANSIBLE_SSH_EXECUTABLE}] ini: - {key: ssh_executable, section: ssh_connection} #const: ANSIBLE_SSH_EXECUTABLE version_added: "2.2" vars: - name: ansible_ssh_executable version_added: '2.7' sftp_executable: default: sftp description: - This defines the location of the sftp binary. It defaults to ``sftp`` which will use the first binary available in $PATH. env: [{name: ANSIBLE_SFTP_EXECUTABLE}] ini: - {key: sftp_executable, section: ssh_connection} version_added: "2.6" vars: - name: ansible_sftp_executable version_added: '2.7' scp_executable: default: scp description: - This defines the location of the scp binary. It defaults to `scp` which will use the first binary available in $PATH. env: [{name: ANSIBLE_SCP_EXECUTABLE}] ini: - {key: scp_executable, section: ssh_connection} version_added: "2.6" vars: - name: ansible_scp_executable version_added: '2.7' scp_extra_args: description: Extra exclusive to the ``scp`` CLI vars: - name: ansible_scp_extra_args env: - name: ANSIBLE_SCP_EXTRA_ARGS version_added: '2.7' ini: - key: scp_extra_args section: ssh_connection version_added: '2.7' sftp_extra_args: description: Extra exclusive to the ``sftp`` CLI vars: - name: ansible_sftp_extra_args env: - name: ANSIBLE_SFTP_EXTRA_ARGS version_added: '2.7' ini: - key: sftp_extra_args section: ssh_connection version_added: '2.7' ssh_extra_args: description: Extra exclusive to the 'ssh' CLI vars: - name: ansible_ssh_extra_args env: - name: ANSIBLE_SSH_EXTRA_ARGS version_added: '2.7' ini: - key: ssh_extra_args section: ssh_connection version_added: '2.7' retries: # constant: ANSIBLE_SSH_RETRIES description: Number of attempts to connect. default: 3 type: integer env: - name: ANSIBLE_SSH_RETRIES ini: - section: connection key: retries - section: ssh_connection key: retries vars: - name: ansible_ssh_retries version_added: '2.7' port: description: Remote port to connect to. type: int default: 22 ini: - section: defaults key: remote_port env: - name: ANSIBLE_REMOTE_PORT vars: - name: ansible_port - name: ansible_ssh_port remote_user: description: - User name with which to login to the remote server, normally set by the remote_user keyword. - If no user is supplied, Ansible will let the ssh client binary choose the user as it normally ini: - section: defaults key: remote_user env: - name: ANSIBLE_REMOTE_USER vars: - name: ansible_user - name: ansible_ssh_user pipelining: default: ANSIBLE_PIPELINING description: - Pipelining reduces the number of SSH operations required to execute a module on the remote server, by executing many Ansible modules without actual file transfer. - This can result in a very significant performance improvement when enabled. - However this conflicts with privilege escalation (become). For example, when using sudo operations you must first disable 'requiretty' in the sudoers file for the target hosts, which is why this feature is disabled by default. env: - name: ANSIBLE_PIPELINING #- name: ANSIBLE_SSH_PIPELINING ini: - section: defaults key: pipelining #- section: ssh_connection # key: pipelining type: boolean vars: - name: ansible_pipelining - name: ansible_ssh_pipelining private_key_file: description: - Path to private key file to use for authentication ini: - section: defaults key: private_key_file env: - name: ANSIBLE_PRIVATE_KEY_FILE vars: - name: ansible_private_key_file - name: ansible_ssh_private_key_file control_path: description: - This is the location to save ssh's ControlPath sockets, it uses ssh's variable substitution. - Since 2.3, if null, ansible will generate a unique hash. Use `%(directory)s` to indicate where to use the control dir path setting. env: - name: ANSIBLE_SSH_CONTROL_PATH ini: - key: control_path section: ssh_connection vars: - name: ansible_control_path version_added: '2.7' control_path_dir: default: ~/.ansible/cp description: - This sets the directory to use for ssh control path if the control path setting is null. - Also, provides the `%(directory)s` variable for the control path setting. env: - name: ANSIBLE_SSH_CONTROL_PATH_DIR ini: - section: ssh_connection key: control_path_dir vars: - name: ansible_control_path_dir version_added: '2.7' sftp_batch_mode: default: 'yes' description: 'TODO: write it' env: [{name: ANSIBLE_SFTP_BATCH_MODE}] ini: - {key: sftp_batch_mode, section: ssh_connection} type: bool vars: - name: ansible_sftp_batch_mode version_added: '2.7' scp_if_ssh: default: smart description: - "Prefered method to use when transfering files over ssh" - When set to smart, Ansible will try them until one succeeds or they all fail - If set to True, it will force 'scp', if False it will use 'sftp' env: [{name: ANSIBLE_SCP_IF_SSH}] ini: - {key: scp_if_ssh, section: ssh_connection} vars: - name: ansible_scp_if_ssh version_added: '2.7' use_tty: version_added: '2.5' default: 'yes' description: add -tt to ssh commands to force tty allocation env: [{name: ANSIBLE_SSH_USETTY}] ini: - {key: usetty, section: ssh_connection} type: bool vars: - name: ansible_ssh_use_tty version_added: '2.7' ''' import errno import fcntl import hashlib import os import pty import subprocess import time from functools import wraps from ansible import constants as C from ansible.errors import ( AnsibleAuthenticationFailure, AnsibleConnectionFailure, AnsibleError, AnsibleFileNotFound, ) from ansible.errors import AnsibleOptionsError from ansible.compat import selectors from ansible.module_utils.six import PY3, text_type, binary_type from ansible.module_utils.six.moves import shlex_quote from ansible.module_utils._text import to_bytes, to_native, to_text from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean from ansible.plugins.connection import ConnectionBase, BUFSIZE from ansible.utils.path import unfrackpath, makedirs_safe try: from __main__ import display except ImportError: from ansible.utils.display import Display display = Display() b_NOT_SSH_ERRORS = (b'Traceback (most recent call last):', # Python-2.6 when there's an exception # while invoking a script via -m b'PHP Parse error:', # Php always returns error 255 ) SSHPASS_AVAILABLE = None class AnsibleControlPersistBrokenPipeError(AnsibleError): ''' ControlPersist broken pipe ''' pass def _handle_error(remaining_retries, command, return_tuple, no_log, host, display=display): # sshpass errors if command == b'sshpass': # Error 5 is invalid/incorrect password. Raise an exception to prevent retries from locking the account. if return_tuple[0] == 5: msg = 'Invalid/incorrect username/password. Skipping remaining {0} retries to prevent account lockout:'.format(remaining_retries) if remaining_retries <= 0: msg = 'Invalid/incorrect password:' if no_log: msg = '{0} '.format(msg) else: msg = '{0} {1}'.format(msg, to_native(return_tuple[2].rstrip())) raise AnsibleAuthenticationFailure(msg) # sshpass returns codes are 1-6. We handle 5 previously, so this catches other scenarios. # No exception is raised, so the connection is retried. elif return_tuple[0] in [1, 2, 3, 4, 6]: msg = 'sshpass error:' if no_log: msg = '{0} '.format(msg) else: msg = '{0} {1}'.format(msg, to_native(return_tuple[2].rstrip())) if return_tuple[0] == 255: SSH_ERROR = True for signature in b_NOT_SSH_ERRORS: if signature in return_tuple[1]: SSH_ERROR = False break if SSH_ERROR: msg = "Failed to connect to the host via ssh:" if no_log: msg = '{0} '.format(msg) else: msg = '{0} {1}'.format(msg, to_native(return_tuple[2]).rstrip()) raise AnsibleConnectionFailure(msg) # For other errors, no execption is raised so the connection is retried and we only log the messages if 1 <= return_tuple[0] <= 254: msg = "Failed to connect to the host via ssh:" if no_log: msg = '{0} '.format(msg) else: msg = '{0} {1}'.format(msg, to_native(return_tuple[2]).rstrip()) display.vvv(msg, host=host) def _ssh_retry(func): """ Decorator to retry ssh/scp/sftp in the case of a connection failure Will retry if: * an exception is caught * ssh returns 255 Will not retry if * sshpass returns 5 (invalid password, to prevent account lockouts) * remaining_tries is < 2 * retries limit reached """ @wraps(func) def wrapped(self, *args, **kwargs): remaining_tries = int(C.ANSIBLE_SSH_RETRIES) + 1 cmd_summary = "%s..." % args[0] for attempt in range(remaining_tries): cmd = args[0] if attempt != 0 and self._play_context.password and isinstance(cmd, list): # If this is a retry, the fd/pipe for sshpass is closed, and we need a new one self.sshpass_pipe = os.pipe() cmd[1] = b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict') try: try: return_tuple = func(self, *args, **kwargs) if self._play_context.no_log: display.vvv('rc=%s, stdout and stderr censored due to no log' % return_tuple[0], host=self.host) else: display.vvv(return_tuple, host=self.host) # 0 = success # 1-254 = remote command return code # 255 could be a failure from the ssh command itself except (AnsibleControlPersistBrokenPipeError): # Retry one more time because of the ControlPersist broken pipe (see #16731) cmd = args[0] if self._play_context.password and isinstance(cmd, list): # This is a retry, so the fd/pipe for sshpass is closed, and we need a new one self.sshpass_pipe = os.pipe() cmd[1] = b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict') display.vvv(u"RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE") return_tuple = func(self, *args, **kwargs) remaining_retries = remaining_tries - attempt - 1 _handle_error(remaining_retries, cmd[0], return_tuple, self._play_context.no_log, self.host) break # 5 = Invalid/incorrect password from sshpass except AnsibleAuthenticationFailure as e: # Raising this exception, which is subclassed from AnsibleConnectionFailure, prevents further retries raise except (AnsibleConnectionFailure, Exception) as e: if attempt == remaining_tries - 1: raise else: pause = 2 ** attempt - 1 if pause > 30: pause = 30 if isinstance(e, AnsibleConnectionFailure): msg = "ssh_retry: attempt: %d, ssh return code is 255. cmd (%s), pausing for %d seconds" % (attempt + 1, cmd_summary, pause) else: msg = "ssh_retry: attempt: %d, caught exception(%s) from cmd (%s), pausing for %d seconds" % (attempt + 1, e, cmd_summary, pause) display.vv(msg, host=self.host) time.sleep(pause) continue return return_tuple return wrapped class Connection(ConnectionBase): ''' ssh based connections ''' transport = 'ssh' has_pipelining = True become_methods = frozenset(C.BECOME_METHODS).difference(['runas']) def __init__(self, *args, **kwargs): super(Connection, self).__init__(*args, **kwargs) self.host = self._play_context.remote_addr self.port = self._play_context.port self.user = self._play_context.remote_user self.control_path = C.ANSIBLE_SSH_CONTROL_PATH self.control_path_dir = C.ANSIBLE_SSH_CONTROL_PATH_DIR # The connection is created by running ssh/scp/sftp from the exec_command, # put_file, and fetch_file methods, so we don't need to do any connection # management here. def _connect(self): return self @staticmethod def _create_control_path(host, port, user, connection=None, pid=None): '''Make a hash for the controlpath based on con attributes''' pstring = '%s-%s-%s' % (host, port, user) if connection: pstring += '-%s' % connection if pid: pstring += '-%s' % to_text(pid) m = hashlib.sha1() m.update(to_bytes(pstring)) digest = m.hexdigest() cpath = '%(directory)s/' + digest[:10] return cpath @staticmethod def _sshpass_available(): global SSHPASS_AVAILABLE # We test once if sshpass is available, and remember the result. It # would be nice to use distutils.spawn.find_executable for this, but # distutils isn't always available; shutils.which() is Python3-only. if SSHPASS_AVAILABLE is None: try: p = subprocess.Popen(["sshpass"], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() SSHPASS_AVAILABLE = True except OSError: SSHPASS_AVAILABLE = False return SSHPASS_AVAILABLE @staticmethod def _persistence_controls(b_command): ''' Takes a command array and scans it for ControlPersist and ControlPath settings and returns two booleans indicating whether either was found. This could be smarter, e.g. returning false if ControlPersist is 'no', but for now we do it simple way. ''' controlpersist = False controlpath = False for b_arg in (a.lower() for a in b_command): if b'controlpersist' in b_arg: controlpersist = True elif b'controlpath' in b_arg: controlpath = True return controlpersist, controlpath def _add_args(self, b_command, b_args, explanation): """ Adds arguments to the ssh command and displays a caller-supplied explanation of why. :arg b_command: A list containing the command to add the new arguments to. This list will be modified by this method. :arg b_args: An iterable of new arguments to add. This iterable is used more than once so it must be persistent (ie: a list is okay but a StringIO would not) :arg explanation: A text string containing explaining why the arguments were added. It will be displayed with a high enough verbosity. .. note:: This function does its work via side-effect. The b_command list has the new arguments appended. """ display.vvvvv(u'SSH: %s: (%s)' % (explanation, ')('.join(to_text(a) for a in b_args)), host=self._play_context.remote_addr) b_command += b_args def _build_command(self, binary, *other_args): ''' Takes a binary (ssh, scp, sftp) and optional extra arguments and returns a command line as an array that can be passed to subprocess.Popen. ''' b_command = [] # # First, the command to invoke # # If we want to use password authentication, we have to set up a pipe to # write the password to sshpass. if self._play_context.password: if not self._sshpass_available(): raise AnsibleError("to use the 'ssh' connection type with passwords, you must install the sshpass program") self.sshpass_pipe = os.pipe() b_command += [b'sshpass', b'-d' + to_bytes(self.sshpass_pipe[0], nonstring='simplerepr', errors='surrogate_or_strict')] if binary == 'ssh': b_command += [to_bytes(self._play_context.ssh_executable, errors='surrogate_or_strict')] else: b_command += [to_bytes(binary, errors='surrogate_or_strict')] # # Next, additional arguments based on the configuration. # # sftp batch mode allows us to correctly catch failed transfers, but can # be disabled if the client side doesn't support the option. However, # sftp batch mode does not prompt for passwords so it must be disabled # if not using controlpersist and using sshpass if binary == 'sftp' and C.DEFAULT_SFTP_BATCH_MODE: if self._play_context.password: b_args = [b'-o', b'BatchMode=no'] self._add_args(b_command, b_args, u'disable batch mode for sshpass') b_command += [b'-b', b'-'] if self._play_context.verbosity > 3: b_command.append(b'-vvv') # # Next, we add [ssh_connection]ssh_args from ansible.cfg. # if self._play_context.ssh_args: b_args = [to_bytes(a, errors='surrogate_or_strict') for a in self._split_ssh_args(self._play_context.ssh_args)] self._add_args(b_command, b_args, u"ansible.cfg set ssh_args") # Now we add various arguments controlled by configuration file settings # (e.g. host_key_checking) or inventory variables (ansible_ssh_port) or # a combination thereof. if not C.HOST_KEY_CHECKING: b_args = (b"-o", b"StrictHostKeyChecking=no") self._add_args(b_command, b_args, u"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled") if self._play_context.port is not None: b_args = (b"-o", b"Port=" + to_bytes(self._play_context.port, nonstring='simplerepr', errors='surrogate_or_strict')) self._add_args(b_command, b_args, u"ANSIBLE_REMOTE_PORT/remote_port/ansible_port set") key = self._play_context.private_key_file if key: b_args = (b"-o", b'IdentityFile="' + to_bytes(os.path.expanduser(key), errors='surrogate_or_strict') + b'"') self._add_args(b_command, b_args, u"ANSIBLE_PRIVATE_KEY_FILE/private_key_file/ansible_ssh_private_key_file set") if not self._play_context.password: self._add_args( b_command, ( b"-o", b"KbdInteractiveAuthentication=no", b"-o", b"PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey", b"-o", b"PasswordAuthentication=no" ), u"ansible_password/ansible_ssh_pass not set" ) user = self._play_context.remote_user if user: self._add_args( b_command, (b"-o", b"User=" + to_bytes(self._play_context.remote_user, errors='surrogate_or_strict')), u"ANSIBLE_REMOTE_USER/remote_user/ansible_user/user/-u set" ) self._add_args( b_command, (b"-o", b"ConnectTimeout=" + to_bytes(self._play_context.timeout, errors='surrogate_or_strict', nonstring='simplerepr')), u"ANSIBLE_TIMEOUT/timeout set" ) # Add in any common or binary-specific arguments from the PlayContext # (i.e. inventory or task settings or overrides on the command line). for opt in (u'ssh_common_args', u'{0}_extra_args'.format(binary)): attr = getattr(self._play_context, opt, None) if attr is not None: b_args = [to_bytes(a, errors='surrogate_or_strict') for a in self._split_ssh_args(attr)] self._add_args(b_command, b_args, u"PlayContext set %s" % opt) # Check if ControlPersist is enabled and add a ControlPath if one hasn't # already been set. controlpersist, controlpath = self._persistence_controls(b_command) if controlpersist: self._persistent = True if not controlpath: cpdir = unfrackpath(self.control_path_dir) b_cpdir = to_bytes(cpdir, errors='surrogate_or_strict') # The directory must exist and be writable. makedirs_safe(b_cpdir, 0o700) if not os.access(b_cpdir, os.W_OK): raise AnsibleError("Cannot write to ControlPath %s" % to_native(cpdir)) if not self.control_path: self.control_path = self._create_control_path( self.host, self.port, self.user ) b_args = (b"-o", b"ControlPath=" + to_bytes(self.control_path % dict(directory=cpdir), errors='surrogate_or_strict')) self._add_args(b_command, b_args, u"found only ControlPersist; added ControlPath") # Finally, we add any caller-supplied extras. if other_args: b_command += [to_bytes(a) for a in other_args] return b_command def _send_initial_data(self, fh, in_data, ssh_process): ''' Writes initial data to the stdin filehandle of the subprocess and closes it. (The handle must be closed; otherwise, for example, "sftp -b -" will just hang forever waiting for more commands.) ''' display.debug('Sending initial data') try: fh.write(to_bytes(in_data)) fh.close() except (OSError, IOError): # The ssh connection may have already terminated at this point, with a more useful error # Only raise AnsibleConnectionFailure if the ssh process is still alive time.sleep(0.001) ssh_process.poll() if getattr(ssh_process, 'returncode', None) is None: raise AnsibleConnectionFailure( 'SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached ' 'over ssh' % self.host ) display.debug('Sent initial data (%d bytes)' % len(in_data)) # Used by _run() to kill processes on failures @staticmethod def _terminate_process(p): """ Terminate a process, ignoring errors """ try: p.terminate() except (OSError, IOError): pass # This is separate from _run() because we need to do the same thing for stdout # and stderr. def _examine_output(self, source, state, b_chunk, sudoable): ''' Takes a string, extracts complete lines from it, tests to see if they are a prompt, error message, etc., and sets appropriate flags in self. Prompt and success lines are removed. Returns the processed (i.e. possibly-edited) output and the unprocessed remainder (to be processed with the next chunk) as strings. ''' output = [] for b_line in b_chunk.splitlines(True): display_line = to_text(b_line).rstrip('\r\n') suppress_output = False # display.debug("Examining line (source=%s, state=%s): '%s'" % (source, state, display_line)) if self._play_context.prompt and self.check_password_prompt(b_line): display.debug("become_prompt: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_prompt'] = True suppress_output = True elif self._play_context.success_key and self.check_become_success(b_line): display.debug("become_success: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_success'] = True suppress_output = True elif sudoable and self.check_incorrect_password(b_line): display.debug("become_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_error'] = True elif sudoable and self.check_missing_password(b_line): display.debug("become_nopasswd_error: (source=%s, state=%s): '%s'" % (source, state, display_line)) self._flags['become_nopasswd_error'] = True if not suppress_output: output.append(b_line) # The chunk we read was most likely a series of complete lines, but just # in case the last line was incomplete (and not a prompt, which we would # have removed from the output), we retain it to be processed with the # next chunk. remainder = b'' if output and not output[-1].endswith(b'\n'): remainder = output[-1] output = output[:-1] return b''.join(output), remainder def _bare_run(self, cmd, in_data, sudoable=True, checkrc=True): ''' Starts the command and communicates with it until it ends. ''' display_cmd = list(map(shlex_quote, map(to_text, cmd))) display.vvv(u'SSH: EXEC {0}'.format(u' '.join(display_cmd)), host=self.host) # Start the given command. If we don't need to pipeline data, we can try # to use a pseudo-tty (ssh will have been invoked with -tt). If we are # pipelining data, or can't create a pty, we fall back to using plain # old pipes. p = None if isinstance(cmd, (text_type, binary_type)): cmd = to_bytes(cmd) else: cmd = list(map(to_bytes, cmd)) if not in_data: try: # Make sure stdin is a proper pty to avoid tcgetattr errors master, slave = pty.openpty() if PY3 and self._play_context.password: # pylint: disable=unexpected-keyword-arg p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) else: p = subprocess.Popen(cmd, stdin=slave, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdin = os.fdopen(master, 'wb', 0) os.close(slave) except (OSError, IOError): p = None if not p: if PY3 and self._play_context.password: # pylint: disable=unexpected-keyword-arg p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, pass_fds=self.sshpass_pipe) else: p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdin = p.stdin # If we are using SSH password authentication, write the password into # the pipe we opened in _build_command. if self._play_context.password: os.close(self.sshpass_pipe[0]) try: os.write(self.sshpass_pipe[1], to_bytes(self._play_context.password) + b'\n') except OSError as e: # Ignore broken pipe errors if the sshpass process has exited. if e.errno != errno.EPIPE or p.poll() is None: raise os.close(self.sshpass_pipe[1]) # # SSH state machine # # Now we read and accumulate output from the running process until it # exits. Depending on the circumstances, we may also need to write an # escalation password and/or pipelined input to the process. states = [ 'awaiting_prompt', 'awaiting_escalation', 'ready_to_send', 'awaiting_exit' ] # Are we requesting privilege escalation? Right now, we may be invoked # to execute sftp/scp with sudoable=True, but we can request escalation # only when using ssh. Otherwise we can send initial data straightaway. state = states.index('ready_to_send') if to_bytes(self.get_option('ssh_executable')) in cmd and sudoable: if self._play_context.prompt: # We're requesting escalation with a password, so we have to # wait for a password prompt. state = states.index('awaiting_prompt') display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.prompt)) elif self._play_context.become and self._play_context.success_key: # We're requesting escalation without a password, so we have to # detect success/failure before sending any initial data. state = states.index('awaiting_escalation') display.debug(u'Initial state: %s: %s' % (states[state], self._play_context.success_key)) # We store accumulated stdout and stderr output from the process here, # but strip any privilege escalation prompt/confirmation lines first. # Output is accumulated into tmp_*, complete lines are extracted into # an array, then checked and removed or copied to stdout or stderr. We # set any flags based on examining the output in self._flags. b_stdout = b_stderr = b'' b_tmp_stdout = b_tmp_stderr = b'' self._flags = dict( become_prompt=False, become_success=False, become_error=False, become_nopasswd_error=False ) # select timeout should be longer than the connect timeout, otherwise # they will race each other when we can't connect, and the connect # timeout usually fails timeout = 2 + self._play_context.timeout for fd in (p.stdout, p.stderr): fcntl.fcntl(fd, fcntl.F_SETFL, fcntl.fcntl(fd, fcntl.F_GETFL) | os.O_NONBLOCK) # TODO: bcoca would like to use SelectSelector() when open # filehandles is low, then switch to more efficient ones when higher. # select is faster when filehandles is low. selector = selectors.DefaultSelector() selector.register(p.stdout, selectors.EVENT_READ) selector.register(p.stderr, selectors.EVENT_READ) # If we can send initial data without waiting for anything, we do so # before we start polling if states[state] == 'ready_to_send' and in_data: self._send_initial_data(stdin, in_data, p) state += 1 try: while True: poll = p.poll() events = selector.select(timeout) # We pay attention to timeouts only while negotiating a prompt. if not events: # We timed out if state <= states.index('awaiting_escalation'): # If the process has already exited, then it's not really a # timeout; we'll let the normal error handling deal with it. if poll is not None: break self._terminate_process(p) raise AnsibleError('Timeout (%ds) waiting for privilege escalation prompt: %s' % (timeout, to_native(b_stdout))) # Read whatever output is available on stdout and stderr, and stop # listening to the pipe if it's been closed. for key, event in events: if key.fileobj == p.stdout: b_chunk = p.stdout.read() if b_chunk == b'': # stdout has been closed, stop watching it selector.unregister(p.stdout) # When ssh has ControlMaster (+ControlPath/Persist) enabled, the # first connection goes into the background and we never see EOF # on stderr. If we see EOF on stdout, lower the select timeout # to reduce the time wasted selecting on stderr if we observe # that the process has not yet existed after this EOF. Otherwise # we may spend a long timeout period waiting for an EOF that is # not going to arrive until the persisted connection closes. timeout = 1 b_tmp_stdout += b_chunk display.debug("stdout chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) elif key.fileobj == p.stderr: b_chunk = p.stderr.read() if b_chunk == b'': # stderr has been closed, stop watching it selector.unregister(p.stderr) b_tmp_stderr += b_chunk display.debug("stderr chunk (state=%s):\n>>>%s<<<\n" % (state, to_text(b_chunk))) # We examine the output line-by-line until we have negotiated any # privilege escalation prompt and subsequent success/error message. # Afterwards, we can accumulate output without looking at it. if state < states.index('ready_to_send'): if b_tmp_stdout: b_output, b_unprocessed = self._examine_output('stdout', states[state], b_tmp_stdout, sudoable) b_stdout += b_output b_tmp_stdout = b_unprocessed if b_tmp_stderr: b_output, b_unprocessed = self._examine_output('stderr', states[state], b_tmp_stderr, sudoable) b_stderr += b_output b_tmp_stderr = b_unprocessed else: b_stdout += b_tmp_stdout b_stderr += b_tmp_stderr b_tmp_stdout = b_tmp_stderr = b'' # If we see a privilege escalation prompt, we send the password. # (If we're expecting a prompt but the escalation succeeds, we # didn't need the password and can carry on regardless.) if states[state] == 'awaiting_prompt': if self._flags['become_prompt']: display.debug('Sending become_pass in response to prompt') stdin.write(to_bytes(self._play_context.become_pass) + b'\n') # On python3 stdin is a BufferedWriter, and we don't have a guarantee # that the write will happen without a flush stdin.flush() self._flags['become_prompt'] = False state += 1 elif self._flags['become_success']: state += 1 # We've requested escalation (with or without a password), now we # wait for an error message or a successful escalation. if states[state] == 'awaiting_escalation': if self._flags['become_success']: display.vvv('Escalation succeeded') self._flags['become_success'] = False state += 1 elif self._flags['become_error']: display.vvv('Escalation failed') self._terminate_process(p) self._flags['become_error'] = False raise AnsibleError('Incorrect %s password' % self._play_context.become_method) elif self._flags['become_nopasswd_error']: display.vvv('Escalation requires password') self._terminate_process(p) self._flags['become_nopasswd_error'] = False raise AnsibleError('Missing %s password' % self._play_context.become_method) elif self._flags['become_prompt']: # This shouldn't happen, because we should see the "Sorry, # try again" message first. display.vvv('Escalation prompt repeated') self._terminate_process(p) self._flags['become_prompt'] = False raise AnsibleError('Incorrect %s password' % self._play_context.become_method) # Once we're sure that the privilege escalation prompt, if any, has # been dealt with, we can send any initial data and start waiting # for output. if states[state] == 'ready_to_send': if in_data: self._send_initial_data(stdin, in_data, p) state += 1 # Now we're awaiting_exit: has the child process exited? If it has, # and we've read all available output from it, we're done. if poll is not None: if not selector.get_map() or not events: break # We should not see further writes to the stdout/stderr file # descriptors after the process has closed, set the select # timeout to gather any last writes we may have missed. timeout = 0 continue # If the process has not yet exited, but we've already read EOF from # its stdout and stderr (and thus no longer watching any file # descriptors), we can just wait for it to exit. elif not selector.get_map(): p.wait() break # Otherwise there may still be outstanding data to read. finally: selector.close() # close stdin after process is terminated and stdout/stderr are read # completely (see also issue #848) stdin.close() if C.HOST_KEY_CHECKING: if cmd[0] == b"sshpass" and p.returncode == 6: raise AnsibleError('Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support ' 'this. Please add this host\'s fingerprint to your known_hosts file to manage this host.') controlpersisterror = b'Bad configuration option: ControlPersist' in b_stderr or b'unknown configuration option: ControlPersist' in b_stderr if p.returncode != 0 and controlpersisterror: raise AnsibleError('using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" ' '(or ssh_args in [ssh_connection] section of the config file) before running again') # If we find a broken pipe because of ControlPersist timeout expiring (see #16731), # we raise a special exception so that we can retry a connection. controlpersist_broken_pipe = b'mux_client_hello_exchange: write packet: Broken pipe' in b_stderr if p.returncode == 255 and controlpersist_broken_pipe: raise AnsibleControlPersistBrokenPipeError('SSH Error: data could not be sent because of ControlPersist broken pipe.') if p.returncode == 255 and in_data and checkrc: raise AnsibleConnectionFailure('SSH Error: data could not be sent to remote host "%s". Make sure this host can be reached over ssh' % self.host) return (p.returncode, b_stdout, b_stderr) @_ssh_retry def _run(self, cmd, in_data, sudoable=True, checkrc=True): """Wrapper around _bare_run that retries the connection """ return self._bare_run(cmd, in_data, sudoable=sudoable, checkrc=checkrc) @_ssh_retry def _file_transport_command(self, in_path, out_path, sftp_action): # scp and sftp require square brackets for IPv6 addresses, but # accept them for hostnames and IPv4 addresses too. host = '[%s]' % self.host # Transfer methods to try methods = [] # Use the transfer_method option if set, otherwise use scp_if_ssh ssh_transfer_method = self._play_context.ssh_transfer_method if ssh_transfer_method is not None: if not (ssh_transfer_method in ('smart', 'sftp', 'scp', 'piped')): raise AnsibleOptionsError('transfer_method needs to be one of [smart|sftp|scp|piped]') if ssh_transfer_method == 'smart': methods = ['sftp', 'scp', 'piped'] else: methods = [ssh_transfer_method] else: # since this can be a non-bool now, we need to handle it correctly scp_if_ssh = C.DEFAULT_SCP_IF_SSH if not isinstance(scp_if_ssh, bool): scp_if_ssh = scp_if_ssh.lower() if scp_if_ssh in BOOLEANS: scp_if_ssh = boolean(scp_if_ssh, strict=False) elif scp_if_ssh != 'smart': raise AnsibleOptionsError('scp_if_ssh needs to be one of [smart|True|False]') if scp_if_ssh == 'smart': methods = ['sftp', 'scp', 'piped'] elif scp_if_ssh is True: methods = ['scp'] else: methods = ['sftp'] for method in methods: returncode = stdout = stderr = None if method == 'sftp': cmd = self._build_command(self.get_option('sftp_executable'), to_bytes(host)) in_data = u"{0} {1} {2}\n".format(sftp_action, shlex_quote(in_path), shlex_quote(out_path)) in_data = to_bytes(in_data, nonstring='passthru') (returncode, stdout, stderr) = self._bare_run(cmd, in_data, checkrc=False) elif method == 'scp': scp = self.get_option('scp_executable') if sftp_action == 'get': cmd = self._build_command(scp, u'{0}:{1}'.format(host, shlex_quote(in_path)), out_path) else: cmd = self._build_command(scp, in_path, u'{0}:{1}'.format(host, shlex_quote(out_path))) in_data = None (returncode, stdout, stderr) = self._bare_run(cmd, in_data, checkrc=False) elif method == 'piped': if sftp_action == 'get': # we pass sudoable=False to disable pty allocation, which # would end up mixing stdout/stderr and screwing with newlines (returncode, stdout, stderr) = self.exec_command('dd if=%s bs=%s' % (in_path, BUFSIZE), sudoable=False) with open(to_bytes(out_path, errors='surrogate_or_strict'), 'wb+') as out_file: out_file.write(stdout) else: with open(to_bytes(in_path, errors='surrogate_or_strict'), 'rb') as f: in_data = to_bytes(f.read(), nonstring='passthru') if not in_data: count = ' count=0' else: count = '' (returncode, stdout, stderr) = self.exec_command('dd of=%s bs=%s%s' % (out_path, BUFSIZE, count), in_data=in_data, sudoable=False) # Check the return code and rollover to next method if failed if returncode == 0: return (returncode, stdout, stderr) else: # If not in smart mode, the data will be printed by the raise below if len(methods) > 1: display.warning(msg='%s transfer mechanism failed on %s. Use ANSIBLE_DEBUG=1 to see detailed information' % (method, host)) display.debug(msg='%s' % to_native(stdout)) display.debug(msg='%s' % to_native(stderr)) if returncode == 255: raise AnsibleConnectionFailure("Failed to connect to the host via %s: %s" % (method, to_native(stderr))) else: raise AnsibleError("failed to transfer file to %s %s:\n%s\n%s" % (to_native(in_path), to_native(out_path), to_native(stdout), to_native(stderr))) # # Main public methods # def exec_command(self, cmd, in_data=None, sudoable=True): ''' run a command on the remote host ''' super(Connection, self).exec_command(cmd, in_data=in_data, sudoable=sudoable) display.vvv(u"ESTABLISH SSH CONNECTION FOR USER: {0}".format(self._play_context.remote_user), host=self._play_context.remote_addr) # we can only use tty when we are not pipelining the modules. piping # data into /usr/bin/python inside a tty automatically invokes the # python interactive-mode but the modules are not compatible with the # interactive-mode ("unexpected indent" mainly because of empty lines) ssh_executable = self._play_context.ssh_executable # -tt can cause various issues in some environments so allow the user # to disable it as a troubleshooting method. use_tty = self.get_option('use_tty') if not in_data and sudoable and use_tty: args = (ssh_executable, '-tt', self.host, cmd) else: args = (ssh_executable, self.host, cmd) cmd = self._build_command(*args) (returncode, stdout, stderr) = self._run(cmd, in_data, sudoable=sudoable) return (returncode, stdout, stderr) def put_file(self, in_path, out_path): ''' transfer a file from local to remote ''' super(Connection, self).put_file(in_path, out_path) display.vvv(u"PUT {0} TO {1}".format(in_path, out_path), host=self.host) if not os.path.exists(to_bytes(in_path, errors='surrogate_or_strict')): raise AnsibleFileNotFound("file or module does not exist: {0}".format(to_native(in_path))) return self._file_transport_command(in_path, out_path, 'put') def fetch_file(self, in_path, out_path): ''' fetch a file from remote to local ''' super(Connection, self).fetch_file(in_path, out_path) display.vvv(u"FETCH {0} TO {1}".format(in_path, out_path), host=self.host) return self._file_transport_command(in_path, out_path, 'get') def reset(self): # If we have a persistent ssh connection (ControlPersist), we can ask it to stop listening. cmd = self._build_command(self._play_context.ssh_executable, '-O', 'stop', self.host) controlpersist, controlpath = self._persistence_controls(cmd) cp_arg = [a for a in cmd if a.startswith(b"ControlPath=")] # only run the reset if the ControlPath already exists or if it isn't # configured and ControlPersist is set run_reset = False if controlpersist and len(cp_arg) > 0: cp_path = cp_arg[0].split(b"=", 1)[-1] if os.path.exists(cp_path): run_reset = True elif controlpersist: run_reset = True if run_reset: display.vvv(u'sending stop: %s' % cmd) p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE) stdout, stderr = p.communicate() status_code = p.wait() if status_code != 0: display.warning("Failed to reset connection:%s" % stderr) self.close() def close(self): self._connected = False