author Alex Vandiver <alexmv@dropbox.com> 2015-07-22 11:51:37 -0700
committer Alex Vandiver <alexmv@dropbox.com> 2015-07-22 11:51:40 -0700
commit 2a498ae29cd2d4eeac52fa123bb97e5e2d5b1c90 (patch)
tree 932d58e2ff3d5b4984ff92eb14dcbbdf78d829c2
parent 231f711e3f0ccb8601bea55f0e6d562b8674488e (diff)
Explicitly unset SSH_AUTH_SOCK; it is preferred to the -i flag
Even if the -i flag is explicitly passed via the command line, openssh ignores the identity file if a socket exists to an SSH authentication agent. In cases where puppet has been configured to use an explicit identity file, altering behavior based on the calling environment of puppet violates the principle of least surprise, and can lead to inconsistent deployments. Work around this odd corner case of ssh by explicitly unsetting SSH_AUTH_SOCK inside the ssh wrapper.
-rw-r--r-- lib/puppet/provider/vcsrepo/git.rb 1
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/puppet/provider/vcsrepo/git.rb b/lib/puppet/provider/vcsrepo/git.rb
index bf11f3d..7e921a9 100644
--- a/lib/puppet/provider/vcsrepo/git.rb
+++ b/lib/puppet/provider/vcsrepo/git.rb
@@ -425,6 +425,7 @@ Puppet::Type.type(:vcsrepo).provide(:git, :parent => Puppet::Provider::Vcsrepo)
if @resource.value(:identity)
Tempfile.open('git-helper', Puppet[:statedir]) do |f|
f.puts '#!/bin/sh'
+ f.puts 'export SSH_AUTH_SOCKET='
f.puts "exec ssh -oStrictHostKeyChecking=no -oPasswordAuthentication=no -oKbdInteractiveAuthentication=no -oChallengeResponseAuthentication=no -oConnectTimeout=120 -i #{@resource.value(:identity)} $*"
f.close
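Review bot: The added line exports `SSH_AUTH_SOCKET`, but the commit message names `SSH_AUTH_SOCK`, so as written the wrapper leaves the agent socket variable untouched and the inherited agent would still be used ahead of the `-i` identity. The line also assigns an empty value rather than removing the variable, while the message says "unsetting". Suggest writing `f.puts 'unset SSH_AUTH_SOCK'` instead, so the variable name matches and the variable is actually absent from the environment of the `exec ssh` on the next line.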