Not able to Pass SSH Key Passphrase in Rundeck Job


Deljin davis

Aug 27, 2025, 8:07:58 AM
to rundeck-discuss

Hi Team,

I was trying to pass an SSH key passphrase using a secure job option in Rundeck, as an option named password. However, this approach is not working—the job fails with an error stating that it could not read the passphrase.

I do not want to save the passphrase in Rundeck Key Storage, as the key is highly confidential. Could you please advise if there is any way to pass the passphrase securely without storing it in Key Storage?

Thank you for your help.


Xavier Humbert

Aug 27, 2025, 9:27:26 AM
to rundeck...@googlegroups.com

Hi

I use this job definition to check if an upgrade is required:

- defaultTab: output
  description: Needs Xavier's private key passphrase
  executionEnabled: true
  id: ba2ca1b0-36a2-4e0f-8f62-27a8704c72d4
  loglevel: INFO
  name: Mise a jour de sécurité OS
  nodeFilterEditable: false
  nodefilters:
    dispatch:
      excludePrecedence: true
      keepgoing: true
      rankOrder: ascending
      successOnEmptyNodeFilter: false
      threadcount: '10'
    filter: tags:rhel9+rd
  nodesSelectedByDefault: true
  options:
  - label: Passphrase
    name: sshKeyPassphrase
    required: true
    secure: true
  plugins:
    ExecutionLifecycle: {}
  scheduleEnabled: true
  sequence:
    commands:
    - autoSecureInput: 'false'
      passSecureInput: 'false'
      script: "#! /bin/bash\n\nsudo dnf --assumeno update --security|| true \necho \"Done !\"\n"
    keepgoing: false
    strategy: node-first
  uuid: ba2ca1b0-36a2-4e0f-8f62-27a8704c72d4

With this in the node's description:

    "ssh-key-passphrase-option": "option.sshKeyPassphrase",
    "ssh-authentication": "privateKey",
    "ssh-keypath": "keys/project/RUNDECK-UPDATE/id_rsa-xhumbert",

-- 
Xavier Humbert
CRT Supervision et Exploitation de Niveau 1
Direction des Services d'Information du Grand Est
Rectorat de l'Académie de Nancy-Metz
Ministère de l'Éducation Nationale et de la Jeunesse
03 83 86 27 39
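
The wiring in the post above only works when the name in the node's ssh-key-passphrase-option attribute matches a secure job option. The following is an added example, not code from the thread or from the Rundeck project, that cross-checks the two. The function name check_passphrase_wiring is hypothetical, the sample data is constructed from the values in the post, and the valueExposed key is assumed from Rundeck's job YAML format (it does not appear in the thread).

```python
# Added example (not from the thread): lint the option-to-node wiring.
# JOB and NODE are constructed sample data modelled on the post above.
JOB = {
    "name": "Mise a jour de sécurité OS",
    "options": [
        {"label": "Passphrase", "name": "sshKeyPassphrase",
         "required": True, "secure": True},
    ],
}
NODE = {
    "ssh-authentication": "privateKey",
    "ssh-keypath": "keys/project/RUNDECK-UPDATE/id_rsa-xhumbert",
    "ssh-key-passphrase-option": "option.sshKeyPassphrase",
}
DEFAULT_REF = "option.sshKeyPassphrase"  # used when the node attribute is absent


def check_passphrase_wiring(job, node):
    """Return a list of findings; an empty list means the wiring is consistent."""
    if node.get("ssh-authentication", "privateKey") != "privateKey":
        return ["node does not use privateKey authentication"]
    ref = node.get("ssh-key-passphrase-option", DEFAULT_REF)
    if not ref.startswith("option."):
        return [f"'{ref}' does not have the form option.<name>"]
    name = ref[len("option."):]
    opt = next((o for o in job.get("options", []) if o.get("name") == name), None)
    if opt is None:
        return [f"job defines no option named '{name}'"]
    findings = []
    if not opt.get("secure"):
        findings.append(f"option '{name}' is not marked secure")
    if opt.get("valueExposed"):
        # valueExposed marks a secure option whose value is handed to scripts
        # and commands; a passphrase used only for node authentication does not need it.
        findings.append(f"option '{name}' has valueExposed set")
    return findings


if __name__ == "__main__":
    for finding in check_passphrase_wiring(JOB, NODE) or ["wiring is consistent"]:
        print(finding)
```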

Deljin davis

Aug 28, 2025, 1:59:04 AM
to rundeck-discuss

Hi Xavier,

Thank you for your response. I would like to clarify the issue in detail:

  1. I created a job option as a password using “Plain Text with Password Input – value exposed in scripts and commands.”  If I use the fourth input type, This option can only be used in node executors for authentication, there should be a default value taken from the keystore.

  2. I created an Ansible playbook workflow step using the SSH passphrase from the secure option as ${option.password} (I also tried option.password), but it does not work and returns the error mentioned in our previous conversation.

  3. When I store the passphrase in the keystore and load it into the Ansible playbook, it works correctly. However, it does not work when using the password option directly in the job.

Passing the password value to a script or command step works as expected, but the same approach fails in an Ansible playbook workflow step. I would prefer not to store the key passphrase in the keystore, as I want to pass it securely at runtime. Currently, this secure runtime option does not function as intended for the Ansible playbook step.

Best regards,
Deljin Davis Kanukadan


Deljin davis

Aug 28, 2025, 3:36:31 AM
to rundeck-discuss
Hi Xavier, 
I was able to solve the problem by setting the passphrase option to secure and using option.password to pass it to the playbook. But I would like to know how I can use this logic in the Ansible ad hoc node executor, as there is no place where we can define the option variable for node executors.

Regards, 
Deljin Davis Kanukadan