Add default timeout to legacy ssh.ClientConfig (#15440)

* Add default timeout to legacy ssh.ClientConfig When using the deprecated Dynamic SSH Keys method, Vault will make an outbound SSH connection to an arbitrary remote host to place SSH keys. We now set a timeout of 1 minute for this connection. It is strongly recommended consumers of this SSH secrets engine feature migrate to the more secure, and otherwise equivalent, SSH certificates method. Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com> * Add changelog Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
2022-05-16 12:36:47 -04:00 · 2022-05-16 12:36:47 -04:00 · 0ce7c3b331
parent 71372e4ea8
commit 0ce7c3b331
2 changed files with 4 additions and 0 deletions
--- a/builtin/logical/ssh/util.go
+++ b/builtin/logical/ssh/util.go
@ -171,6 +171,7 @@ func createSSHComm(logger log.Logger, username, ip string, port int, hostkey str
 			ssh.PublicKeys(signer),
 		},
 		HostKeyCallback: insecureIgnoreHostWarning(logger),
+		Timeout:         1 * time.Minute,
 	}

 	connfunc := func() (net.Conn, error) {
--- a/changelog/15440.txt
+++ b/changelog/15440.txt
@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode.
+```