From 0ce7c3b3313f599f534618d35cdb6ef907d4254e Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Mon, 16 May 2022 12:36:47 -0400
Subject: [PATCH] Add default timeout to legacy ssh.ClientConfig (#15440)

* Add default timeout to legacy ssh.ClientConfig

When using the deprecated Dynamic SSH Keys method, Vault will make an outbound SSH connection to an arbitrary remote host to place SSH keys. We now set a timeout of 1 minute for this connection.

It is strongly recommended consumers of this SSH secrets engine feature migrate to the more secure, and otherwise equivalent, SSH certificates method.

Signed-off-by: Alexander Scheel

* Add changelog

Signed-off-by: Alexander Scheel
---
 builtin/logical/ssh/util.go | 1 +
 changelog/15440.txt | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 changelog/15440.txt

diff --git a/builtin/logical/ssh/util.go b/builtin/logical/ssh/util.go
index 4c924758f..afc4997ec 100644
--- a/builtin/logical/ssh/util.go
+++ b/builtin/logical/ssh/util.go
@@ -171,6 +171,7 @@ func createSSHComm(logger log.Logger, username, ip string, port int, hostkey str
 			ssh.PublicKeys(signer),
 		},
 		HostKeyCallback: insecureIgnoreHostWarning(logger),
+		Timeout: 1 * time.Minute,
 	}
 
 	connfunc := func() (net.Conn, error) {
diff --git a/changelog/15440.txt b/changelog/15440.txt
new file mode 100644
index 000000000..36e0c7944
--- /dev/null
+++ b/changelog/15440.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode.
+```
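Review bot: `ssh.ClientConfig.Timeout` is documented as bounding only the TCP dial performed by `ssh.Dial`; it does not cover the SSH handshake or any later channel I/O, so the added `Timeout: 1 * time.Minute` line leaves the handshake against an arbitrary remote host unbounded even when it is honoured. The last context line shows the connection being produced by a separate `connfunc` rather than by `ssh.Dial`, which suggests this field may not be consulted at all unless that function or the communicator reads `config.Timeout` — connfunc's body and the rest of createSSHComm lie outside the hunk, so this needs confirming. If the intent is to bound the whole connection setup, the robust form is a deadline on the returned `net.Conn` before the client handshake, e.g. `conn.SetDeadline(time.Now().Add(1 * time.Minute))` inside connfunc and cleared once the session is established; otherwise the field deserves a comment such as `// Timeout bounds only the TCP dial; the handshake and session I/O are not covered.` so the next reader does not assume more than it provides. The hunk does not add an import of `time`, which is fine only if util.go already imports it.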