Add default timeout to legacy ssh.ClientConfig (#15440)

* Add default timeout to legacy ssh.ClientConfig

When using the deprecated Dynamic SSH Keys method, Vault will make an
outbound SSH connection to an arbitrary remote host to place SSH keys.
We now set a timeout of 1 minute for this connection.

It is strongly recommended consumers of this SSH secrets engine feature
migrate to the more secure, and otherwise equivalent, SSH certificates
method.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Alexander Scheel 2022-05-16 12:36:47 -04:00 committed by GitHub
parent 71372e4ea8
commit 0ce7c3b331
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 4 additions and 0 deletions


@ -171,6 +171,7 @@ func createSSHComm(logger log.Logger, username, ip string, port int, hostkey str
ssh.PublicKeys(signer), ssh.PublicKeys(signer),
}, },
HostKeyCallback: insecureIgnoreHostWarning(logger), HostKeyCallback: insecureIgnoreHostWarning(logger),
Timeout: 1 * time.Minute,
} }
connfunc := func() (net.Conn, error) { connfunc := func() (net.Conn, error) {
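Review bot: `ssh.ClientConfig.Timeout` is only consulted by `ssh.Dial`, where it bounds the TCP connection establishment; it has no effect once a `net.Conn` is handed to `ssh.NewClientConn`. Since the context line right after the struct shows the connection being built by a custom `connfunc` dialer, please confirm the 1-minute bound actually applies on this path (e.g. that the dialer uses `net.DialTimeout` or sets a deadline on the returned conn), otherwise the new field is set but never enforced. Also confirm `time` is already imported in this file, as the hunk does not show the import block.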

changelog/15440.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
secrets/ssh: Add connection timeout of 1 minute for outbound SSH connection in deprecated Dynamic SSH Keys mode.
```
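Review bot: The entry describes a "connection timeout" but the value is hard-coded to 1 minute in the Go change; consider stating that it is fixed rather than configurable so operators with slow-to-reach hosts know there is no knob to raise it.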