From 3681f1e983e603db8b4be46e6fd793f535dbad50 Mon Sep 17 00:00:00 2001 From: Lucas Bajolet Date: Wed, 19 Apr 2023 17:40:17 -0400 Subject: [PATCH] communicator: don't set bastion cert if key is set When attempting to set the bastion key/certificate for authenticating with the bastion, we generally fallback to the ones defined by the SSH configuration. However, if the bastion SSH key is set, and not the certificate, but the SSH connection's are, since the conditions are separate, we end-up in a situation where the bastion's SSH key uses the one from the config, and the certificate fall backs to the one from the SSH connection. This in turn fails, as the certificate's public key matches the private key from the SSH connection, and not the bastion's. To avoid a situation like this, we only fallback to the SSH connection's certificate if the bastion's SSH key isn't set. --- communicator/config.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/communicator/config.go b/communicator/config.go index 331104b3e..e9160d919 100644 --- a/communicator/config.go +++ b/communicator/config.go @@ -503,12 +503,12 @@ func (c *Config) prepareSSH(ctx *interpolate.Context) []error { if c.SSHBastionPrivateKeyFile == "" && c.SSHPrivateKeyFile != "" { c.SSHBastionPrivateKeyFile = c.SSHPrivateKeyFile - } - if c.SSHBastionCertificateFile == "" && c.SSHCertificateFile != "" { - c.SSHBastionCertificateFile = c.SSHCertificateFile + // Only try to set the bastion certificate to the ssh certificate if the bastion private key isn't set + if c.SSHBastionCertificateFile == "" && c.SSHCertificateFile != "" { + c.SSHBastionCertificateFile = c.SSHCertificateFile + } } - } if c.SSHProxyHost != "" {
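Review bot: The mirrored mismatch is still reachable in the fallback block of prepareSSH: when `c.SSHBastionCertificateFile` is set but `c.SSHBastionPrivateKeyFile` is empty, the outer branch still copies `c.SSHPrivateKeyFile` into the bastion key, so the bastion gets the connection's private key paired with a certificate that was presumably issued for a different key. That is the failure the commit message describes, reversed. Consider rejecting that combination before the fallback with a guard such as `if c.SSHBastionCertificateFile != "" && c.SSHBastionPrivateKeyFile == "" {`, which would append an error to the slice this function returns (its name is not visible in the hunk), so the misconfiguration surfaces at validation time rather than as an authentication failure against the bastion. The added comment could also state the reason, for example `// Inherit the certificate only together with the key it belongs to; a certificate paired with another private key cannot authenticate.` The function begins and continues outside the hunk, and the patch touches only config.go, so a test for the bastion-key-set, certificate-unset case would help pin the new behaviour.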