paramiko_ssh_runner: add pubkey certificates

freddierice · freddierice · commit 97e67afb1551 · 2025-08-14T10:23:38.000-05:00
diff --git a/st2common/st2common/runners/parallel_ssh.py b/st2common/st2common/runners/parallel_ssh.py
@@ -46,6 +46,7 @@ def __init__(
         password=None,
         pkey_file=None,
         pkey_material=None,
+        pkey_certificate=None,
         port=22,
         bastion_host=None,
         concurrency=10,
@@ -68,6 +69,7 @@ def __init__(
         self._ssh_user = user
         self._ssh_key_file = pkey_file
         self._ssh_key_material = pkey_material
+        self._ssh_key_certificate = pkey_certificate
         self._ssh_password = password
         self._hosts = hosts
         self._successful_connects = 0
@@ -270,6 +272,7 @@ def _connect(self, host, results, raise_on_any_error=False):
             bastion_host=self._bastion_host,
             key_files=self._ssh_key_file,
             key_material=self._ssh_key_material,
+            key_certificate=self._ssh_key_certificate,
             passphrase=self._passphrase,
             handle_stdout_line_func=self._handle_stdout_line_func,
             handle_stderr_line_func=self._handle_stderr_line_func,
diff --git a/st2common/st2common/runners/paramiko_ssh.py b/st2common/st2common/runners/paramiko_ssh.py
@@ -102,6 +102,7 @@ def __init__(
         bastion_host=None,
         key_files=None,
         key_material=None,
+        key_certificate=None,
         timeout=None,
         passphrase=None,
         handle_stdout_line_func=None,
@@ -125,6 +126,7 @@ def __init__(
         self.key_files = key_files
         self.timeout = timeout
         self.key_material = key_material
+        self.key_certificate = key_certificate
         self.bastion_host = bastion_host
         self.passphrase = passphrase
         self.ssh_connect_timeout = cfg.CONF.ssh_runner.ssh_connect_timeout
@@ -628,14 +630,16 @@ def _get_decoded_data(self, data):
             self.logger.exception("Non UTF-8 character found in data: %s", data)
             raise
 
-    def _get_pkey_object(self, key_material, passphrase):
+    def _get_pkey_object(self, key_material, passphrase, key_certificate=None):
         """
         Try to detect private key type and return paramiko.PKey object.
         """
 
         for cls in [paramiko.RSAKey, paramiko.DSSKey, paramiko.ECDSAKey]:
             try:
                 key = cls.from_private_key(StringIO(key_material), password=passphrase)
+                if key_certificate is not None:
+                    key.load_certificate(key_certificate)
             except paramiko.ssh_exception.SSHException:
                 # Invalid key, try other key type
                 pass
@@ -758,8 +762,8 @@ def _connect(self, host, socket=None):
 
         if self.key_material:
             conninfo["pkey"] = self._get_pkey_object(
-                key_material=self.key_material, passphrase=self.passphrase
-            )
+                key_material=self.key_material, passphrase=self.passphrase,
+                key_certificate=self.key_certificate)
 
         if not self.password and not (self.key_files or self.key_material):
             conninfo["allow_agent"] = True
diff --git a/st2common/st2common/runners/paramiko_ssh_runner.py b/st2common/st2common/runners/paramiko_ssh_runner.py
@@ -38,6 +38,7 @@
 RUNNER_USERNAME = "username"
 RUNNER_PASSWORD = "password"
 RUNNER_PRIVATE_KEY = "private_key"
+RUNNER_CERTIFICATE = "certificate"
 RUNNER_PARALLEL = "parallel"
 RUNNER_SUDO = "sudo"
 RUNNER_SUDO_PASSWORD = "sudo_password"
@@ -64,6 +65,7 @@ def __init__(self, runner_id):
         self._username = None
         self._password = None
         self._private_key = None
+        self._certificate = None
         self._passphrase = None
         self._kwarg_op = "--"
         self._cwd = None
@@ -93,6 +95,7 @@ def pre_run(self):
         self._username = self.runner_parameters.get(RUNNER_USERNAME, None)
         self._password = self.runner_parameters.get(RUNNER_PASSWORD, None)
         self._private_key = self.runner_parameters.get(RUNNER_PRIVATE_KEY, None)
+        self._certificate = self.runner_parameters.get(RUNNER_CERTIFICATE, None)
         self._passphrase = self.runner_parameters.get(RUNNER_PASSPHRASE, None)
 
         self._ssh_port = self.runner_parameters.get(RUNNER_SSH_PORT, None)
@@ -200,6 +203,9 @@ def store_stderr_line(line):
             # Default to stanley key file specified in the config
             client_kwargs["pkey_file"] = self._ssh_key_file
 
+        if self._certificate:
+            client_kwargs["pkey_certificate"] = self._certificate
+
         if self._sudo_password:
             client_kwargs["sudo_password"] = True
 
