Merge pull request #6713 from hashicorp/cleanup_keys

new option allowing user to clean up the ephemeral ssh key from the a…

builder/alicloud/ecs/builder.go

@@ -157,6 +157,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.RunConfig.Comm,
+		},
 		&stepStopAlicloudInstance{
 			ForceStop: b.config.ForceStopInstance,
 		},

builder/amazon/ebs/builder.go

@@ -211,6 +211,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.RunConfig.Comm,
+		},
 		&awscommon.StepStopEBSBackedInstance{
 			Skip:                b.config.IsSpotInstance(),
 			DisableStopInstance: b.config.DisableStopInstance,

builder/amazon/ebssurrogate/builder.go

@@ -228,6 +228,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.RunConfig.Comm,
+		},
 		&awscommon.StepStopEBSBackedInstance{
 			Skip:                b.config.IsSpotInstance(),
 			DisableStopInstance: b.config.DisableStopInstance,

builder/amazon/ebsvolume/builder.go

@@ -203,6 +203,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.RunConfig.Comm,
+		},
 		&awscommon.StepStopEBSBackedInstance{
 			Skip:                b.config.IsSpotInstance(),
 			DisableStopInstance: b.config.DisableStopInstance,

builder/amazon/instance/builder.go

@@ -286,6 +286,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.RunConfig.Comm,
+		},
 		&StepUploadX509Cert{},
 		&StepBundleVolume{
 			Debug: b.config.PackerDebug,

builder/azure/arm/builder.go

@@ -177,6 +177,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 				SSHConfig: b.config.Comm.SSHConfigFunc(),
 			},
 			&packerCommon.StepProvision{},
+			&packerCommon.StepCleanupTempKeys{
+				Comm: &b.config.Comm,
+			},
 			NewStepGetOSDisk(azureClient, ui),
 			NewStepGetAdditionalDisks(azureClient, ui),
 			NewStepPowerOffCompute(azureClient, ui),

builder/cloudstack/builder.go

@@ -82,6 +82,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			WinRMPort: commPort,
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		&stepShutdownInstance{},
 		&stepCreateTemplate{},
 	}

builder/digitalocean/builder.go

@@ -90,6 +90,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		new(common.StepProvision),
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		new(stepShutdown),
 		new(stepPowerOff),
 		new(stepSnapshot),

builder/docker/builder.go

@@ -54,6 +54,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			},
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 	}
 
 	if b.config.Discard {

builder/googlecompute/builder.go

@@ -71,6 +71,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			WinRMConfig: winrmConfig,
 		},
 		new(common.StepProvision),
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 	}
 	if _, exists := b.config.Metadata[StartupScriptKey]; exists || b.config.StartupScriptFile != "" {
 		steps = append(steps, new(StepWaitStartupScript))

builder/hyperv/iso/builder.go

@@ -460,6 +460,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 		// provision requires communicator to be setup
 		&common.StepProvision{},
 
+		// Remove ephemeral key from authorized_hosts if using SSH communicator
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
+
 		&hypervcommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

builder/hyperv/vmcx/builder.go

@@ -489,6 +489,11 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 		// provision requires communicator to be setup
 		&common.StepProvision{},
 
+		// Remove ephemeral SSH keys, if using
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
+
 		&hypervcommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

builder/ncloud/builder.go

@@ -54,6 +54,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 				SSHConfig: b.config.Comm.SSHConfigFunc(),
 			},
 			&common.StepProvision{},
+			&common.StepCleanupTempKeys{
+				Comm: &b.config.Comm,
+			},
 			NewStepStopServerInstance(conn, ui),
 			NewStepCreateServerImage(conn, ui, b.config),
 			NewStepDeleteBlockStorageInstance(conn, ui, b.config),

builder/oneandone/builder.go

@@ -48,6 +48,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		new(stepTakeSnapshot),
 	}
 

builder/openstack/builder.go

@@ -133,6 +133,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.RunConfig.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.RunConfig.Comm,
+		},
 		&StepStopServer{},
 		&StepDetachVolume{
 			UseBlockStorageVolume: b.config.UseBlockStorageVolume,

builder/oracle/classic/builder.go

@@ -77,6 +77,12 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		&stepSnapshot{},
 		&stepListImages{},
 	}

builder/oracle/oci/builder.go

@@ -69,6 +69,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		&stepImage{},
 	}
 

builder/parallels/iso/builder.go

@@ -209,6 +209,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Ctx:                     b.config.ctx,
 		},
 		new(common.StepProvision),
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
 		&parallelscommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

builder/parallels/pvm/builder.go

@@ -102,6 +102,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,
 		},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
 		&parallelscommon.StepPrlctl{
 			Commands: b.config.PrlctlPost,
 			Ctx:      b.config.ctx,

builder/profitbricks/builder.go

@@ -45,6 +45,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		new(stepTakeSnapshot),
 	}
 

builder/qemu/builder.go

@@ -403,6 +403,12 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 	steps = append(steps,
 		new(common.StepProvision),
 	)
+
+	steps = append(steps,
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
+	)
 	steps = append(steps,
 		new(stepShutdown),
 	)

builder/scaleway/builder.go

@@ -61,6 +61,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		new(common.StepProvision),
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.Comm,
+		},
 		new(stepShutdown),
 		new(stepSnapshot),
 		new(stepImage),

builder/triton/builder.go

@@ -68,6 +68,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			SSHConfig: b.config.Comm.SSHConfigFunc(),
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &config.Comm,
+		},
 		&StepStopMachine{},
 		&StepCreateImageFromMachine{},
 		&StepDeleteMachine{},

builder/virtualbox/iso/builder.go

@@ -267,6 +267,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Ctx:                b.config.ctx,
 		},
 		new(common.StepProvision),
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
 		&vboxcommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

builder/virtualbox/ovf/builder.go

@@ -128,6 +128,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Ctx:                b.config.ctx,
 		},
 		new(common.StepProvision),
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
 		&vboxcommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

builder/vmware/iso/builder.go

@@ -368,6 +368,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Ctx:               b.config.ctx,
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
 		&vmwcommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

builder/vmware/vmx/builder.go

@@ -111,6 +111,9 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Ctx:               b.config.ctx,
 		},
 		&common.StepProvision{},
+		&common.StepCleanupTempKeys{
+			Comm: &b.config.SSHConfig.Comm,
+		},
 		&vmwcommon.StepShutdown{
 			Command: b.config.ShutdownCommand,
 			Timeout: b.config.ShutdownTimeout,

common/step_cleanup_temp_keys.go

@@ -0,0 +1,56 @@
+package common
+
+import (
+	"context"
+	"fmt"
+	"log"
+
+	"github.com/hashicorp/packer/helper/communicator"
+	"github.com/hashicorp/packer/helper/multistep"
+	"github.com/hashicorp/packer/packer"
+)
+
+type StepCleanupTempKeys struct {
+	Comm *communicator.Config
+}
+
+func (s *StepCleanupTempKeys) Run(_ context.Context, state multistep.StateBag) multistep.StepAction {
+	// This step is mostly cosmetic; Packer deletes the ephemeral keys anyway
+	// so there's no realistic situation where these keys can cause issues.
+	// However, it's nice to clean up after yourself.
+
+	comm := state.Get("communicator").(packer.Communicator)
+	ui := state.Get("ui").(packer.Ui)
+
+	if !s.Comm.SSHClearAuthorizedKeys {
+		return multistep.ActionContinue
+	}
+
+	if s.Comm.Type != "ssh" {
+		return multistep.ActionContinue
+	}
+
+	if s.Comm.SSHTemporaryKeyPairName == "" {
+		return multistep.ActionContinue
+	}
+
+	cmd := new(packer.RemoteCmd)
+
+	ui.Say("Trying to remove ephemeral keys from authorized_keys files")
+
+	cmd.Command = fmt.Sprintf("sed -i.bak '/ssh-rsa.*%s$/d' ~/.ssh/authorized_keys; rm ~/.ssh/authorized_keys.bak", s.Comm.SSHTemporaryKeyPairName)
+	if err := cmd.StartWithUi(comm, ui); err != nil {
+		log.Printf("Error cleaning up ~/.ssh/authorized_keys; please clean up keys manually: %s", err)
+	}
+	cmd = new(packer.RemoteCmd)
+	cmd.Command = fmt.Sprintf("sudo sed -i.bak '/ssh-rsa.*%s$/d' /root/.ssh/authorized_keys; sudo rm /root/.ssh/authorized_keys.bak", s.Comm.SSHTemporaryKeyPairName)
+
+	if err := cmd.StartWithUi(comm, ui); err != nil {
+		log.Printf("Error cleaning up /root/.ssh/authorized_keys; please clean up keys manually: %s", err)
+	}
+
+	return multistep.ActionContinue
+}
+
+func (s *StepCleanupTempKeys) Cleanup(state multistep.StateBag) {
+}

helper/communicator/config.go

@@ -31,6 +31,7 @@ type Config struct {
 	SSHPrivateKey             []byte        `mapstructure:"ssh_private_key"`
 	SSHKeyPairName            string        `mapstructure:"ssh_keypair_name"`
 	SSHTemporaryKeyPairName   string        `mapstructure:"temporary_key_pair_name"`
+	SSHClearAuthorizedKeys    bool          `mapstructure:"ssh_clear_authorized_keys"`
 	SSHPrivateKeyFile         string        `mapstructure:"ssh_private_key_file"`
 	SSHInterface              string        `mapstructure:"ssh_interface"`
 	SSHIPVersion              string        `mapstructure:"ssh_ip_version"`

website/source/docs/templates/communicator.html.md

@@ -79,6 +79,13 @@ The SSH communicator has the following options:
 -   `ssh_bastion_username` (string) - The username to connect to the bastion
     host.
 
+-   `ssh_clear_authorized_keys` (boolean) - If true, Packer will attempt to
+    remove its temporary key from `~/.ssh/authorized_keys` and
+    `/root/.ssh/authorized_keys`. This is a mostly cosmetic option, since Packer
+    will delete the temporary private key from the host system regardless of
+    whether this is set to true (unless the user has set the `-debug` flag).
+    Defaults to "false"; currently only works on guests with `sed` installed.
+
 -   `ssh_disable_agent_forwarding` (boolean) - If true, SSH agent forwarding
     will be disabled. Defaults to `false`.