"invalid indirect expansion" message on Ubuntu/Mint

[MegaDrive68k]

Using the plugin under Ubuntu 20.04.1 and Linux Mint 20 always print the following messages (WAR based installation):

It seems related to how these linux distributions interprets ssh.exec.sh and ssh-copy.sh files (at libext/cache path).

Related: https://stackoverflow.com/a/8515492/10426011

On Centos WAR based installation works well.

[syrm]

Any new ? :-)

[DerDanilo]

Still the same with 2.0.1:
/var/lib/rundeck/libext/cache/openssh-node-execution-2.0.1/ssh-exec.sh: line 92: rd_secure_passphrase: invalid indirect expansion

Ubuntu 20.04 and Debian 10

 92    if [[ -n "${!rd_secure_passphrase}" ]]; then
 93         mkdir -p "/tmp/.ssh-exec"
 94         SSH_KEY_PASSPHRASE_STORAGE_PATH=$(mktemp "/tmp/.ssh-exec/ssh-passfile.$USER@$HOST.XXXXX")
 95         echo "${!rd_secure_passphrase}" > "$SSH_KEY_PASSPHRASE_STORAGE_PATH"
 96
 97         RUNSSH="sshpass -P passphrase -f $SSH_KEY_PASSPHRASE_STORAGE_PATH ssh $SSHOPTS $USER@$HOST $CMD"
 98
 99         trap 'rm "$SSH_KEY_PASSPHRASE_STORAGE_PATH"' EXIT
100     fi

[ghost]

Having the same issue, running Rundeck under Kubernetes. We updated several images and the issue seems to be when updating both Debian to v10 and JRE to version 11. We'll investigate further.

[ghost]

Issue seems related to Debian 10, which now logs warning when an empty expansion is passed.

A quick (and dirty) solution may be to put in each Rundeck project "SSH Passphrase with a Job Option" with "option.passphrase", for both Node Executor and File Copier.
Another solution would be to test the passphrase expansion variable in ssh-exec and ssh-copy bash script before, I guess...

[syrm]

You could try replace ${!rd_secure_passphrase} by ${rd_secure_passphrase+x}

[DerDanilo]

Can this please be fixed upstream somehow? The problem also persists to other modules/scripts from 'openssh-node-execution'.

[dldrk]

Still happening on 3.3.9, plugin 2.0.1 version with password or private key, Deb install

VERSION="20.04.1 LTS (Focal Fossa)"
VERSION_ID="20.04"
VERSION_CODENAME=focal

GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)

[scornet256]

You could try replace ${!rd_secure_passphrase} by ${rd_secure_passphrase+x}

This worked for me on Ubuntu 20.04 with Rundeck 3.3.9.

[psykotox]

Same problem with Debian Buster and rundeck 3.3.12 (plugin 2.0.1) 😐
@ltamaster or another contributor, can you do this quick fix ?

[ttoossaa]

I have the same issue. An upstream fix would be great. Thanks.

[1kUHuiswkvj7spRO]

Also seeing this issue on 3.4.9, Ubuntu 20.04. DEB install.

[Burning94]

Same than booshlinux

[xavier8854]

FWIW, the issue is still present on Ubuntu 22.04LTS, with Rundeck 4.3.0
Xavier

[erhhung]

While it works by replacing ${!rd_secure_passphrase} by ${rd_secure_passphrase+x} as mentioned, I'm finding that when I restart the service (sudo service rundeckd restart), the ssh-copy.sh script under /var/lib/rundeck/libext/cache/openssh-node-execution-2.0.2/ gets "refreshed" to their original, unpatched versions.
I'm running Rundeck 4.4.0.20220714-1 on Amazon Linux 2 (CentOS).

Where can i "hook in" to the service startup process so I can add a sed command to patch ssh-copy.sh after it performs a refresh of those scripts?

sudo sed -Ei 's/\$\{\!rd_secure_passphrase\}/${rd_secure_passphrase+x}/g' /var/lib/rundeck/libext/cache/openssh-node-execution-2.0.2/ssh-copy.sh

[tanji]

The issue is still visible after upgrading:

**/var/lib/rundeck/libext/cache/openssh-node-execution-2.0.2/ssh-copy.sh: line 93: rd_secure_passphrase: invalid indirect expansion
**

[halradaideh]

still here
4.6.1

[panticz]

The rd_secure_passphrase: invalid indirect expansion issue still appears on Rundeck build: 4.10.0-SNAPSHOT (Docker Container) and openssh-node-execution 2.0.2 when openssh executor (ssh-exec / ssh-copier) is chosen:

/home/rundeck/libext/cache/openssh-node-execution-2.0.2/ssh-copy.sh: line 93: rd_secure_passphrase: invalid indirect expansion

The executor is configured by

rd projects configure update -p MyProject1 -- \
  --service.FileCopier.default.provider=ssh-copier \
  --service.NodeExecutor.default.provider=ssh-exec \
  --project.plugin.NodeExecutor.ssh-exec.authentication=privatekey \
  --project.plugin.FileCopier.ssh-copier.authentication=privatekey \
  --project.plugin.NodeExecutor.ssh-exec.ssh_key_storage_path=keys/id_rsa \
  --project.plugin.FileCopier.ssh-copier.ssh_key_storage_path=keys/id_rsa

Until the issue is fixed a simple workaround may by:

rd projects configure update -p MyProject1 -- \
  --project.plugin.FileCopier.ssh-copier.ssh_key_passphrase_option=fix_me

[daniel-chamberland]

@erhhung This ssh-copy.sh file exists in the openssh-node-execution plug-in, currently still broken in plug-in version 2.0.2. Until this gets fixed, you can update ssh-copy.sh in that plug-in yourself. When RunDeck restarts, the plug-in is extracted to the cache folder you indicate.

Note that this issue has been reported here: #31

Location of plug-in on my Ubuntu 20.04 system running RunDeck 4.10.1: /var/lib/rundeck/libext/openssh-node-execution-2.0.2.zip

To match the changes already made to ssh-exec.sh, then:

Replace
if [[ -n "${!rd_secure_passphrase}" ]]; then with
if [[ -n $rd_secure_passphrase ]] && [[ -n "${!rd_secure_passphrase}" ]]; then

And replace
if [[ -n "${!rd_secure_password}" ]]; then with
if [[ -n "$rd_secure_password" ]] && [[ -n "${!rd_secure_password}" ]]; then

I'm trying to automate this so I don't have to do it manually every time I update RunDeck or build a new deployment. I'm able to use sed in bash to update the ssh-copy.sh script, which you can use to update the plug-in .zip file. It looks messy, but it works. It'll preserve any number of whitespaces that exist before the matching statement:

unzip -o /var/lib/rundeck/libext/openssh-node-execution-2.0.2.zip -d /home/rundeck/temp

sed -i 's/^\([[:blank:]]*\)if \[\[ -n "\${!rd_secure_passphrase}" \]\]; then$/\1if \[\[ -n \$rd_secure_passphrase \]\] \&\& \[\[ -n "\${!rd_secure_passphrase}" \]\]; then/g' openssh-node-execution-2.0.2/contents/ssh-copy.sh

sed -i 's/^\([[:blank:]]*\)if \[\[ -n "\${!rd_secure_password}" \]\]; then$/\1if \[\[ -n "\$rd_secure_password" \]\] \&\& \[\[ -n "${!rd_secure_password}" \]\]; then/g' openssh-node-execution-2.0.2/contents/ssh-copy.sh

cd /home/rundeck/temp

zip /var/lib/rundeck/libext/openssh-node-execution-2.0.2.zip openssh-node-execution-2.0.2/contents/ssh-copy.sh

[Kuermel]

@L2JE Would be great if you could have a look at the pull request. This small fix should be able to close this only half-fixed issue finally.
#32

[sravanthic12]

You could try replace ${!rd_secure_passphrase} by ${rd_secure_passphrase+x}

But we restart Rundeck service, it replacing with original string ${!rd_secure_passphrase} in the file. Can we include in rundeckd file to replace this after every restart?

[xavier8854]

Still present in 5.3.0

[xavier8854]

Please, fix this, is it still present in 5.4.0. Manually patching is irrelevant forb the exposed reasons

[DerDanilo]

I don't understand why this is ignored for such a long time? How do others work arround this?

[sravanthic12]

I downloaded plugin openssh-node-execution-2.0.3 version and installed it on my Rundeck 5.1.1
I don't find any issues now.