diff --git a/builtin/provisioners/remote-exec/resource_provisioner.go b/builtin/provisioners/remote-exec/resource_provisioner.go
index 7fdf37cb3..04e2fe12a 100644
--- a/builtin/provisioners/remote-exec/resource_provisioner.go
+++ b/builtin/provisioners/remote-exec/resource_provisioner.go
@@ -14,7 +14,6 @@ import (
 	"code.google.com/p/go.crypto/ssh"
 	helper "github.com/hashicorp/terraform/helper/ssh"
 	"github.com/hashicorp/terraform/terraform"
-	"github.com/mitchellh/mapstructure"
 )
 
 const (
@@ -37,29 +36,15 @@ const (
 
 type ResourceProvisioner struct{}
 
-// SSHConfig is decoded from the ConnInfo of the resource. These
-// are the only keys we look at. If a KeyFile is given, that is used
-// instead of a password.
-type SSHConfig struct {
-	User       string
-	Password   string
-	KeyFile    string `mapstructure:"key_file"`
-	Host       string
-	Port       int
-	Timeout    string
-	ScriptPath string        `mapstructure:"script_path"`
-	TimeoutVal time.Duration `mapstructure:"-"`
-}
-
 func (p *ResourceProvisioner) Apply(s *terraform.ResourceState,
 	c *terraform.ResourceConfig) (*terraform.ResourceState, error) {
 	// Ensure the connection type is SSH
-	if err := p.verifySSH(s); err != nil {
+	if err := helper.VerifySSH(s); err != nil {
 		return s, err
 	}
 
 	// Get the SSH configuration
-	conf, err := p.sshConfig(s)
+	conf, err := helper.ParseSSHConfig(s)
 	if err != nil {
 		return s, err
 	}
@@ -100,50 +85,6 @@ func (p *ResourceProvisioner) Validate(c *terraform.ResourceConfig) (ws []string
 	return
 }
 
-// verifySSH is used to verify the ConnInfo is usable by remote-exec
-func (p *ResourceProvisioner) verifySSH(s *terraform.ResourceState) error {
-	connType := s.ConnInfo["type"]
-	switch connType {
-	case "":
-	case "ssh":
-	default:
-		return fmt.Errorf("Connection type '%s' not supported", connType)
-	}
-	return nil
-}
-
-// sshConfig is used to convert the ConnInfo of the ResourceState into
-// a SSHConfig struct
-func (p *ResourceProvisioner) sshConfig(s *terraform.ResourceState) (*SSHConfig, error) {
-	sshConf := &SSHConfig{}
-	decConf := &mapstructure.DecoderConfig{
-		WeaklyTypedInput: true,
-		Result:           sshConf,
-	}
-	dec, err := mapstructure.NewDecoder(decConf)
-	if err != nil {
-		return nil, err
-	}
-	if err := dec.Decode(s.ConnInfo); err != nil {
-		return nil, err
-	}
-	if sshConf.User == "" {
-		sshConf.User = DefaultUser
-	}
-	if sshConf.Port == 0 {
-		sshConf.Port = DefaultPort
-	}
-	if sshConf.ScriptPath == "" {
-		sshConf.ScriptPath = DefaultScriptPath
-	}
-	if sshConf.Timeout != "" {
-		sshConf.TimeoutVal = safeDuration(sshConf.Timeout, DefaultTimeout)
-	} else {
-		sshConf.TimeoutVal = DefaultTimeout
-	}
-	return sshConf, nil
-}
-
 // generateScript takes the configuration and creates a script to be executed
 // from the inline configs
 func (p *ResourceProvisioner) generateScript(c *terraform.ResourceConfig) (string, error) {
@@ -234,7 +175,7 @@ func (p *ResourceProvisioner) collectScripts(c *terraform.ResourceConfig) ([]io.
 }
 
 // runScripts is used to copy and execute a set of scripts
-func (p *ResourceProvisioner) runScripts(conf *SSHConfig, scripts []io.ReadCloser) error {
+func (p *ResourceProvisioner) runScripts(conf *helper.SSHConfig, scripts []io.ReadCloser) error {
 	sshConf := &ssh.ClientConfig{
 		User: conf.User,
 	}
@@ -334,16 +275,6 @@ func retryFunc(timeout time.Duration, f func() error) error {
 	}
 }
 
-// safeDuration returns either the parsed duration or a default value
-func safeDuration(dur string, defaultDur time.Duration) time.Duration {
-	d, err := time.ParseDuration(dur)
-	if err != nil {
-		log.Printf("Invalid duration '%s' for remote-exec, using default", dur)
-		return defaultDur
-	}
-	return d
-}
-
 // streamLogs is used to stream lines from stdout/stderr
 // of a remote command to log output for users.
 func streamLogs(r io.ReadCloser, name string) {
diff --git a/builtin/provisioners/remote-exec/resource_provisioner_test.go b/builtin/provisioners/remote-exec/resource_provisioner_test.go
index 5d6dca377..74944771f 100644
--- a/builtin/provisioners/remote-exec/resource_provisioner_test.go
+++ b/builtin/provisioners/remote-exec/resource_provisioner_test.go
@@ -41,64 +41,6 @@ func TestResourceProvider_Validate_bad(t *testing.T) {
 	}
 }
 
-func TestResourceProvider_verifySSH(t *testing.T) {
-	p := new(ResourceProvisioner)
-	r := &terraform.ResourceState{
-		ConnInfo: map[string]string{
-			"type": "telnet",
-		},
-	}
-	if err := p.verifySSH(r); err == nil {
-		t.Fatalf("expected error with telnet")
-	}
-	r.ConnInfo["type"] = "ssh"
-	if err := p.verifySSH(r); err != nil {
-		t.Fatalf("err: %v", err)
-	}
-}
-
-func TestResourceProvider_sshConfig(t *testing.T) {
-	p := new(ResourceProvisioner)
-	r := &terraform.ResourceState{
-		ConnInfo: map[string]string{
-			"type":     "ssh",
-			"user":     "root",
-			"password": "supersecret",
-			"key_file": "/my/key/file.pem",
-			"host":     "127.0.0.1",
-			"port":     "22",
-			"timeout":  "30s",
-		},
-	}
-
-	conf, err := p.sshConfig(r)
-	if err != nil {
-		t.Fatalf("err: %v", err)
-	}
-
-	if conf.User != "root" {
-		t.Fatalf("bad: %v", conf)
-	}
-	if conf.Password != "supersecret" {
-		t.Fatalf("bad: %v", conf)
-	}
-	if conf.KeyFile != "/my/key/file.pem" {
-		t.Fatalf("bad: %v", conf)
-	}
-	if conf.Host != "127.0.0.1" {
-		t.Fatalf("bad: %v", conf)
-	}
-	if conf.Port != 22 {
-		t.Fatalf("bad: %v", conf)
-	}
-	if conf.Timeout != "30s" {
-		t.Fatalf("bad: %v", conf)
-	}
-	if conf.ScriptPath != DefaultScriptPath {
-		t.Fatalf("bad: %v", conf)
-	}
-}
-
 func TestResourceProvider_generateScript(t *testing.T) {
 	p := new(ResourceProvisioner)
 	conf := testConfig(t, map[string]interface{}{
diff --git a/helper/ssh/provisioner.go b/helper/ssh/provisioner.go
new file mode 100644
index 000000000..e4844cc06
--- /dev/null
+++ b/helper/ssh/provisioner.go
@@ -0,0 +1,96 @@
+package ssh
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/hashicorp/terraform/terraform"
+	"github.com/mitchellh/mapstructure"
+)
+
+const (
+	// DefaultUser is used if there is no default user given
+	DefaultUser = "root"
+
+	// DefaultPort is used if there is no port given
+	DefaultPort = 22
+
+	// DefaultScriptPath is used as the path to copy the file to
+	// for remote execution if not provided otherwise.
+	DefaultScriptPath = "/tmp/script.sh"
+
+	// DefaultTimeout is used if there is no timeout given
+	DefaultTimeout = 5 * time.Minute
+
+	// DefaultShebang is added at the top of the script file
+	DefaultShebang = "#!/bin/sh"
+)
+
+// SSHConfig is decoded from the ConnInfo of the resource. These
+// are the only keys we look at. If a KeyFile is given, that is used
+// instead of a password.
+type SSHConfig struct {
+	User       string
+	Password   string
+	KeyFile    string `mapstructure:"key_file"`
+	Host       string
+	Port       int
+	Timeout    string
+	ScriptPath string        `mapstructure:"script_path"`
+	TimeoutVal time.Duration `mapstructure:"-"`
+}
+
+// verifySSH is used to verify the ConnInfo is usable by remote-exec
+func VerifySSH(s *terraform.ResourceState) error {
+	connType := s.ConnInfo["type"]
+	switch connType {
+	case "":
+	case "ssh":
+	default:
+		return fmt.Errorf("Connection type '%s' not supported", connType)
+	}
+	return nil
+}
+
+// ParseSSHConfig is used to convert the ConnInfo of the ResourceState into
+// a SSHConfig struct
+func ParseSSHConfig(s *terraform.ResourceState) (*SSHConfig, error) {
+	sshConf := &SSHConfig{}
+	decConf := &mapstructure.DecoderConfig{
+		WeaklyTypedInput: true,
+		Result:           sshConf,
+	}
+	dec, err := mapstructure.NewDecoder(decConf)
+	if err != nil {
+		return nil, err
+	}
+	if err := dec.Decode(s.ConnInfo); err != nil {
+		return nil, err
+	}
+	if sshConf.User == "" {
+		sshConf.User = DefaultUser
+	}
+	if sshConf.Port == 0 {
+		sshConf.Port = DefaultPort
+	}
+	if sshConf.ScriptPath == "" {
+		sshConf.ScriptPath = DefaultScriptPath
+	}
+	if sshConf.Timeout != "" {
+		sshConf.TimeoutVal = safeDuration(sshConf.Timeout, DefaultTimeout)
+	} else {
+		sshConf.TimeoutVal = DefaultTimeout
+	}
+	return sshConf, nil
+}
+
+// safeDuration returns either the parsed duration or a default value
+func safeDuration(dur string, defaultDur time.Duration) time.Duration {
+	d, err := time.ParseDuration(dur)
+	if err != nil {
+		log.Printf("Invalid duration '%s', using default of %s", dur, defaultDur)
+		return defaultDur
+	}
+	return d
+}
diff --git a/helper/ssh/provisioner_test.go b/helper/ssh/provisioner_test.go
new file mode 100644
index 000000000..c215e8d29
--- /dev/null
+++ b/helper/ssh/provisioner_test.go
@@ -0,0 +1,63 @@
+package ssh
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestResourceProvider_verifySSH(t *testing.T) {
+	r := &terraform.ResourceState{
+		ConnInfo: map[string]string{
+			"type": "telnet",
+		},
+	}
+	if err := VerifySSH(r); err == nil {
+		t.Fatalf("expected error with telnet")
+	}
+	r.ConnInfo["type"] = "ssh"
+	if err := VerifySSH(r); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+}
+
+func TestResourceProvider_sshConfig(t *testing.T) {
+	r := &terraform.ResourceState{
+		ConnInfo: map[string]string{
+			"type":     "ssh",
+			"user":     "root",
+			"password": "supersecret",
+			"key_file": "/my/key/file.pem",
+			"host":     "127.0.0.1",
+			"port":     "22",
+			"timeout":  "30s",
+		},
+	}
+
+	conf, err := ParseSSHConfig(r)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	if conf.User != "root" {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.Password != "supersecret" {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.KeyFile != "/my/key/file.pem" {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.Host != "127.0.0.1" {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.Port != 22 {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.Timeout != "30s" {
+		t.Fatalf("bad: %v", conf)
+	}
+	if conf.ScriptPath != DefaultScriptPath {
+		t.Fatalf("bad: %v", conf)
+	}
+}