Setting ANSIBLE_HOST_KEY_CHECKING per host


junkmailt...@gmail.com

Feb 27, 2015, 3:31:26 PM
to ansible...@googlegroups.com
Is it possible to set ANSIBLE_HOST_KEY_CHECKING on a per host or host group basis? This would help prevent my known_hosts file from becoming cluttered with test boxes but still ensure when I talk to production hosts I can verify their identity.

Erik-jan Riemers

Mar 1, 2015, 9:14:43 AM
to ansible...@googlegroups.com
You can do a ssh-keyscan and generate the production servers and make it into a known_hosts file; this will remove all your test servers and keep production in there. Something like:
ssh-keyscan -t rsa -H "<servername>" "<servername2>" "<servername3>" > ~/.ssh/known_hosts

Don't know if it's what you want, but it's an option.. ;p

On Friday, 27 February 2015 at 21:31:26 UTC+1, junkmailt...@gmail.com wrote:

junkmailt...@gmail.com

Mar 3, 2015, 5:39:08 PM
to ansible...@googlegroups.com
Good to know, but not quite what I'm looking for.

Tom Bamford

Mar 4, 2015, 10:34:54 PM
to ansible...@googlegroups.com

You could perhaps achieve this with a crafted ssh_config. Especially if your hosts are named predictably.

Consider if your production hosts have names in the form host5.prod.domain.net and other environments are different such as host3.stage.domain.net

A corresponding ssh_config might be (note that first option match wins):

Host *.prod.domain.net
    StrictHostKeyChecking yes

Host *.domain.net
    StrictHostKeyChecking no

Hope this helps


--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/aea601ab-0423-4cf5-8111-380bf4384f94%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
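
Added example, not part of the original thread: a small Python model of how ssh_config resolves StrictHostKeyChecking under the first-match rule from the post above, showing that reversing the two Host blocks turns verification off for the production names. The parser is a simplification (no Match or Include, fnmatch globbing); the REVERSED config and all function names are constructed for illustration.

```python
import fnmatch

# Constructed configs using the host naming from the post above.
GOOD = """\
Host *.prod.domain.net
    StrictHostKeyChecking yes
Host *.domain.net
    StrictHostKeyChecking no
"""
# Same blocks, opposite order: the broad pattern now matches first.
REVERSED = """\
Host *.domain.net
    StrictHostKeyChecking no
Host *.prod.domain.net
    StrictHostKeyChecking yes
"""

def host_matches(patterns, hostname):
    """A Host line applies if a positive pattern matches and no '!' pattern does."""
    pats = [p.lower() for p in patterns]
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in pats if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in pats if not p.startswith("!"))

def effective(config, hostname, keyword="StrictHostKeyChecking", default="ask"):
    """Return the first value obtained for keyword; later matches are ignored."""
    active = True  # options before the first Host line apply to every host
    for raw in config.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            active = host_matches(args, hostname.lower())
        elif active and key == keyword.lower() and args:
            return args[0].lower()
    return default  # OpenSSH's built-in default for StrictHostKeyChecking

def unverified(config, hosts):
    """Hosts whose keys would be accepted without verification."""
    return [h for h in hosts if effective(config, h) in ("no", "off")]

if __name__ == "__main__":
    hosts = ["host5.prod.domain.net", "host3.stage.domain.net"]
    for name, cfg in (("GOOD", GOOD), ("REVERSED", REVERSED)):
        print(name, {h: effective(cfg, h) for h in hosts}, unverified(cfg, hosts))
```

On a machine with OpenSSH installed, `ssh -G <hostname>` prints the options ssh itself resolves for a name and can be used to confirm the same result against a real config.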

Brian Coca

Mar 5, 2015, 7:20:28 AM
to ansible...@googlegroups.com
you can set ansible_ssh_args per group/host

--
Brian Coca

junkmailt...@gmail.com

Mar 5, 2015, 10:20:39 AM
to ansible...@googlegroups.com
Does this override any ssh_args setting I have in ansible.cfg?

Adding ansible_ssh_args='-o StrictHostKeyChecking=no' after the host in the inventory file didn't seem to do anything.

Also, it seems like in general using StrictHostKeyChecking still adds the key to known_hosts; it just doesn't ask first.

Michael Peters

Mar 5, 2015, 11:18:38 AM
to ansible...@googlegroups.com
Can you really set ansible_ssh_args per group/host? I remember trying
it a while ago and it didn't work. And it's not mentioned here:
http://docs.ansible.com/intro_inventory.html#list-of-behavioral-inventory-parameters

I'll admit I haven't tried it in a while, but can someone confirm that
it actually works?

Brian Coca

Mar 5, 2015, 12:04:18 PM
to ansible...@googlegroups.com
never mind, that was a PR that I was using but not accepted



--
Brian Coca