'Unknown host key error' only happens when running a playbook

Mauricio Tavares

Aug 22, 2019, 9:46:42 AM
to ansible...@googlegroups.com
So I want to reach out to my router. I first try

raub@desktop:~/dev/ansible$ ssh jan...@uranus.example.com
janitor@uranus.example.com's password:

which is expected since I have ssh'd into the router quite many times
from this computer. i.e. by now it knows uranus quite well. Just to be
paranoid, let's try port 830 as this is a Juniper router:

raub@desktop:~/dev/ansible$ ssh -p 830 jan...@uranus.mgmt.kushana.com
jan...@uranus.mgmt.kushana.com's password:

So far so good. Then I run a quick ansible test:

raub@desktop:~/dev/ansible$ ansible-playbook -vvv network.yml --limit uranus
[...]
ok: [uranus] => {
"changed": false,
"elapsed": 0,
"invocation": {
"module_args": {
"active_connection_states": [
"ESTABLISHED",
"FIN_WAIT1",
"FIN_WAIT2",
"SYN_RECV",
"SYN_SENT",
"TIME_WAIT"
],
"connect_timeout": 5,
"delay": 0,
"exclude_hosts": null,
"host": "uranus.example.com",
"msg": null,
"path": null,
"port": 830,
"search_regex": null,
"sleep": 1,
"state": "started",
"timeout": 300
}
},
"match_groupdict": {},
"match_groups": [],
"path": null,
"port": 830,
"search_regex": null,
"state": "started"
}

TASK [network : Get facts about "uranus"]
****************************************
task path: /home/raub/dev/ansible/roles/network/tasks/juniper.yml:9
<uranus> using connection plugin netconf (was local)
<uranus> ESTABLISH NETCONF SSH CONNECTION FOR USER: janitor on PORT
830 TO uranus
The full traceback is:
Traceback (most recent call last):
File "/usr/bin/ansible-connection", line 104, in start
self.connection._connect()
File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/netconf.py",
line 327, in _connect
raise AnsibleConnectionFailure(to_native(exc))
AnsibleConnectionFailure: Unknown host key
[4e:a5:b7:0f:cf:a7:45:1b:e0:0a:d8:96:63:d9:6c:fc] for [uranus]

fatal: [uranus]: FAILED! => {
"msg": "Unknown host key
[4e:a5:b7:0f:cf:a7:45:1b:e0:0a:d8:96:63:d9:6c:fc] for [uranus]"
}

PLAY RECAP ***********************************************************************
uranus : ok=3 changed=0 unreachable=0
failed=1 skipped=0 rescued=0 ignored=0

I would expect an "Unknown host key" error to mean it has never
connected to the router. Does that mean it is not using the
~/.ssh/known_hosts file?

Zolvaring

Aug 22, 2019, 3:31:44 PM
to Ansible Project
I don't know why the Ansible playbook would respond differently to the host key unless it's not running as the same user that you ssh with, so someone else will hopefully answer that, but what I can suggest, if you're willing to forgo host key checking, is that you can run the play with 'export ANSIBLE_HOST_KEY_CHECKING=False'; there is also an option for this you can set in the configuration file. Obviously you can also try ssh-keyscan and see if the host keys are different from your known hosts file, but the env var will skip that check altogether (obvious security implications).
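
Added example, not part of the thread and not Ansible's own code: a small checker for the comparison suggested above, reporting which host names and ports a known_hosts file actually has entries for (plain, `[host]:port`, and hashed) and printing stored keys as the colon-separated MD5 fingerprint the error message uses. The sample file content and key blob are constructed; that the netconf plugin looks up the name shown in the error (`uranus`) is an assumption the thread does not confirm.

```python
import base64
import hashlib
import hmac

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the key blob, the format shown in the error."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def host_matches(pattern, name):
    """Compare one host field entry, plain or hashed (|1|salt|hmac-sha1)."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), name.encode(), hashlib.sha1)
        return hmac.compare_digest(mac.digest(), base64.b64decode(digest))
    return pattern == name  # wildcard and negated patterns are not handled

def lookup(known_hosts_text, host, port=22):
    """Return [(key type, MD5 fingerprint)] stored for host on port."""
    # OpenSSH stores non-default ports as "[host]:port".
    name = host if port == 22 else "[%s]:%d" % (host, port)
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked marker lines.
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if any(host_matches(p, name) for p in fields[0].split(",")):
            found.append((fields[1], md5_fingerprint(fields[2])))
    return found

def _hashed(name, salt=b"constructed-salt-20b"):
    """Build a HashKnownHosts-style host field for the sample data."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

# Constructed sample: the key blob is arbitrary bytes, not a real host key.
KEY = base64.b64encode(b"constructed key blob for uranus").decode()
SAMPLE = "\n".join([
    "uranus.example.com ssh-rsa " + KEY,
    _hashed("[uranus.example.com]:830") + " ssh-rsa " + KEY,
])

if __name__ == "__main__":
    for host, port in [("uranus.example.com", 22),
                       ("uranus.example.com", 830), ("uranus", 830)]:
        print(host, port, lookup(SAMPLE, host, port) or "no entry")
```

Compare the printed fingerprint with the one in the `Unknown host key [...]` message; a missing entry for the exact name and port being connected to is fixed by adding a verified entry for that name, which keeps host key checking on.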

Mauricio Tavares

Aug 22, 2019, 3:35:57 PM
to ansible...@googlegroups.com
On Thu, Aug 22, 2019 at 3:31 PM Zolvaring <zolv...@gmail.com> wrote:
>
> I don't know why the Ansible playbook would respond differently to the host key unless it's not running as the same user that you ssh with, so someone else will hopefully answer that but what I can suggest if you're willing to forego host key checking you can run the play with 'export ANSIBLE_HOST_KEY_CHECKING=False', there is also an option for this you can set in the configuration file. Obviously you can also try ssh-keyscan and see if the host keys are different from your known hosts file, but the env var will skip that check altogether (obvious security implications)
>
What I have been doing for now is running it as

ANSIBLE_HOST_KEY_CHECKING=False ansible-playbook -vvv network.yml --limit uranus

which is still not what I want to do but it is slightly better than
just exporting the variable for all to fondle.


Wawrzek Niewodniczanski

Aug 23, 2019, 3:36:02 AM
to ansible...@googlegroups.com
On Thu, 22 Aug 2019 at 20:35, Mauricio Tavares <raub...@gmail.com> wrote:
>
> On Thu, Aug 22, 2019 at 3:31 PM Zolvaring <zolv...@gmail.com> wrote:
> >
> > I don't know why the Ansible playbook would respond differently to the host key unless it's not running as the same user that you ssh with,
[...]

Anything special (any user definition) in hosts file and/or playbook?
Maybe, it is related to netconf
(https://docs.ansible.com/ansible/latest/plugins/connection/netconf.html)?

Wawrzek

--
Dr Wawrzyniec Niewodniczański or Wawrzek for short
PhD in Quantum Chemistry & MSc in Molecular Engineering
WWW: http://wawrzek.name E-MAIL: jo...@wawrzek.name
Linux User #177124