how to add ssh host-keys for lots of new cloud hosts?
34 views
Skip to first unread message
Mark Zhitomirski
Nov 22, 2018, 6:22:42 AM11/22/18
to Ansible Project
Traditional approach is to leave it to a human operator and warn him of a new host key.
This way is a no-go for automation and testing, a workaround is to disable host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
It seems to me that a better way would be to auto-add host-key if this is a wholly new host (and maybe check for key uniqueness).
My understanding is that this is a job for a certain Ansible plugin, cause host-key handling is not dependent on specific cloud/provisioning module (digital_ocean_droplet in my case)
So far I couldn't find any plugin of this sort and kindly ask for pointers.
Regards,
MZ
James Cassell
Nov 24, 2018, 12:30:54 AM11/24/18
to Ansible List
Set ansible_ssh_extra_args="-o StrictHostKeyChecking=no"
V/r,
James Cassell
> --
> You received this message because you are subscribed to the Google
> Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/4adc8c21-d5ed-46d9-9f46-57bdfa77c723%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
V/r,
James Cassell
> You received this message because you are subscribed to the Google
> Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/4adc8c21-d5ed-46d9-9f46-57bdfa77c723%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Kai Stian Olstad
Nov 24, 2018, 4:25:13 AM11/24/18
to ansible...@googlegroups.com
On Thursday, 22 November 2018 12:22:42 CET Mark Zhitomirski wrote:
> Traditional approach is to leave it to a human operator and warn him of a
> new host key.
> This way is a no-go for automation and testing, a workaround is to disable
> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> like here:
> https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
>
> It seems to me that a better way would be to auto-add host-key if this is a
> wholly new host (and maybe check for key uniqueness).
Auto add host for only new host is
> Traditional approach is to leave it to a human operator and warn him of a
> new host key.
> This way is a no-go for automation and testing, a workaround is to disable
> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> like here:
> https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
>
> It seems to me that a better way would be to auto-add host-key if this is a
> wholly new host (and maybe check for key uniqueness).
StrictHostKeyChecking=accept-new
> My understanding is that this is a job for a certain Ansible plugin, cause
> host-key handling is not dependent on specific cloud/provisioning module
> (digital_ocean_droplet in my case)
> So far I couldn't find any plugin of this sort and kindly ask for pointers.
To do this in a secure manner you need to inject a know or a sign ssh host key in the instance at creation time.
--
Kai Stian Olstad
Mark Zhitomirski
Nov 25, 2018, 7:45:20 AM11/25/18
to ansible...@googlegroups.com
On Sat, Nov 24, 2018 at 12:25 PM Kai Stian Olstad <ansible-pr...@olstad.com> wrote:
On Thursday, 22 November 2018 12:22:42 CET Mark Zhitomirski wrote:
> Traditional approach is to leave it to a human operator and warn him of a
> new host key.
> This way is a no-go for automation and testing, a workaround is to disable
> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> like here:
> https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
>
> It seems to me that a better way would be to auto-add host-key if this is a
> wholly new host (and maybe check for key uniqueness).
Auto add host for only new host is
StrictHostKeyChecking=accept-new
That's interesting, I'll check that.
> My understanding is that this is a job for a certain Ansible plugin, cause
> host-key handling is not dependent on specific cloud/provisioning module
> (digital_ocean_droplet in my case)
> So far I couldn't find any plugin of this sort and kindly ask for pointers.
Ansible i relying on ssh and doesn't handle this for the Ansible controller since it have no way of knowing if the host key is valid or not.
To do this in a secure manner you need to inject a know or a sign ssh host key in the instance at creation time.
I do not pursuit 100% control of host-key, there's little point to do so for a public cloud host instance.
Basic sanity check is OK for me and for majority of cloud users I suppose.
Hope I'll find a way to it using your pointer.
Thanks Kai!
--
Kai Stian Olstad
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/17153902.pEk8bVcs9g%40x1.
For more options, visit https://groups.google.com/d/optout.
MZ
Mark Zhitomirski
Nov 26, 2018, 5:35:30 AM11/26/18
to ansible...@googlegroups.com
On Sat, Nov 24, 2018 at 12:25 PM Kai Stian Olstad <ansible-pr...@olstad.com> wrote:
On Thursday, 22 November 2018 12:22:42 CET Mark Zhitomirski wrote:
> Traditional approach is to leave it to a human operator and warn him of a
> new host key.
> This way is a no-go for automation and testing, a workaround is to disable
> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> like here:
> https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
>
> It seems to me that a better way would be to auto-add host-key if this is a
> wholly new host (and maybe check for key uniqueness).
Auto add host for only new host is
StrictHostKeyChecking=accept-new
this looks like an option for those having OpenSSH >= 7.6 (released 2017-10-03)
Ubuntu 18.04 and up have it, Ubuntu 16.04, Centos and many others are not so lucky (
> My understanding is that this is a job for a certain Ansible plugin, cause
> host-key handling is not dependent on specific cloud/provisioning module
> (digital_ocean_droplet in my case)
> So far I couldn't find any plugin of this sort and kindly ask for pointers.
Ansible i relying on ssh and doesn't handle this for the Ansible controller since it have no way of knowing if the host key is valid or not.
To do this in a secure manner you need to inject a know or a sign ssh host key in the instance at creation time.
--
Kai Stian Olstad
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/17153902.pEk8bVcs9g%40x1.
For more options, visit https://groups.google.com/d/optout.
MZ
Reply all
Reply to author
Forward
0 new messages