How to manage ssh known hosts


David Reagan

Aug 15, 2013, 2:29:03 PM8/15/13
to ansible...@googlegroups.com
When I ssh into a server for the first time, ssh always asks me if the ECDSA key fingerprint is correct. When I say yes, it adds that to my ~/.ssh/known_hosts file. 

I'd like to use ansible to create a known_hosts file that accurately represents all my servers. Then I can set that in /etc/ssh/ssh_known_hosts, and safely tell my servers to ignore each user's individual known_hosts file. That will let me run ssh operations between my servers without having to accept an ECDSA fingerprint every time I log into a new server. And, I won't have to turn off StrictHostKeyChecking.

I could delete my current known_hosts file, then ssh into each server one at a time to build an accurate known_hosts file. But that's rather time consuming, and keeping it accurate would be painful.

So, how can I do that with ansible?


Currently I'm researching how fingerprinting actually works in an effort to figure everything out on my own. Any answers to these questions would be greatly appreciated.

How does ssh generate the fingerprint?

Why is the fingerprint shown to the user logging in of the form xx:xx:cc....:xx, but the line in the known_hosts file of a form similar to a public key?

Why does ssh ask to confirm the fingerprint again when you use a hostname instead of an ip address, after accepting the fingerprint for the ip address? Both fingerprints are the same.

host ⮀ ssh 192.168.88.4
The authenticity of host '192.168.88.4 (192.168.88.4)' can't be established.
ECDSA key fingerprint is 68:06:f9:4e:7a:c5:cf:1d:70:a2:6a:6f:12:eb:d4:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.88.4' (ECDSA) to the list of known hosts.
Connection closed by 192.168.88.4
host ⮀ ssh vm.beta.lab 
The authenticity of host 'vm.beta.lab (192.168.88.4)' can't be established.
ECDSA key fingerprint is 68:06:f9:4e:7a:c5:cf:1d:70:a2:6a:6f:12:eb:d4:55.
Are you sure you want to continue connecting (yes/no)? 
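To make the fingerprint questions above concrete, here is an added example (not from the thread) that re-implements the two pieces in Python: the fingerprint is a hash of the base64 key blob on the known_hosts line (MD5 in the old xx:xx form, SHA256 in newer OpenSSH), and the lookup is keyed on the host field string, so an entry saved under the IP does not cover the hostname unless both names appear in that field. The key blob, salt and host names are constructed samples.

```python
import base64, fnmatch, hashlib, hmac, struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

# Constructed sample: a fake ssh-ed25519 host key (32 bytes of 0x42), wrapped the way a
# real key is: string(key type) + string(raw key). Fingerprints hash exactly this blob.
FAKE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)
# What ssh wrote after answering 'yes' on the first connect: the host field is only the IP.
KNOWN_HOSTS = ["192.168.88.4 ssh-ed25519 " + base64.b64encode(FAKE_KEY_BLOB).decode()]

def fingerprint_md5(line: str) -> str:
    """Old xx:xx:...:xx form: MD5 of the base64-decoded key blob, hex pairs with colons."""
    digest = hashlib.md5(base64.b64decode(line.split()[2])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def fingerprint_sha256(line: str) -> str:
    """Newer OpenSSH form: SHA256 of the same blob, base64 with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(line.split()[2])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the '|1|salt|hmac' host field that 'HashKnownHosts yes' writes."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_field_matches(field: str, host: str) -> bool:
    """Match one host field (comma list, * and ? wildcards, '!' negation, or hashed).
    Matching is on the name/address string, never on the key itself."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pattern in field.split(","):
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False          # a negated match excludes the whole line
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched

def lookup(known_hosts, host: str):
    """Return the line whose host field covers `host`, or None (ssh would prompt)."""
    for line in known_hosts:
        if host_field_matches(line.split()[0], host):
            return line
    return None
```

A line written as `vm.beta.lab,192.168.88.4 ssh-ed25519 ...` covers both names with one key, which is the form to put in /etc/ssh/ssh_known_hosts.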



Michael W. Lucas

Aug 15, 2013, 2:38:03 PM8/15/13
to ansible...@googlegroups.com

If you trust your machines in their current state, there's
ssh-keyscan. No ansible needed.

ssh-keygen -lf /etc/ssh/ssh_host_X_key.pub will print the key
fingerprint on the local machine.

Run an ansible job for that command, write it to a file, pull that
file back to you, concatenate. (Although I'm sure there's a more
elegant way to do it.)

==ml



--
Michael W. Lucas - mwl...@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Absolute OpenBSD 2/e - http://www.nostarch.com/openbsd2e
coupon code "ILUVMICHAEL" gets you 30% off & helps me.

David Reagan

Aug 15, 2013, 2:56:39 PM8/15/13
to ansible...@googlegroups.com
When I ran ssh-keyscan on my little vagrant cluster, it returned public keys that don't look the same as what's in my known_hosts file. 

ssh-keyscan vm.master.lab vm.alpha.lab vm.beta.lab

Can I just copy that output into a known_hosts file and have it work?

Guess I just need to test it. :)

--David Reagan



Michael W. Lucas

Aug 15, 2013, 3:09:09 PM8/15/13
to ansible...@googlegroups.com

It should work. If it doesn't, it's an OpenSSH question... they have
their own mailing list. ;-)

Mind you, I would find a playbook that logged into a host, computed
the key fingerprint locally, and generated a known_hosts file from the
results, very nice. If anyone's looking for a project, this would be a
good one...

==ml


Jan-Piet Mens

Aug 16, 2013, 2:02:49 AM8/16/13
to ansible...@googlegroups.com
> Mind you, I would find a playbook that logged into a host, computer
> the key fingerprint locally, and generated a known_hosts file from the
> results, very nice. If anyone's looking for a project, this would be a
> good one...

You might be interested in [1]. A bit off-topic, because it's about
SSHFP in DNS and collecting those fingerprints (and avoiding the whole
known_hosts mess :-), but it may get you started on the right track ;-)

-JP

[1]: http://jpmens.net/2012/11/03/an-action-plugin-for-ansible-to-handle-ssh-host-keys/

David Reagan

Aug 16, 2013, 10:57:54 AM8/16/13
to ansible...@googlegroups.com
@Jan-Piet Mens That looks like a potential way to get the fingerprint via Ansible. I'll have to look into it a bit more than the brief skim I just did. Thanks!

Currently, I made a text file that lists all my nodes and their aliases. Then I used ssh-keyscan to find all the fingerprints. I'm probably going to add updating those files to my workflow when I add or delete a node. Kinda a hassle for it to be mandatory, but unless the article Jan-Piet linked to points out a better, automated way, I think it'll just have to do.

Thanks everyone for your help!

--David Reagan
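For the node-and-alias file workflow described above, an added example (not from the thread) in Python that turns ssh-keyscan output into ssh_known_hosts lines, folding an alias and its IP that presented the same key into one entry so both names are covered without a second prompt. The keyscan output and key blobs are constructed samples.

```python
import base64
import struct

def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def fake_key(seed: int) -> str:
    """Constructed ssh-ed25519 key blob (not a real key), base64 as keyscan prints it."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([seed]) * 32)
    return base64.b64encode(blob).decode()

# Constructed stdout of `ssh-keyscan vm.beta.lab 192.168.88.4 vm.alpha.lab`. keyscan
# prints one line per name you hand it, so an alias and its IP repeat the same key.
# It records whatever key the host presents, so it only vouches for the hosts as they
# are at scan time; a line a host never sent cannot appear here.
KEYSCAN_OUTPUT = "\n".join([
    "vm.beta.lab ssh-ed25519 " + fake_key(0x42),
    "# 192.168.88.4:22 SSH-2.0-OpenSSH_6.2",   # comment lines (keyscan sends these to stderr)
    "192.168.88.4 ssh-ed25519 " + fake_key(0x42),
    "vm.alpha.lab ssh-ed25519 " + fake_key(0x43),
])

def merge_keyscan(text: str) -> list:
    """Collapse keyscan lines carrying the same key into one known_hosts entry whose
    host field lists every name/address that presented it, in first-seen order."""
    by_key = {}   # (keytype, key) -> [hostnames]
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, key = line.split(None, 2)
        hosts = by_key.setdefault((keytype, key), [])
        if host not in hosts:
            hosts.append(host)
    return ["%s %s %s" % (",".join(hosts), kt, k) for (kt, k), hosts in by_key.items()]
```

Feeding every name from the node-and-alias list to ssh-keyscan and writing `merge_keyscan` output to /etc/ssh/ssh_known_hosts gives one line per host; re-running it after adding or removing a node is the update step.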


phil...@gmail.com

Aug 18, 2013, 10:19:15 AM8/18/13
to ansible...@googlegroups.com


On Friday, August 16, 2013 4:57:54 PM UTC+2, David Reagan wrote:
> @Jan-Piet Mens That looks like a potential way to get the fingerprint via Ansible. I'll have to look into it a bit more than the brief skim I just did. Thanks!

Another pretty way of doing it is using SSH certificates. This is a not very well known feature of OpenSSH that enables you to have all your ssh host keys signed. Once done, you only need one key to authenticate all your present and future servers without the need to maintain any kind of database:

Paul Lam

Oct 1, 2013, 9:42:35 AM10/1/13
to ansible...@googlegroups.com
Is there some config in the playbook that I can add to skip the key fingerprint check entirely so that it doesn't add to my known_hosts file? I'm using ansible with vagrant and don't want the transient vm keys added to my known_hosts. I tried `export ANSIBLE_HOST_KEY_CHECKING=False` but it is still asking me on first connect.

Michael DeHaan

Oct 1, 2013, 10:09:12 AM10/1/13
to ansible...@googlegroups.com
I don't know why it would be asking you but it might be a function of where you decided to do the export (i.e. before running vagrant, etc).

Works fine for me without vagrant anyway.




--
Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Paul Lam

Oct 1, 2013, 10:13:27 AM10/1/13
to ansible...@googlegroups.com
I was setting ansible.inventory_path in Vagrantfile. I removed that and set the playbook to use hosts = [hostname of vm box]; then it is not asking me anymore. Thanks for the quick reply.