
ansible-ssh-prompt-known-hosts-issue

zzimac
Published on 2017/09/09 21:30

How can I suppress the prompt that SSH gives when making an ssh known_hosts entry for the first time for a given user (~/.ssh folder, file known_hosts)?

 

Solution 1

Ansible 1.2.1 and later have host key checking enabled by default.

If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a host is not initially in ‘known_hosts’ this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.

If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:

[defaults]
host_key_checking = False

Alternatively this can be set by an environment variable:

$ export ANSIBLE_HOST_KEY_CHECKING=False

 

Solution 2

Disabling host key checking entirely is a bad idea from a security perspective, since it opens you up to man-in-the-middle attacks.

If you can assume the current network isn't compromised (that is, when you ssh to the machine for the first time and are presented with a key, that key is in fact the machine's and not an attacker's), then you can use ssh-keyscan and the shell module to add the new servers' keys to your known hosts file:

- name: accept new ssh fingerprints
  # Append every key type the host offers, with the host name hashed (-H), to the current user's known_hosts
  shell: ssh-keyscan -H {{ item.public_ip }} >> ~/.ssh/known_hosts
  with_items: "{{ ec2.instances }}"

 

Solution 3

To update the local known_hosts file, I ended up using a combination of ssh-keyscan (with dig to resolve a hostname to an IP address) and the Ansible known_hosts module as follows (filename ssh-known_hosts.yml):

- name: Store known hosts of 'all' the hosts in the inventory file
  hosts: localhost
  connection: local

  vars:
    ssh_known_hosts_command: "ssh-keyscan -T 10"
    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
    ssh_known_hosts: "{{ groups['all'] }}"

  tasks:

  - name: For each host, scan for its ssh public key
    shell: "ssh-keyscan {{ item }},`dig +short {{ item }}`"
    with_items: "{{ ssh_known_hosts }}"
    register: ssh_known_host_results
    ignore_errors: yes

  - name: Add/update the public key in the '{{ ssh_known_hosts_file }}'
    known_hosts:
      name: "{{ item.item }}"
      key: "{{ item.stdout }}"
      path: "{{ ssh_known_hosts_file }}"
    with_items: "{{ ssh_known_host_results.results }}"

To execute this playbook, run:

ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook path/to/the/yml/above/ssh-known_hosts.yml

As a result, for each host in the inventory, all supported algorithms will be added or updated in the known_hosts file under a hostname,ipaddress pair record, such as:

atlanta1.my.com,10.0.5.2 ecdsa-sha2-nistp256 AAAAEjZHN ... NobYTIGgtbdv3K+w=
atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3NaC1y ... JTyWisGpFeRB+VTKQ7
atlanta1.my.com,10.0.5.2 ssh-ed25519 AAAAC3NaCZD ... UteryYr
denver8.my.com,10.2.13.3 ssh-rsa AAAAB3NFC2 ... 3tGDQDSfJD
...

(Provided the inventory file looks like:

[master]
atlanta1.my.com
atlanta2.my.com

[slave]
denver1.my.com
denver8.my.com

)

As opposed to Xiong's answer, this properly handles the content of the known_hosts file.

This play is especially helpful if using a virtualized environment where the target hosts get re-imaged (and thus their ssh public keys change).

 

Solution 4

http://docs.ansible.com/ansible/latest/known_hosts_module.html

Synopsis

  • The known_hosts module lets you add or remove host keys from the known_hosts file.
  • Starting at Ansible 2.2, multiple entries per host are allowed, but only one for each key type supported by ssh. This is useful if you’re going to want to use the git module over ssh, for example.
  • If you have a very large number of host keys to manage, you will find the template module more useful.
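An added example, not from the original answers or from Ansible itself: a small Python merge that does what Solution 3's known_hosts module does and Solution 2's `>>` append does not (replace the stale entry for the same host field and key type, keeping one entry per key type as Solution 4 notes), and additionally refuses any scanned key whose SHA256 fingerprint is not on a list obtained out of band. The host names, key blobs and the fingerprint allow-list below are constructed for the demo.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint (as printed by `ssh-keygen -lf`) of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keyscan(text):
    """Parse 'hostfield keytype base64' lines (the format shared by ssh-keyscan output
    and known_hosts) into {(hostfield, keytype): base64}. Comment lines are skipped.
    Assumes no '@cert-authority' / '@revoked' marker lines are present."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        entries[(fields[0], fields[1])] = fields[2]
    return entries

def merge_known_hosts(existing, scanned, expected=None):
    """Return new known_hosts text. A scanned key replaces the entry with the same host
    field and key type (a plain '>>' append would leave the stale one in place). If
    `expected` maps host field -> set of out-of-band fingerprints, unlisted keys are refused."""
    merged = parse_keyscan(existing)
    for (hosts, keytype), key_b64 in parse_keyscan(scanned).items():
        if expected is not None and fingerprint(key_b64) not in expected.get(hosts, set()):
            raise ValueError("unexpected %s key for %s: %s" % (keytype, hosts, fingerprint(key_b64)))
        merged[(hosts, keytype)] = key_b64
    return "".join("%s %s %s\n" % (h, t, k) for (h, t), k in merged.items())

def fake_key(keytype, seed):
    """Constructed demo key blob in OpenSSH wire layout (length-prefixed type + filler);
    it is not a real key and exists only so the sample runs offline."""
    body = hashlib.sha256(bytes([seed])).digest()
    blob = struct.pack(">I", len(keytype)) + keytype.encode() + struct.pack(">I", len(body)) + body
    return base64.b64encode(blob).decode()

# Constructed sample: the host was re-imaged, so the scan returns a new ed25519 key.
HOST = "atlanta1.my.com,10.0.5.2"
OLD_KEY = fake_key("ssh-ed25519", 1)
NEW_KEY = fake_key("ssh-ed25519", 2)
EXISTING = "%s ssh-ed25519 %s\n" % (HOST, OLD_KEY)
SCANNED = "# atlanta1.my.com:22 SSH-2.0-OpenSSH_7.4\n%s ssh-ed25519 %s\n" % (HOST, NEW_KEY)

if __name__ == "__main__":
    print(merge_known_hosts(EXISTING, SCANNED), end="")  # stale entry replaced, no duplicate
    print(merge_known_hosts(EXISTING, SCANNED, {HOST: {fingerprint(NEW_KEY)}}), end="")
```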

This article is reposted from: https://stackoverflow.com/questions/30226113/ansible-ssh-prompt-known-hosts-issue
