文档章节

ansible-ssh-prompt-known-hosts-issue

z
 zzimac
发布于 2017/09/09 21:30
字数 534
阅读 28
收藏 0

How can I suppress the prompt what SSH gives while making ssh known_hosts entry for the first time for a given user (~/.ssh folder, file known_hosts)?

 

Solution 1

Ansible 1.2.1 and later have host key checking enabled by default.

If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a host is not initially in ‘known_hosts’ this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.

If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:

[defaults]
host_key_checking = False

 Alternatively this can be set by an environment variable:

$ export ANSIBLE_HOST_KEY_CHECKING=False

 

Solution 2

Disabling host key checking entirely is a bad idea from a security perspective, since it opens you up to man-in-the-middle attacks.

If you can assume the current network isn't compromised (that is, when you ssh to the machine for the first time and are presented a key, that key is in fact of the machine and not an attacker's), then you can use ssh-keyscan and the shell module to add the new servers' keys to your known hosts file:

- name: accept new ssh fingerprints
  shell: ssh-keyscan -H {{ item.public_ip }} >> ~/.ssh/known_hosts
  with_items: ec2.instances

 

Solution 3

To update local known_hosts file, I ended up using a combination of ssh-keyscan (with dig to resolve a hostname to IP address) and ansible module known_hosts as follows: (filename ssh-known_hosts.yml)

- name: Store known hosts of 'all' the hosts in the inventory file
  hosts: localhost
  connection: local

  vars:
    ssh_known_hosts_command: "ssh-keyscan -T 10"
    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
    ssh_known_hosts: "{{ groups['all'] }}"

  tasks:

  - name: For each host, scan for its ssh public key
    shell: "ssh-keyscan {{ item }},`dig +short {{ item }}`"
    with_items: "{{ ssh_known_hosts }}"
    register: ssh_known_host_results
    ignore_errors: yes

  - name: Add/update the public key in the '{{ ssh_known_hosts_file }}'
    known_hosts:
      name: "{{ item.item }}"
      key: "{{ item.stdout }}"
      path: "{{ ssh_known_hosts_file }}"
    with_items: "{{ ssh_known_host_results.results }}"

To execute such yml, do

ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook path/to/the/yml/above/ssh-known_hosts.yml

As a result, for each host in the inventory, all supported algorithms will be added/updated in the known_hosts file under hostname,ipaddress pair record; such as

atlanta1.my.com,10.0.5.2 ecdsa-sha2-nistp256 AAAAEjZHN ... NobYTIGgtbdv3K+w=
atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3NaC1y ... JTyWisGpFeRB+VTKQ7
atlanta1.my.com,10.0.5.2 ssh-ed25519 AAAAC3NaCZD ... UteryYr
denver8.my.com,10.2.13.3 ssh-rsa AAAAB3NFC2 ... 3tGDQDSfJD
...

(Provided the inventory file looks like:

[master]
atlanta1.my.com
atlanta2.my.com

[slave]
denver1.my.com
denver8.my.com

)

As opposed to the Xiong's answer, this would properly handle the content of the known_hosts file.

This play is especially helpful if using virtualized environment where the target hosts get re-imaged (thus the ssh pub keys get changed).

 

Solution 4

http://docs.ansible.com/ansible/latest/known_hosts_module.html

Synopsis

  • The known_hosts module lets you add or remove a host keys from the known_hosts file.
  • Starting at Ansible 2.2, multiple entries per host are allowed, but only one for each key type supported by ssh. This is useful if you’re going to want to use the git module over ssh, for example.
  • If you have a very large number of host keys to manage, you will find the template module more useful.

本文转载自:https://stackoverflow.com/questions/30226113/ansible-ssh-prompt-known-hosts-issue

共有 人打赏支持
z
粉丝 3
博文 73
码字总数 14301
作品 0
武汉
ansible不配ssh连接,用户密码登录

ansible 不配ssh免密链接,直接用ssh用户密码连接,要先装sshpass。 sshpass下载地址:http://sourceforge.net/projects/sshpass/ 运行下列命令安装: 安装完成后输入sshpass出现如下提示即安...

庆沉
02/23
0
0
ansible首次ssh报错

在使用ansible时,遇到下面的报错 原因是此主机之前没有ssh连接过,在本机的~/.ssh/knownhosts文件中没有fingerprint key串,ssh第一次连接的时候一般会提示输入yes 进行确认为将key字符串加...

金琥
2017/09/17
0
0
ansible不配置ssh免密钥,使用密码登录

参考文档: https://my.oschina.net/u/1433006/blog/1622893 1.安装sshpass 运行下列命令安装: 安装完成后输入sshpass出现如下提示即安装成功 #sshpass /etc/ansible/hosts文件中添加用户密码...

wjw555
07/18
0
0
Ansible 1.9.0 发布,计算机系统配置管理

Ansible 1.9.0 发布,引入了一些新的功能和模块,如 PBRun 认证支持,能够更快的加载 YAML。 具体更新内容如下: Improved ssh connection error reporting, now you get back the specific...

oschina
2015/04/07
1K
3
ansible免手工输入yes和快速部署公钥

新搭的机器,达到百以上级别的机器,怎么实现批量化管理呢?第一步当然快速部署公钥,实现免密码登陆 演示一下比较烦的情况: ssh 127.0.0.1得输入yes,然后再输入密码才能登录 cat .ssh/kno...

会说话的鱼
06/28
0
0

没有更多内容

加载失败,请刷新页面

加载更多

兄弟连区块链入门教程eth源码分析core-vm源码分析(二)

  兄弟连区块链入门教程eth源码分析core-vm源码分析(二),合约创建 Create 会创建一个新的合约。        // Create creates a new contract using code as deployment cod...

兄弟连区块链入门教程
16分钟前
3
0
python打造特别火的一个小游戏,16行代码实现3D撞球小游戏!

以下是制作上面炫酷动画所需的全部代码: 我们需要三组刚体(当您在Blender的对象上打开一个刚体的属性时,Blender将模拟与其它刚体的碰撞): 1.平面 第2行代码创建了一个简单的平面,立方体...

糖宝lsh
18分钟前
1
0
SQL语言分类

SQL(Structure Query Language)语言是数据库的核心语言。 SQL语言共分为四大类: 数据定义语言DDL,数据操纵语言DML,数据查询语言DQL,数据控制语言DCL。 数据定义语言DDL 数据定义语言DDL...

阿dai
21分钟前
1
0
UICollectionView的headerView、footerView使用以及与UITableView加载headerView、footerView的区别

前序 最近在一家公司实习,学习一些ios的知识。因为以前没有使用过UICollectionView,所以带我的导师让我仿照公司APP中的一个UICollectionView自己做一个练练手。期间遇到了一些问题:我们知...

壹峰
23分钟前
2
0
IMP-00017: following statement failed with ORACLE error 20005:

/*报错信息Export file created by EXPORT:V11.02.00 via conventional pathimport done in AL32UTF8 character set and AL16UTF16 NCHAR character setexport client uses ZHS16GBK char......

fengzhi714
26分钟前
1
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部