
ansible-ssh-prompt-known-hosts-issue

Author: zzimac
Published 2017/09/09 21:30

How can I suppress the prompt that SSH gives when making an ssh known_hosts entry for the first time for a given user (~/.ssh folder, file known_hosts)?


Solution 1

Ansible 1.2.1 and later have host key checking enabled by default.

If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a host is not initially in ‘known_hosts’ this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.

If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:

[defaults]
host_key_checking = False

Alternatively this can be set by an environment variable:

$ export ANSIBLE_HOST_KEY_CHECKING=False


Solution 2

Disabling host key checking entirely is a bad idea from a security perspective, since it opens you up to man-in-the-middle attacks.

If you can assume the current network isn't compromised (that is, when you ssh to the machine for the first time and are presented a key, that key is in fact of the machine and not an attacker's), then you can use ssh-keyscan and the shell module to add the new servers' keys to your known hosts file:

- name: accept new ssh fingerprints
  # -H hashes the host names/addresses in the written entries
  shell: ssh-keyscan -H {{ item.public_ip }} >> ~/.ssh/known_hosts
  with_items: "{{ ec2.instances }}"


Solution 3

To update the local known_hosts file, I ended up using a combination of ssh-keyscan (with dig to resolve a hostname to an IP address) and the ansible module known_hosts, as follows (filename ssh-known_hosts.yml):

- name: Store known hosts of 'all' the hosts in the inventory file
  hosts: localhost
  connection: local

  vars:
    ssh_known_hosts_command: "ssh-keyscan -T 10"
    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
    ssh_known_hosts: "{{ groups['all'] }}"

  tasks:

  - name: For each host, scan for its ssh public key
    # use the configured scanner command (with its timeout); scan the host by name and by resolved IP
    shell: "{{ ssh_known_hosts_command }} {{ item }},`dig +short {{ item }}`"
    with_items: "{{ ssh_known_hosts }}"
    register: ssh_known_host_results
    ignore_errors: yes

  - name: Add/update the public key in the '{{ ssh_known_hosts_file }}'
    known_hosts:
      name: "{{ item.item }}"
      key: "{{ item.stdout }}"
      path: "{{ ssh_known_hosts_file }}"
    with_items: "{{ ssh_known_host_results.results }}"

To execute this yml, run:

ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook path/to/the/yml/above/ssh-known_hosts.yml

As a result, for each host in the inventory, keys for all supported algorithms will be added/updated in the known_hosts file under a hostname,ipaddress pair record, such as

atlanta1.my.com,10.0.5.2 ecdsa-sha2-nistp256 AAAAEjZHN ... NobYTIGgtbdv3K+w=
atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3NaC1y ... JTyWisGpFeRB+VTKQ7
atlanta1.my.com,10.0.5.2 ssh-ed25519 AAAAC3NaCZD ... UteryYr
denver8.my.com,10.2.13.3 ssh-rsa AAAAB3NFC2 ... 3tGDQDSfJD
...

(Provided the inventory file looks like:

[master]
atlanta1.my.com
atlanta2.my.com

[slave]
denver1.my.com
denver8.my.com

)

As opposed to Xiong's answer, this properly handles the content of the known_hosts file.

This play is especially helpful when using a virtualized environment where the target hosts get re-imaged (and thus the ssh public keys change).
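To make the difference between Solution 2 (blind `>>` append) and Solution 3 (add/update per host and key type) concrete, here is an added example in plain Python that is not from the original answers and not Ansible's own known_hosts module code. It parses known_hosts / ssh-keyscan lines, shows that appending leaves a stale key trusted after a host is re-imaged, and implements the replace-per-(host, key type) merge. The file contents and key strings are constructed samples, not real keys.

```python
"""Merge ssh-keyscan output into a known_hosts file, one key per (hosts, key type).

Added example (not the answers' code): reimplements the add/update behaviour
that the known_hosts module gives Solution 3, beside the blind append of
Solution 2. All key material below is constructed and not real.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: current file holds a stale RSA key for atlanta1 (re-imaged).
EXISTING_KNOWN_HOSTS = """\
# managed entries
atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3OLDKEY
denver8.my.com,10.2.13.3 ssh-rsa AAAAB3NFC2DENVER
"""

# Constructed sample: stdout of `ssh-keyscan atlanta1.my.com,10.0.5.2`.
KEYSCAN_OUTPUT = """\
atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3NEWKEY
atlanta1.my.com,10.0.5.2 ssh-ed25519 AAAAC3NEWED25519
"""

HostKey = Tuple[str, str]  # (hosts field, key type)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (hosts, keytype, key) for a plain key line.

    Blank lines, comments and marker lines (@cert-authority, @revoked) return
    None so callers can pass them through untouched.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("@"):
        return None
    fields = stripped.split()
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    return fields[0], fields[1], fields[2]


def append_blindly(existing: str, keyscan: str) -> str:
    """What `ssh-keyscan ... >> ~/.ssh/known_hosts` does (Solution 2)."""
    return existing + keyscan


def stale_keys(text: str) -> Dict[HostKey, List[str]]:
    """(hosts, keytype) pairs that carry more than one distinct key.

    ssh accepts any listed key for a host, so a leftover key from a re-imaged
    host stays trusted until it is removed.
    """
    keys: Dict[HostKey, List[str]] = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hosts, keytype, key = parsed
            bucket = keys.setdefault((hosts, keytype), [])
            if key not in bucket:
                bucket.append(key)
    return {k: v for k, v in keys.items() if len(v) > 1}


def merge_known_hosts(existing: str, keyscan: str) -> str:
    """Add/update: replace the key for a matching (hosts, keytype), append new
    pairs, keep comments and marker lines, drop duplicate stale lines."""
    scanned: Dict[HostKey, str] = {}
    for line in keyscan.splitlines():
        parsed = parse_line(line)
        if parsed:
            hosts, keytype, key = parsed
            scanned[(hosts, keytype)] = key

    out: List[str] = []
    written: Set[HostKey] = set()
    for line in existing.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            out.append(line)  # comment, blank or marker line: pass through
            continue
        hosts, keytype, _ = parsed
        pair = (hosts, keytype)
        if pair not in scanned:
            out.append(line)  # host not scanned this run: keep as-is
        elif pair not in written:
            out.append(f"{hosts} {keytype} {scanned[pair]}")  # replace stale key
            written.add(pair)
        # else: a second stale line for the same pair is dropped
    for pair, key in scanned.items():
        if pair not in written:
            out.append(f"{pair[0]} {pair[1]} {key}")  # brand-new host/key type
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("stale after blind append:", stale_keys(append_blindly(EXISTING_KNOWN_HOSTS, KEYSCAN_OUTPUT)))
    print(merge_known_hosts(EXISTING_KNOWN_HOSTS, KEYSCAN_OUTPUT))
```

Running `stale_keys` over a real known_hosts file is a cheap audit for hosts that were re-imaged and then appended to rather than replaced; the merge keeps the first matching line's position so the file stays readable when it is diffed.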


Solution 4

http://docs.ansible.com/ansible/latest/known_hosts_module.html

Synopsis

  • The known_hosts module lets you add or remove host keys from the known_hosts file.
  • Starting at Ansible 2.2, multiple entries per host are allowed, but only one for each key type supported by ssh. This is useful if you’re going to want to use the git module over ssh, for example.
  • If you have a very large number of host keys to manage, you will find the template module more useful.

This article is reposted from: https://stackoverflow.com/questions/30226113/ansible-ssh-prompt-known-hosts-issue
