ansible-ssh-prompt-known-hosts-issue

zzimac
Published 2017/09/09 21:30
How can I suppress the prompt that SSH gives when it creates an ssh known_hosts entry for the first time for a given user (~/.ssh folder, file known_hosts)?


Solution 1

Ansible 1.2.1 and later have host key checking enabled by default.

If a host is reinstalled and has a different key in ‘known_hosts’, this will result in an error message until corrected. If a host is not initially in ‘known_hosts’ this will result in prompting for confirmation of the key, which results in an interactive experience if using Ansible, from say, cron. You might not want this.

If you understand the implications and wish to disable this behavior, you can do so by editing /etc/ansible/ansible.cfg or ~/.ansible.cfg:

[defaults]
host_key_checking = False

 Alternatively this can be set by an environment variable:

$ export ANSIBLE_HOST_KEY_CHECKING=False


Solution 2

Disabling host key checking entirely is a bad idea from a security perspective, since it opens you up to man-in-the-middle attacks.

If you can assume the current network isn't compromised (that is, when you ssh to the machine for the first time and are presented a key, that key is in fact of the machine and not an attacker's), then you can use ssh-keyscan and the shell module to add the new servers' keys to your known hosts file:

- name: accept new ssh fingerprints
  # append the scanned (hashed, -H) host keys of every new instance to the
  # current user's known_hosts file
  shell: ssh-keyscan -H {{ item.public_ip }} >> ~/.ssh/known_hosts
  # with_items takes a Jinja2 expression; the bare "ec2.instances" form is
  # deprecated/removed in current Ansible
  with_items: "{{ ec2.instances }}"


Solution 3

To update the local known_hosts file, I ended up using a combination of ssh-keyscan (with dig to resolve a hostname to an IP address) and the ansible module known_hosts as follows (filename ssh-known_hosts.yml):

- name: Store known hosts of 'all' the hosts in the inventory file
  hosts: localhost
  connection: local

  vars:
    ssh_known_hosts_command: "ssh-keyscan -T 10"
    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
    ssh_known_hosts: "{{ groups['all'] }}"

  tasks:

  - name: For each host, scan for its ssh public key
    shell: "ssh-keyscan {{ item }},`dig +short {{ item }}`"
    with_items: "{{ ssh_known_hosts }}"
    register: ssh_known_host_results
    ignore_errors: yes

  - name: Add/update the public key in the '{{ ssh_known_hosts_file }}'
    known_hosts:
      name: "{{ item.item }}"
      key: "{{ item.stdout }}"
      path: "{{ ssh_known_hosts_file }}"
    with_items: "{{ ssh_known_host_results.results }}"

To execute such a yml, do

ANSIBLE_HOST_KEY_CHECKING=false ansible-playbook path/to/the/yml/above/ssh-known_hosts.yml

As a result, for each host in the inventory, keys for all supported algorithms are added/updated in the known_hosts file as a hostname,ipaddress pair record, such as:

atlanta1.my.com,10.0.5.2 ecdsa-sha2-nistp256 AAAAEjZHN ... NobYTIGgtbdv3K+w=
atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3NaC1y ... JTyWisGpFeRB+VTKQ7
atlanta1.my.com,10.0.5.2 ssh-ed25519 AAAAC3NaCZD ... UteryYr
denver8.my.com,10.2.13.3 ssh-rsa AAAAB3NFC2 ... 3tGDQDSfJD
...

(Provided the inventory file looks like:

[master]
atlanta1.my.com
atlanta2.my.com

[slave]
denver1.my.com
denver8.my.com

)

As opposed to Xiong's answer, this properly handles the content of the known_hosts file.

This play is especially helpful when using a virtualized environment where the target hosts get re-imaged (thus the ssh pub keys change).
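The point that separates Solution 3 from Solution 2 is replacing a host's stale keys rather than appending to the file forever, which matters when hosts get re-imaged. The POSIX shell function below is an added example, not code from the original question or answers: it takes the output of ssh-keyscan on stdin, drops the existing non-comment lines whose host field names the given host, and appends the fresh keys. The function names (merge_known_hosts, count_host_keys) and the sample key lines are my own, and the file is assumed to be in plain (unhashed) form; entries written with `ssh-keyscan -H` start with "|1|" and cannot be matched by hostname, so for a hashed file remove the old entries with `ssh-keygen -R HOST -f FILE` first.

```shell
#!/bin/sh
# Added example (not from the original answers): refresh the known_hosts entries
# for one host by replacing them, the way Solution 3 intends, using only sh and
# awk plus the output of ssh-keyscan.
#
# Usage:  ssh-keyscan atlanta1.my.com | merge_known_hosts ~/.ssh/known_hosts atlanta1.my.com
# Assumption: the file holds plain "hostname,ip key-type base64" lines, not
# entries hashed with -H ("|1|..."), which cannot be matched by hostname.

# merge_known_hosts FILE HOST   (new key lines are read from stdin)
merge_known_hosts() {
    kh="$1"; host="$2"
    tmp="$(mktemp)"
    [ -f "$kh" ] || : > "$kh"
    # Keep comments and blank lines; drop any key line whose first column (a
    # comma-separated list of hostname/ip) contains $host; keep all other hosts.
    awk -v h="$host" '
        /^[ \t]*#/ || NF == 0 { print; next }
        { n = split($1, hosts, ","); keep = 1
          for (i = 1; i <= n; i++) if (hosts[i] == h) keep = 0
          if (keep) print }
    ' "$kh" > "$tmp"
    # Append the freshly scanned keys, skipping ssh-keyscan's "# host:22 ..." comments.
    awk '!/^#/ && NF' >> "$tmp"
    mv "$tmp" "$kh"
}

# count_host_keys FILE HOST   -> prints the number of key lines recorded for HOST
count_host_keys() {
    awk -v h="$2" '
        !/^#/ && NF { n = split($1, hosts, ",")
                      for (i = 1; i <= n; i++) if (hosts[i] == h) { c++; break } }
        END { print c + 0 }
    ' "$1"
}

# Demo on constructed data: sh merge_known_hosts.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo_kh="$(mktemp)"
    # constructed "before" file: atlanta1 has an old RSA key from a previous image
    printf '%s\n' \
        'atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3OLDKEY' \
        'denver8.my.com,10.2.13.3 ssh-rsa AAAAB3NFC2' > "$demo_kh"
    # constructed ssh-keyscan output for the re-imaged atlanta1
    printf '%s\n' \
        '# atlanta1.my.com:22 SSH-2.0-OpenSSH_7.4' \
        'atlanta1.my.com,10.0.5.2 ssh-ed25519 AAAAC3NEWKEY' \
        'atlanta1.my.com,10.0.5.2 ssh-rsa AAAAB3NEWKEY' \
        | merge_known_hosts "$demo_kh" atlanta1.my.com
    cat "$demo_kh"
    rm -f "$demo_kh"
fi
```

Run it once per host in the inventory, or loop over `groups['all']` from a shell task the way the play above does; the old key for the host disappears instead of lingering beside the new one, which is exactly the state that produces the "host key has changed" error after a re-image.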


Solution 4

http://docs.ansible.com/ansible/latest/known_hosts_module.html

Synopsis

  • The known_hosts module lets you add or remove host keys from the known_hosts file.
  • Starting at Ansible 2.2, multiple entries per host are allowed, but only one for each key type supported by ssh. This is useful if you’re going to want to use the git module over ssh, for example.
  • If you have a very large number of host keys to manage, you will find the template module more useful.

This article is reposted from: https://stackoverflow.com/questions/30226113/ansible-ssh-prompt-known-hosts-issue
