Various folks did not like the fact that we disabled strict SSH host key checking to more easily enable reprovisioning related use cases. Their concerns are valid, and we should have a way to control this behavior.
In the latest 1.3, strict checking is now on by default for both paramiko and SSH connection types.
Should you wish to disable this, you can, by either:

    export ANSIBLE_HOST_KEY_CHECKING=False

or in the config file:

    [defaults]
    host_key_checking=False

I plan to cherry-pick this commit to 1.2 and cut a 1.2.1 containing only this change, providing this works for everyone.
I have just pushed some additional code so that paramiko in checking mode will ask whether or not to add the host key to known hosts.
This behavior now corresponds with what you get with OpenSSH, and the message is very similar.
If folks would like to help test (as I’ve also asked IRC) that would be nice, and I hope to cut a 1.2.1 release with just this change tonight.
Feedback welcome.
Just pushed a few more updates related to file closure warnings on Ubuntu.
Please help test, especially the paramiko mode with checking enabled.
Thanks!
It would be really nice if it would be possible to control this on the group_var or host_var level, too. So, for instance, for dev environments with vagrant one could just disable host key checking, but for production environments it would still work…
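
An added example (not part of the original thread and not Ansible's own code): a small audit script that resolves the two switches described in the first message, the ANSIBLE_HOST_KEY_CHECKING environment variable and host_key_checking under [defaults], and lists which environments end up with checking turned off. The precedence order (environment over config file), the accepted "true" spellings, and the sample target names are assumptions.

```python
import configparser

ENV_VAR = "ANSIBLE_HOST_KEY_CHECKING"
# Assumption: spellings accepted as "true"; any other value counts as disabled.
TRUTHY = {"1", "true", "t", "y", "yes", "on"}


def effective_host_key_checking(env, cfg_text=None):
    """Return (enabled, source) for one environment + config file pair.

    Assumed precedence: environment variable, then [defaults] in the
    config file, then the default (on, as stated for 1.3).
    """
    if ENV_VAR in env:
        return env[ENV_VAR].strip().lower() in TRUTHY, "env:" + ENV_VAR
    if cfg_text:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        if parser.has_option("defaults", "host_key_checking"):
            raw = parser.get("defaults", "host_key_checking")
            return raw.strip().lower() in TRUTHY, "config:[defaults]"
    return True, "default"


def audit(targets):
    """targets: {name: (env, cfg_text)} -> sorted names with checking off."""
    return sorted(
        name for name, (env, cfg) in targets.items()
        if not effective_host_key_checking(env, cfg)[0]
    )


# Constructed sample inputs, not taken from a real deployment.
SAMPLE_TARGETS = {
    "vagrant-dev": ({}, "[defaults]\nhost_key_checking=False\n"),
    "ci-runner": ({ENV_VAR: "False"}, "[defaults]\nhost_key_checking=True\n"),
    "production": ({}, "[defaults]\nforks=10\n"),
}

if __name__ == "__main__":
    for name, (env, cfg) in SAMPLE_TARGETS.items():
        enabled, source = effective_host_key_checking(env, cfg)
        print(f"{name}: host key checking {'on' if enabled else 'OFF'} ({source})")
    print("disabled in:", audit(SAMPLE_TARGETS))
```

Running the audit in CI against each environment's config makes a dev-only override visible before it reaches a production control host.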