Traditional approach is to leave it to a human operator and warn him of a new host key.
This way is a no-go for automation and testing; a workaround is to disable host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
like here: https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
It seems to me that a better way would be to auto-add the host-key if this is a wholly new host (and maybe check for key uniqueness).
My understanding is that this is a job for a certain Ansible plugin, cause host-key handling is not dependent on a specific cloud/provisioning module (digital_ocean_droplet in my case).
So far I couldn't find any plugin of this sort and kindly ask for pointers.
> Traditional approach is to leave it to a human operator and warn him of a
> new host key.
> This way is a no-go for automation and testing, a workaround is to disable
> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> like here: https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
> It seems to me that a better way would be to auto-add host-key if this is a
> wholly new host (and maybe check for key uniqueness).

Auto add host for only new host is
StrictHostKeyChecking=accept-new

> My understanding is that this is a job for a certain Ansible plugin, cause
> host-key handling is not dependent on specific cloud/provisioning module
> (digital_ocean_droplet in my case)
> So far I couldn't find any plugin of this sort and kindly ask for pointers.
Ansible is relying on ssh and doesn't handle this for the Ansible controller, since it has no way of knowing if the host key is valid or not.
To do this in a secure manner you need to inject a known or a signed ssh host key in the instance at creation time.
>> Traditional approach is to leave it to a human operator and warn him of a
>> new host key.
>> This way is a no-go for automation and testing, a workaround is to disable
>> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
>> like here: https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
>> It seems to me that a better way would be to auto-add host-key if this is a
>> wholly new host (and maybe check for key uniqueness).
> Auto add host for only new host is
> StrictHostKeyChecking=accept-new

That's interesting, I'll check that.

>> My understanding is that this is a job for a certain Ansible plugin, cause
>> host-key handling is not dependent on specific cloud/provisioning module
>> (digital_ocean_droplet in my case)
>> So far I couldn't find any plugin of this sort and kindly ask for pointers.
> Ansible is relying on ssh and doesn't handle this for the Ansible controller, since it has no way of knowing if the host key is valid or not.
> To do this in a secure manner you need to inject a known or a signed ssh host key in the instance at creation time.

I do not pursue 100% control of the host-key; there's little point in doing so for a public cloud host instance.
A basic sanity check is OK for me and for the majority of cloud users, I suppose.
Hope I'll find a way to do it using your pointer.
Thanks Kai!
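An added example, not from the thread or from Ansible/OpenSSH: it models the accept-new decision named above in pure Python and adds the key-uniqueness check the original post asks about, run against a constructed, plain-format (unhashed) known_hosts sample with made-up key blobs. When the host key was pre-seeded at instance creation time, as Kai suggests, 'known' is the only result you should ever see for that host.

```python
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, str]  # (host, key type, base64 key blob)

# Constructed sample known_hosts (not real keys): two droplets built from the
# same snapshot still share an ed25519 host key; db1 has its own RSA key.
SAMPLE_KNOWN_HOSTS = """\
# controller known_hosts (constructed sample)
203.0.113.10 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlpha web1
203.0.113.11,web2.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAlpha web2
203.0.113.20 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABExampleBravo db1
"""


def parse_known_hosts(text: str) -> List[Entry]:
    """Parse plain (unhashed) lines of the form 'h1,h2 keytype blob [comment]'."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and @cert-authority / @revoked marker lines.
        if not line or line[0] in "#@":
            continue
        hosts, ktype, blob = line.split()[:3]
        for host in hosts.split(","):
            entries.append((host, ktype, blob))
    return entries


def shared_keys(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Key blobs recorded for more than one host: the 'uniqueness' check."""
    by_key: Dict[str, Set[str]] = {}
    for host, _ktype, blob in entries:
        by_key.setdefault(blob, set()).add(host)
    return {blob: hosts for blob, hosts in by_key.items() if len(hosts) > 1}


def accept_new(entries: List[Entry], host: str, ktype: str, blob: str) -> str:
    """Apply accept-new semantics to the key a host just presented.

    'known'    host already recorded with exactly this key (the expected
               result when the key was pre-seeded at instance creation)
    'mismatch' host recorded with a different key of this type: refuse
    'shared'   wholly new host, but the key already belongs to another host
    'added'    wholly new host with a unique key: appended to entries
    """
    for h, t, b in entries:
        if h == host and t == ktype:
            return "known" if b == blob else "mismatch"
    if any(b == blob and h != host for h, _t, b in entries):
        return "shared"
    entries.append((host, ktype, blob))
    return "added"
```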