New ansible module for managing ssh_known_hosts

Hi,

I wrote an ansible module to manage ssh's known_hosts file. Unlike the
existing module I found by googling, this one is written in Python, and
requires the user to supply a public key. It uses ssh-keygen to search
for existing entries, and to remove unwanted entries.

The code is available here:
https://git.csx.cam.ac.uk/x/ucs/u/mcv21/ans_knownhosts.git

Is this something you'd be prepared to consider for inclusion into
ansible's core?

Regards,

Matthew

If you would like it reviewed, a pull request is definitely the way to go.

However, a known_hosts file is going to be rough to manage with Ansible, with thousands of entries, it might need to make thousands of module calls.

I think in most cases it might be better to template the file – or just use the copy module, and as such, I’m probably not interested in including this in the core list.

Hope this makes sense

I would be interested in discussion.

Hi,

> If you would like it reviewed, a pull request is definitely the way to go.

https://github.com/ansible/ansible/pull/7840

> However, a known_hosts file is going to be rough to manage with Ansible,
> with thousands of entries, it might need to make thousands of module calls.
>
> I think in most cases it might be better to template the file -- or just
> use the copy module, and as such, I'm probably *not* interested in
> including this in the core list.
>
> Hope this makes sense
>
> I would be interested in discussion.

I would not envisage this being used for known_hosts files with
thousands of entries - in that case, you'd be better off producing host
key certificates and just rolling out a @cert-authority known_hosts
entry, or using SSHFP records.

Our use case is to manage the known_hosts entries for a few key servers
that our target machines need to talk to (e.g. the git server). We also
want to avoid removing known_hosts entries that users have made
themselves (except where we're intentionally pushing out a new key for a
host). OpenSSH hashes its known_hosts entries, which makes it not
entirely obvious which entries relate to which hosts.

It was these considerations (which I don't think are unique to us by any
stretch of the imagination) that led to this module. It uses ssh-keygen
to aid management of the known_hosts file - to query which hosts are
known about, and to remove relevant entries. This means we can update
(or remove) host keys where necessary, store keys in the known_hosts
file in a way which plays nicely with users, and handle hashed entries
neatly.

Regards,

Matthew

Right, more of the question as I know people will try it on large host numbers: it will not work like they expect (i.e. slow to run that many tasks for hundreds of entries) and then they'll get frustrated...

I’m a little unclear why it should be using ssh-keygen in that module.

Hi,

> Right, more of the question as I know people will try it on large host
> numbers: it will not work like they expect (i.e. slow to run that many
> tasks for hundreds of entries) and then they'll get frustrated...

I could adjust the documentation to make this clearer (after all, if you
really don't care about host keys that users install and just want to
blat out your vast 2000-key-containing file, then my known_hosts module
isn't what you want). I do think that the flexibility the known_hosts
module gives you to manage a smaller set of host keys you care about and
might want to update in future is valuable, though.

> I'm a little unclear why it should be using ssh-keygen in that module.

ssh-keygen needs renaming, but I think that ship has sailed. It's the
tool OpenSSH provides for searching for (and deleting) entries in the
known_hosts file. It seems better to use that (which handles
cert-authority, revoked, hashed and unhashed entries) than re-invent the
host_keys parsing wheel. The sshd manpage doesn't document the hashing
procedure, so I suspect upstream reserve the right to change it in
future; using ssh-keygen means we don't have to care about it.

Regards,

Matthew
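The hashed entries and the ssh-keygen lookups described in the two posts above, illustrated by an added example that is not code from Matthew's module or from Ansible. It re-implements in plain Python what the module delegates to `ssh-keygen -F` (find) and `ssh-keygen -R` (remove), so that the `|1|salt|hash|` host field (HMAC-SHA1 of the hostname keyed with a random 20-byte salt, both base64-encoded) is visible. The sample known_hosts content, the host names and the key blobs are constructed placeholders; the bracketed `[host]:port` form and the `ssh-keygen -H` in-place rewrite are deliberately not handled.

```python
"""Find, remove and replace OpenSSH known_hosts entries, hashed or not.

Constructed example: it re-implements in Python what an Ansible module
would otherwise delegate to `ssh-keygen -F` / `ssh-keygen -R`.
"""
import base64
import fnmatch
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    marker: Optional[str]  # "@cert-authority", "@revoked" or None
    hosts: str             # comma-separated patterns, or a |1|salt|hash| token
    keytype: str
    key: str
    comment: str


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed host field as ssh-keygen -H writes it:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))|"""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(),
                          base64.b64encode(digest).decode())


def token_matches(token: str, host: str) -> bool:
    """One host pattern against one name (case-insensitive, * and ? wildcards).
    Assumption: bracketed [host]:port forms are not handled here."""
    if token.startswith("|1|"):
        _, _, salt_b64, digest_b64, _ = token.split("|")
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return fnmatch.fnmatchcase(host.lower(), token.lower())


def host_matches(hosts_field: str, host: str) -> bool:
    """OpenSSH semantics: a matching negated (!pattern) token vetoes the line."""
    matched = False
    for token in hosts_field.split(","):
        if token.startswith("!"):
            if token_matches(token[1:], host):
                return False
        elif token_matches(token, host):
            matched = True
    return matched


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None for blank, comment and malformed lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = fields.pop(0) if fields[0].startswith("@") else None
    if len(fields) < 3:
        return None
    return Entry(marker, fields[0], fields[1], fields[2], " ".join(fields[3:]))


def find_entries(text: str, host: str) -> List[Tuple[int, Entry]]:
    """What `ssh-keygen -F host -f file` reports: (line number, entry) pairs."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = parse_line(line)
        if entry and host_matches(entry.hosts, host):
            found.append((lineno, entry))
    return found


def remove_host(text: str, host: str, keytype: Optional[str] = None) -> str:
    """Drop plain key lines for `host` (hashed or not), like `ssh-keygen -R`.
    A line listing several names ("git,10.0.0.5") goes as a whole.  Marker
    lines (@cert-authority, @revoked) are policy, not a host's key, so they
    stay.  Output always ends in a newline, even if the input had lost its
    last one."""
    kept = []
    for line in text.splitlines():
        entry = parse_line(line)
        if (entry and entry.marker is None and host_matches(entry.hosts, host)
                and (keytype is None or entry.keytype == keytype)):
            continue
        kept.append(line)
    return "".join(l + "\n" for l in kept)


def ensure_key(text: str, host: str, keytype: str, key: str,
               comment: str = "", hash_host: bool = False) -> Tuple[str, bool]:
    """Idempotently record exactly `key` as the `keytype` key for `host`.
    Returns (new_text, changed), the shape an Ansible module reports."""
    plain = [e for _, e in find_entries(text, host)
             if e.marker is None and e.keytype == keytype]
    if len(plain) == 1 and plain[0].key == key:
        return text, False
    text = remove_host(text, host, keytype)
    hosts_field = hash_hostname(host, os.urandom(20)) if hash_host else host
    line = " ".join(f for f in (hosts_field, keytype, key, comment) if f)
    return text + line + "\n", True


# Constructed sample file; the key blobs are placeholders, not real keys.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# partly hand-maintained",
    "git.example.org,10.0.0.5 ssh-ed25519 AAAAOLDGITKEY old git key",
    "@cert-authority *.example.org ssh-ed25519 AAAACAKEY example-ca",
    "@revoked bad.example.org ssh-rsa AAAAREVOKEDKEY",
    hash_hostname("wiki.example.org", SALT) + " ssh-ed25519 AAAAWIKIKEY",
])  # no trailing newline on purpose: the case the pull request update fixes


if __name__ == "__main__":
    for n, e in find_entries(SAMPLE_KNOWN_HOSTS, "wiki.example.org"):
        print(n, e.marker or "", e.hosts[:24], e.keytype)
    new, changed = ensure_key(SAMPLE_KNOWN_HOSTS, "git.example.org",
                              "ssh-ed25519", "AAAANEWGITKEY", hash_host=True)
    print("changed:", changed)
    print(new)
```

Run stand-alone it prints the entries found for `wiki.example.org` (the wildcard `@cert-authority` line as well as the hashed one) and the file after the git server's key has been replaced with a freshly salted hashed entry. The thread's point stands: this is exactly the parsing that `ssh-keygen -F host -f known_hosts`, `ssh-keygen -R host -f known_hosts` and `ssh-keygen -H -f known_hosts` already do, including the hashing procedure that, as Matthew notes, the sshd man page does not document.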

Hi again,

I updated my pull request at
https://github.com/ansible/ansible/pull/7840

There are a couple of code fixes (handle the case where the trailing
newline has been lost, also cope with a missing known_hosts file), and
I've updated the documentation to note that the template module is the
way to go if you wanted to manage thousands of host keys.

You'll have seen the ansible vs salt article that did the rounds; one of
the things the author complains about is a lack of known_hosts module
for ansible. Here, as they say, is one I made earlier :)

Regards,

Matthew

Thanks, it’s in queue.

Let's not bring up that article :)

Hi,