Setting ANSIBLE_HOST_KEY_CHECKING per host

Is it possible to set ANSIBLE_HOST_KEY_CHECKING on a per host or host group basis? This would help prevent my known_hosts file from becoming cluttered with test boxes but still ensure when I talk to production hosts I can verify their identity.


You can do an ssh-keyscan and generate the production servers and make it into a known_hosts file; this will remove all your test servers and keep production in there. Something like:

    ssh-keyscan -t rsa -H "<servername>,<servername2>,<servername3>" > ~/.ssh/known_hosts

Don’t know if it’s what you want, but it’s an option… ;p

Good to know, but not quite what I’m looking for.

You could perhaps achieve this with a crafted ssh_config. Especially if your hosts are named predictably.

Consider if your production hosts have names in the form host5.prod.domain.net and other environments are different, such as host3.stage.domain.net.

A corresponding ssh_config might be (note that first option match wins):

    Host *.prod.domain.net
        StrictHostKeyChecking yes

    Host *.domain.net
        StrictHostKeyChecking no

Hope this helps
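Added example, not part of the thread: a Python check that resolves the ssh_config above the way ssh does (per option, the first value obtained wins) and flags production hosts that would connect without strict host key checking, for instance after the two blocks are reordered. The `UserKnownHostsFile` lines, the function names and the simplified `Key value` parsing are assumptions made for this illustration; `/dev/null` keeps test-box keys out of known_hosts, and the production block has to set its own value because production hosts also match `*.domain.net`.

```python
import fnmatch

# Constructed config using the thread's hostnames. The UserKnownHostsFile lines
# are an assumption added here; they are not part of the thread's ssh_config.
SSH_CONFIG = """\
Host *.prod.domain.net
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts

Host *.domain.net
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
"""
# Same blocks with the wildcard block first: the ordering mistake to catch.
REORDERED = "\n\n".join(reversed(SSH_CONFIG.strip().split("\n\n"))) + "\n"

def parse(text):
    """Return [(host_patterns, {option: value})] in file order.
    Simplified: "Key value" lines only, negated (!) patterns are not handled."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            blocks.append((value.lower().split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def effective(text, host):
    """Resolve options the way ssh does: per option, the first value obtained wins."""
    result = {}
    for patterns, options in parse(text):
        if any(fnmatch.fnmatchcase(host.lower(), p) for p in patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result

def unverified(text, hosts):
    """Return the hosts whose effective StrictHostKeyChecking is not "yes"."""
    return [h for h in hosts
            if effective(text, h).get("stricthostkeychecking", "ask") != "yes"]

if __name__ == "__main__":
    prod = ["host5.prod.domain.net"]
    print(unverified(SSH_CONFIG, prod), unverified(REORDERED, prod))
```

On a machine with OpenSSH, `ssh -G <host>` prints the options ssh itself would apply to a host, which is the authoritative way to confirm the same thing.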

You can set ansible_ssh_args per group/host.

Does this override any ssh_args setting I have in ansible.cfg?

Adding ansible_ssh_args='-o StrictHostKeyChecking=no' after the host in the inventory file didn’t seem to do anything.

Also it seems like in general using StrictHostKeyChecking still adds the key to known_hosts; it just doesn’t ask first.

Can you really set ansible_ssh_args per group/host? I remember trying
it a while ago and it didn't work. And it's not mentioned here:
http://docs.ansible.com/intro_inventory.html#list-of-behavioral-inventory-parameters

I'll admit I haven't tried it in a while, but can someone confirm that
it actually works?

Never mind, that was a PR that I was using but not accepted.