I saw that Ansible uses the “AutoAddPolicy” for missing host keys, which is nice if you have a lot of new hosts, but I’m a bit worried about what exactly paramiko does in this mode and the implications thereof. It sounds like it’s just adding unknown new host keys but would not ignore changed host keys for hosts that are already known. But I wanted to make sure…
So as a test, I modified a host key in my .ssh/known_hosts file, after which I’m (as expected) not able to connect to that host via openssh anymore. Ansible, however, doesn’t care, and an Ansible push to that host continues to work. So I guess that Ansible (or paramiko, that is) saves host keys in some other location (does it?), but I couldn’t find out where. Or doesn’t it save any new host keys at all (which would be a big security issue if it always happily connects to unknown hosts)?
I’m OK with adding unknown host keys; we can just let them be added by an Ansible push right after deployment, to make sure the connection is not compromised. But a changed host key should be reported and the connection should not be established…
To be fair, I didn’t test changing the host key on the remote host itself to see if that leads to the expected error… that’s currently not possible for me.
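Added example, not part of the original post and not Ansible’s or paramiko’s own code: a small re-implementation of the host key decision an SSH client makes against a known_hosts file, so the two cases the post distinguishes (an unknown host versus a known host whose key has changed) can be run side by side. It assumes paramiko’s SSHClient behaviour as I read its source: the missing-host-key policy (what `AutoAddPolicy` plugs into) is consulted only when the loaded host keys contain no entry at all for the hostname, and a known host presenting a different key raises `BadHostKeyException` regardless of policy. The hostnames and key blobs are constructed placeholders, not real public keys; wildcard patterns and `@cert-authority`/`@revoked` marker lines are deliberately not handled.

```python
import base64
import hashlib
import hmac


def hashed_host_entry(hostname, salt):
    """Build the OpenSSH hashed host form '|1|<salt>|<hmac_sha1(salt, hostname)>'."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


_SALT = bytes(range(20))  # fixed salt so the constructed sample is reproducible

# Constructed sample known_hosts; key blobs are placeholders, not real public keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "web1.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEweb1",
    "web1.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEweb1",
    "[db1.example.internal]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEdb1",
    hashed_host_entry("app1.example.internal", _SALT)
    + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEapp1",
])


def parse_known_hosts(text):
    """Return a list of (host_patterns, key_type, key_b64) entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            # @cert-authority / @revoked markers are out of scope for this example;
            # refuse rather than silently ignore a @revoked line.
            raise ValueError("marker lines not supported: %s" % line)
        fields = line.split(None, 3)  # patterns, key type, key, [comment]
        if len(fields) < 3:
            raise ValueError("malformed known_hosts line: %s" % line)
        entries.append((fields[0].split(","), fields[1], fields[2]))
    return entries


def hostkey_name(hostname, port=22):
    """Name a host is stored under: '[host]:port' when the port is not 22."""
    return hostname if port == 22 else "[%s]:%d" % (hostname, port)


def _pattern_matches(pattern, name):
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(digest_b64))
    return pattern == name  # wildcard and '!' negation patterns are not handled here


def keys_for(entries, name):
    """All stored keys for a host, keyed by key type; None if the host is unknown."""
    found = {}
    for patterns, key_type, key in entries:
        if any(_pattern_matches(p, name) for p in patterns):
            found.setdefault(key_type, key)
    return found or None


def check_host_key(entries, hostname, port, key_type, key_b64, auto_add=False):
    """Decide what to do with the key a server presented.

    auto_add mirrors AutoAddPolicy: it is consulted only when the host has no
    entry at all. A known host presenting a different key (or a key type that
    was never stored) is always reported as changed, never silently accepted.
    """
    name = hostkey_name(hostname, port)
    stored = keys_for(entries, name)
    if stored is None:
        if auto_add:
            entries.append(([name], key_type, key_b64))  # trust on first use
            return "unknown-added"
        return "unknown-rejected"
    if key_type in stored and hmac.compare_digest(stored[key_type], key_b64):
        return "ok"
    return "changed"  # the point at which paramiko raises BadHostKeyException


def demo():
    """Walk the cases from the post against the constructed sample file."""
    entries = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    good = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEweb1"
    tampered = good[:-4] + "XXXX"  # simulates editing the key in known_hosts
    return [
        check_host_key(entries, "web1.example.internal", 22, "ssh-ed25519", good),
        check_host_key(entries, "web1.example.internal", 22, "ssh-ed25519", tampered),
        check_host_key(entries, "app1.example.internal", 22, "ssh-ed25519",
                       "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEapp1"),  # hashed entry
        check_host_key(entries, "db1.example.internal", 22, "ssh-ed25519",
                       "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEdb1"),  # stored for port 2222 only
        check_host_key(entries, "new1.example.internal", 22, "ssh-ed25519", "K1", auto_add=True),
        check_host_key(entries, "new1.example.internal", 22, "ssh-ed25519", "K2", auto_add=True),
    ]
```

The last two calls are the point of the exercise: with auto-add on, a never-seen host is added on first contact, but the same host presenting a different key on the next call is reported as changed, so an auto-add policy by itself does not explain a tampered known_hosts entry being accepted. Which file is actually consulted is the other thing to check: paramiko’s `SSHClient.load_system_host_keys()` reads `~/.ssh/known_hosts` by default, while `load_host_keys(path)` loads a separate file that `AutoAddPolicy` also saves new keys into; if the client was only given a separate file, an edit to `~/.ssh/known_hosts` would not be seen at all.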