
Support StrictHostKeyChecking=accept-new

Open sgrimm opened this issue 5 years ago • 5 comments

Using Ansible 2.9.14 with Mitogen 0.2.9.

Bootstrapping new hosts in Ansible is kind of a pain to do well with Mitogen because a new host, by definition, has an unknown host key. You end up having to explicitly add entries to the known_hosts file out of band, either by logging into the servers manually or by running ssh-keyscan.

With the regular ssh connector and a non-ancient OpenSSH client, you can specify ansible_ssh_common_args: '-o StrictHostKeyChecking=accept-new' and it will do strict key checking for existing hosts but automatically add entries to known_hosts as hosts are encountered for the first time.

However, there's no way to get this to work with Mitogen because it always adds its own -o StrictHostKeyChecking option to the ssh command line before it appends Ansible-configured ssh arguments, and the ssh client uses the first option value it finds.

It'd be great to either directly support the accept-new host key checking style, or provide a way to supply a set of ssh arguments that are inserted before the Mitogen-generated ones.

sgrimm avatar Oct 30 '20 21:10 sgrimm

👍 this would be cool to add.

        if not self._requires_pty():
            bits += ['-o', 'BatchMode yes']
        if self.options.check_host_keys == 'enforce':
            bits += ['-o', 'StrictHostKeyChecking yes']
        if self.options.check_host_keys == 'accept':
            bits += ['-o', 'StrictHostKeyChecking ask']
        elif self.options.check_host_keys == 'ignore':
            bits += [
                '-o', 'StrictHostKeyChecking no',
                '-o', 'UserKnownHostsFile /dev/null',
                '-o', 'GlobalKnownHostsFile /dev/null',
            ]

this block definitely could use some updating

s1113950 avatar Nov 01 '20 03:11 s1113950
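The ordering problem described in the issue can be reproduced without an ssh binary. The following is an added example, not Mitogen's code: it models how the connector assembles the ssh argument list (connector-generated `-o` options first, then the user's ssh_args), adds a hypothetical `accept-new` branch alongside the existing `enforce`/`accept`/`ignore` modes, and resolves an option the way the OpenSSH client does, where the first occurrence of a keyword on the command line wins. The `MODES` table, `build_ssh_args` and `effective_option` are assumptions made for this example; the real connector builds its list in `mitogen/ssh.py` and the exact argument order there may differ.

```python
"""Added example (not part of Mitogen): show why a user-supplied
'-o StrictHostKeyChecking=accept-new' is ignored when the connector has
already emitted its own StrictHostKeyChecking option earlier in argv."""
import re
import shlex

# Hypothetical mapping of the check_host_keys setting to ssh options.
# 'accept-new' is the mode proposed in this issue; OpenSSH accepts it
# since 7.6 (earlier clients reject the value as a bad option).
MODES = {
    'enforce': ['-o', 'StrictHostKeyChecking yes'],
    'accept': ['-o', 'StrictHostKeyChecking ask'],
    'accept-new': ['-o', 'StrictHostKeyChecking accept-new'],
    'ignore': [
        '-o', 'StrictHostKeyChecking no',
        '-o', 'UserKnownHostsFile /dev/null',
        '-o', 'GlobalKnownHostsFile /dev/null',
    ],
}

# Matches "Keyword value", "Keyword=value" and "Keyword = value".
_OPTION_RE = re.compile(r'^\s*([A-Za-z]+)\s*(?:=|\s)\s*(.*?)\s*$')


def build_ssh_args(check_host_keys, ssh_args='', hostname='host'):
    """Assemble argv in the order the issue describes: connector-generated
    options first, then the user's ssh_args string, then the hostname."""
    if check_host_keys not in MODES:
        raise ValueError('unknown check_host_keys value: %r' % (check_host_keys,))
    bits = ['ssh', '-o', 'BatchMode yes']
    bits += MODES[check_host_keys]
    bits += shlex.split(ssh_args)
    bits.append(hostname)
    return bits


def effective_option(argv, keyword):
    """Resolve an ssh option as the OpenSSH client does: keywords are
    case-insensitive, and the first value given for a keyword wins.
    Handles both '-o Key=value' and the compact '-oKey=value' form.
    Returns None if the keyword never appears."""
    i = 0
    while i < len(argv):
        token = argv[i]
        if token == '-o' and i + 1 < len(argv):
            text, i = argv[i + 1], i + 2
        elif token.startswith('-o') and len(token) > 2:
            text, i = token[2:], i + 1
        else:
            i += 1
            continue
        match = _OPTION_RE.match(text)
        if match and match.group(1).lower() == keyword.lower():
            return match.group(2)
    return None


def override_honoured(check_host_keys, ssh_args, keyword='StrictHostKeyChecking'):
    """True if the value the user asked for in ssh_args is the one ssh will
    actually use, False if a connector-generated option shadows it."""
    wanted = effective_option(shlex.split(ssh_args), keyword)
    actual = effective_option(build_ssh_args(check_host_keys, ssh_args), keyword)
    return wanted is not None and wanted == actual


if __name__ == '__main__':
    user_args = '-o StrictHostKeyChecking=accept-new'
    argv = build_ssh_args('enforce', user_args)
    print(' '.join(shlex.quote(a) for a in argv))
    # The connector's 'yes' comes first, so ssh never sees 'accept-new'.
    print('effective:', effective_option(argv, 'StrictHostKeyChecking'))
    print('override honoured:', override_honoured('enforce', user_args))
    # A native accept-new mode avoids the conflict entirely.
    print('native:', effective_option(build_ssh_args('accept-new'), 'stricthostkeychecking'))
```

Running the script prints the assembled command line and shows the effective value is `yes` despite the user's `accept-new`; switching the mode to the hypothetical `accept-new` branch (or inserting the user's arguments before the connector's) is what makes the override take effect. The same first-wins rule is why the `ignore` branch can safely stack `UserKnownHostsFile /dev/null` after `StrictHostKeyChecking no`: each keyword is resolved independently.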

Here's a quickfix to emulate this behavior through Ansible. It needs to be run in a role with gather_facts: no (and also before any other roles that do require facts):

- name: Check if host key exists (red means no)
  local_action:
    module: command
    args: ssh-keygen -l -F "{{ ansible_ssh_host }}"
  ignore_errors: yes
  changed_when: no
  register: host_registered

- name: Trust the new host
  local_action:
    module: shell
    args: ssh-keyscan -H "{{ ansible_ssh_host }}" >> $HOME/.ssh/known_hosts
  when:
  - host_registered.rc > 0

andsens avatar Nov 04 '21 16:11 andsens

Where/how would I set the check_host_keys option?

incognico avatar Nov 06 '21 17:11 incognico