ansible_ssh_args does not appear to be a config value used by Ansible. [ssh_connection] ssh_args
that is read, and looking at the source, it appears the environment ANSIBLE_SSH_ARGS is read by the ssh connection plugin. I'll try to play around and see if I can get that manipulated /in the middle/ of a playbook, but it looks fairly awkward to accomplish. This is a setting we'd want to set after the initial few connections.

-jlk

On Mon, Jun 9, 2014 at 7:44 AM, Michael DeHaan <[email protected]> wrote:

> ansible_ssh_args is leveragable here to pass additional arguments correct?
>
> Also this is configurable in ansible.cfg.
>
> On Sat, Jun 7, 2014 at 11:34 AM, Brent Langston <[email protected]> wrote:
>
>> I see your logic, but I think this would break a use case I have in my environment where a bot layers on the appropriate key depending on what it is doing.
>>
>> There is the config key for initiating a config run, the provisioning key for each environment, the deploy key for each environment, and the security group key for each region.
>>
>> Config key is always in the agent, but the others are loaded as needed.
>>
>> The examples you mentioned seem more like something I would be doing occasionally, or one off. For that situation, it would be just as easy to drop keys from my agent to test a new key is working before removing the old.
>>
>> On Jun 7, 2014 1:08 AM, "Jesse Keating" <[email protected]> wrote:
>>
>>> With ansible, one can define ansible_ssh_private_key=/some/key per-host, to define which private key will be sent along for which hosts. This is pretty useful, but I think it's missing the next bit of usefulness, using that private key /exclusively/. As it stands, when you define ansible_ssh_private_key, the Ansible code will add -o IdentityFile=/some/key to the SSH arguments. This directs SSH to /include/ this key along with the rest of the keys it may get from ssh-agent when attempting to make the connection. In order to use the defined key exclusively, an extra option needs to be passed along, -o IdentitiesOnly=yes. This will direct SSH to /only/ attempt using the provided private key.
>>>
>>> This functionality would be useful in key rotation, making sure the new key works before removing any old keys from authorized_keys. It also has security impact, making sure the remote side is responding to the specific key we're providing, indicating it has the public part of this particular key and not some other key that's letting ssh in.
>>>
>>> The code to add this doesn't look too bad, albeit spread across a few connection plugins and one module. I'm willing to put the work in if this is seen as a useful and acceptable change in behavior. Note that at this time I'm not asking for an additional Ansible config entry or argument to toggle this feature, what I'm asking for is a behavior change to go along with the already existing config of ansible_ssh_private_key.
>>>
>>> -jlk
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/85C084BE-9C91-42AF-A2BD-6370132A41EF%40j2solutions.net.
>>> For more options, visit https://groups.google.com/d/optout.
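
Added example, not part of the thread or of Ansible's code: a Python sketch of the key-rotation check described in the original message, offering only the new key (`IdentityFile` plus `IdentitiesOnly=yes`) and disabling connection sharing so an already-open master connection cannot mask a failure. The host names and the `fake_run` stand-in are constructed for illustration.

```python
import subprocess

def exclusive_key_argv(host, key_path, user=None):
    """Build an ssh command that offers key_path and nothing else."""
    target = f"{user}@{host}" if user else host
    return [
        "ssh",
        "-o", f"IdentityFile={key_path}",
        "-o", "IdentitiesOnly=yes",                  # ignore extra identities held by ssh-agent
        "-o", "PreferredAuthentications=publickey",  # no password or keyboard-interactive fallback
        "-o", "BatchMode=yes",                       # fail instead of prompting
        "-o", "ControlPath=none",                    # do not ride an already-authenticated master
        "-o", "ConnectTimeout=10",
        target, "true",
    ]

def check_new_key(hosts, key_path, user=None, run=subprocess.run):
    """Return {host: bool}: True when the host accepted key_path on its own."""
    results = {}
    for host in hosts:
        try:
            proc = run(exclusive_key_argv(host, key_path, user),
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                       timeout=30)
            results[host] = proc.returncode == 0
        except (subprocess.TimeoutExpired, OSError):
            results[host] = False   # unreachable counts as "not verified"
    return results

def safe_to_retire_old_key(results):
    """Old key may be removed only if every host proved it accepts the new one."""
    return bool(results) and all(results.values())

def fake_run(argv, **kwargs):
    """Constructed stand-in for subprocess.run: only web1 has the new key installed."""
    rc = 0 if argv[-2] == "web1.example.test" else 255   # ssh exits 255 on error
    return subprocess.CompletedProcess(argv, rc)

if __name__ == "__main__":
    hosts = ["web1.example.test", "db1.example.test"]    # constructed host names
    results = check_new_key(hosts, "/some/key", run=fake_run)
    for host, ok in results.items():
        print(f"{host}: {'new key accepted' if ok else 'NOT verified'}")
    print("safe to retire old key:", safe_to_retire_old_key(results))
```

Dropping the `run=fake_run` argument makes the check use the real `ssh` client; a host that times out or cannot be reached is reported as not verified rather than assumed good.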
