Per IRC, I'm open to that being a thing.
On Mon, Jun 9, 2014 at 1:04 PM, Jesse Keating <[email protected]> wrote:

> ansible_ssh_args does not appear to be a config value used by Ansible.
>
> [ssh_connection]
> ssh_args
>
> that is read, and looking at the source, it appears the environment
> ANSIBLE_SSH_ARGS is read by the ssh connection plugin.
>
> I'll try to play around and see if I can get that manipulated /in the
> middle/ of a playbook, but it looks fairly awkward to accomplish. This is a
> setting we'd want to set after the initial few connections.
>
> -jlk
>
> On Mon, Jun 9, 2014 at 7:44 AM, Michael DeHaan <[email protected]>
> wrote:
>
>> ansible_ssh_args is leverageable here to pass additional arguments, correct?
>>
>> Also this is configurable in ansible.cfg.
>>
>> On Sat, Jun 7, 2014 at 11:34 AM, Brent Langston <[email protected]>
>> wrote:
>>
>>> I see your logic, but I think this would break a use case I have in my
>>> environment where a bot layers on the appropriate key depending on what it
>>> is doing.
>>>
>>> There is the config key for initiating a config run, the provisioning
>>> key for each environment, the deploy key for each environment, and the
>>> security group key for each region.
>>>
>>> Config key is always in the agent, but the others are loaded as needed.
>>>
>>> The examples you mentioned seem more like something I would be doing
>>> occasionally, or one off. For that situation, it would be just as easy to
>>> drop keys from my agent to test a new key is working before removing the
>>> old.
>>>
>>> On Jun 7, 2014 1:08 AM, "Jesse Keating" <[email protected]>
>>> wrote:
>>>
>>>> With ansible, one can define ansible_ssh_private_key=/some/key
>>>> per-host, to define which private key will be sent along for which hosts.
>>>> This is pretty useful, but I think it's missing the next bit of usefulness,
>>>> using that private key /exclusively/. As it stands, when you define
>>>> ansible_ssh_private_key, the Ansible code will add -o
>>>> IdentityFile=/some/key to the SSH arguments. This directs SSH to /include/
>>>> this key along with the rest of the keys it may get from ssh-agent when
>>>> attempting to make the connection. In order to use the defined key
>>>> exclusively, an extra option needs to be passed along, -o
>>>> IdentitiesOnly=yes. This will direct SSH to /only/ attempt using the
>>>> provided private key.
>>>>
>>>> This functionality would be useful in key rotation, making sure the new
>>>> key works before removing any old keys from authorized_keys. It also has
>>>> security impact, making sure the remote side is responding to the specific
>>>> key we're providing, indicating it has the public part of this particular
>>>> key and not some other key that's letting ssh in.
>>>>
>>>> The code to add this doesn't look too bad, albeit spread across a few
>>>> connection plugins and one module. I'm willing to put the work in if this
>>>> is seen as a useful and acceptable change in behavior. Note that at this
>>>> time I'm not asking for an additional Ansible config entry or argument to
>>>> toggle this feature, what I'm asking for is a behavior change to go along
>>>> with the already existing config of ansible_ssh_private_key.
>>>>
>>>> -jlk
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/85C084BE-9C91-42AF-A2BD-6370132A41EF%40j2solutions.net
>>>> .
>>>> For more options, visit https://groups.google.com/d/optout.
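Added example, not part of the thread and not Ansible code: a shell check for the key-rotation case raised in the original message, confirming that a new key authenticates on its own before old keys are removed from authorized_keys. The function names, the script name and the `user@host` targets are assumptions.

```shell
#!/bin/sh
# Added example, not Ansible code. Targets and key paths are placeholders.

# Return 0 only if TARGET accepts KEY with no other identity on offer.
key_works_alone() {
    target=$1
    key=$2
    [ -r "$key" ] || { echo "cannot read key: $key" >&2; return 2; }
    # -F /dev/null            skip ssh_config files, so no IdentityFile entries
    #                         from there are added (use user@host, not an alias)
    # IdentitiesOnly=yes      offer only the configured key, even when
    #                         ssh-agent holds others
    # PreferredAuthentications=publickey, BatchMode=yes
    #                         no password or keyboard-interactive fallback
    ssh -F /dev/null \
        -o IdentityFile="$key" \
        -o IdentitiesOnly=yes \
        -o PreferredAuthentications=publickey \
        -o BatchMode=yes \
        -o ConnectTimeout=10 \
        "$target" true
}

# Print every host where NEWKEY does not yet authenticate on its own.
hosts_not_ready() {
    newkey=$1
    shift
    for host in "$@"; do
        key_works_alone "$host" "$newkey" >/dev/null 2>&1 || printf '%s\n' "$host"
    done
}

# Usage: sh check_new_key.sh /path/to/new_key user@host [user@host ...]
if [ "$#" -ge 2 ]; then
    pending=$(hosts_not_ready "$@")
    if [ -n "$pending" ]; then
        printf 'new key not accepted on its own by:\n%s\n' "$pending" >&2
        exit 1
    fi
    echo "new key works alone everywhere; old keys can be removed"
fi
```

Without `IdentitiesOnly=yes` the same command can succeed through any other key the agent holds, which is exactly the false positive the original message describes.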
