On Thursday, 22 November 2018 12:22:42 CET Mark Zhitomirski wrote:
> The traditional approach is to leave it to a human operator and warn him of a
> new host key.
> This way is a no-go for automation and testing; a workaround is to disable
> host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> like here:
> https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
>
> It seems to me that a better way would be to auto-add the host key if this is a
> wholly new host (and maybe check for key uniqueness).
Auto-adding the host key only for a new host is StrictHostKeyChecking=accept-new

> My understanding is that this is a job for a certain Ansible plugin, because
> host-key handling is not dependent on a specific cloud/provisioning module
> (digital_ocean_droplet in my case).
> So far I couldn't find any plugin of this sort and kindly ask for pointers.

Ansible is relying on ssh and doesn't handle this for the Ansible controller since it has no way of knowing if the host key is valid or not.

To do this in a secure manner you need to inject a known or a signed ssh host key into the instance at creation time.

-- 
Kai Stian Olstad
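A worked example of the "inject a known host key at creation time" approach from the reply above. This is an added illustration, not code from the thread, from Ansible, or from the linked playbook. It assumes you generate the host key pair on the controller out of band (for instance `ssh-keygen -t ed25519 -f hostkey -N ''`), that the instance runs cloud-init (its `ssh_keys` and `ssh_deletekeys` settings install the pair and drop any keys the image shipped with), and that you can feed the resulting user-data to your provisioning module. The key bytes and private-key text below are constructed placeholders, not real key material; only the Python standard library is used. Note that the `accept-new` value mentioned in the reply needs OpenSSH 7.6 or newer on the controller.

```python
"""Pre-seed an SSH host key so the controller never has to trust on first use.

Added example for the ansible-project thread; not Ansible's or the poster's code.
Flow: controller generates host key pair -> cloud-init user-data installs it on
the new instance -> controller writes a matching known_hosts entry -> after boot,
ssh-keyscan output is compared against the injected key before any play runs.
"""
import base64
import hashlib
import hmac
import os
import struct


def _ssh_string(data):
    """Encode one RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line):
    """Split an OpenSSH public-key line into (keytype, blob, comment).
    The algorithm name appears twice (text prefix and inside the blob);
    ssh rejects a line where they disagree, so this does too."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != keytype:
        raise ValueError("key type %r does not match blob %r" % (keytype, embedded))
    return keytype, blob, comment


def is_valid_pubkey_line(line):
    """True if the line parses and its type prefix matches the blob."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def fingerprint_sha256(line):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (base64, '=' stripped)."""
    _, blob, _ = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def known_hosts_entry(host, line, hash_host=False):
    """One known_hosts line for `host`. With hash_host=True the name is stored
    the way HashKnownHosts does it: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    keytype, blob, _ = parse_pubkey_line(line)
    if hash_host:
        salt = os.urandom(20)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        host_field = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    else:
        host_field = host
    return "%s %s %s" % (host_field, keytype, base64.b64encode(blob).decode())


def known_hosts_host_matches(entry, host):
    """Does the (plain or hashed) host field of a known_hosts line name `host`?
    Mirrors ssh's lookup: recompute the HMAC with the stored salt and compare."""
    host_field = entry.split(None, 1)[0]
    if not host_field.startswith("|1|"):
        return host in host_field.split(",")
    _, _, salt_b64, mac_b64 = host_field.split("|")
    expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def cloud_init_user_data(private_key, public_line):
    """#cloud-config that installs the controller-generated ed25519 host key
    (cloud-init `ssh_keys`) and deletes whatever the image shipped (`ssh_deletekeys`)."""
    keytype, _, _ = parse_pubkey_line(public_line)
    if keytype != "ssh-ed25519":
        raise ValueError("this helper only handles ed25519 host keys")
    indented = "\n".join("    " + l for l in private_key.strip().splitlines())
    return ("#cloud-config\nssh_deletekeys: true\nssh_keys:\n  ed25519_private: |\n"
            "%s\n  ed25519_public: %s\n" % (indented, public_line.strip()))


def presented_key_matches(keyscan_output, host, injected_line):
    """Compare `ssh-keyscan -t ed25519 host` output with the injected key.
    Returns False if the host is missing or presents any other key."""
    keytype, blob, _ = parse_pubkey_line(injected_line)
    for raw in keyscan_output.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue  # ssh-keyscan writes banner lines as comments
        name, rest = raw.split(None, 1)
        if name == host and is_valid_pubkey_line(rest):
            seen_type, seen_blob, _ = parse_pubkey_line(rest)
            if seen_type == keytype and hmac.compare_digest(seen_blob, blob):
                return True
    return False


# Constructed placeholder keys (fixed bytes, NOT real keys), built in wire
# format so they parse exactly like keys ssh-keygen would have produced.
def _fake_ed25519(point_bytes, comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point_bytes)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


HOST_PUBKEY = _fake_ed25519(bytes(range(32)), "host@example")
OTHER_PUBKEY = _fake_ed25519(bytes(range(32, 64)), "impostor@example")
HOST_PRIVKEY = "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----"
# Constructed ssh-keyscan output for the instance we provisioned.
SAMPLE_KEYSCAN = "# 10.0.0.5:22 SSH-2.0-OpenSSH_8.9\n10.0.0.5 %s\n" % HOST_PUBKEY.rsplit(" ", 1)[0]

if __name__ == "__main__":
    print(cloud_init_user_data(HOST_PRIVKEY, HOST_PUBKEY))
    print(known_hosts_entry("10.0.0.5", HOST_PUBKEY, hash_host=True))
    print(fingerprint_sha256(HOST_PUBKEY))
    print("instance presents injected key:", presented_key_matches(SAMPLE_KEYSCAN, "10.0.0.5", HOST_PUBKEY))
```

With the generated known_hosts file in place, the playbook can keep checking enabled and point ssh at that file instead of disabling it, e.g. `ansible_ssh_extra_args: '-o UserKnownHostsFile=./known_hosts -o StrictHostKeyChecking=yes'`. The signed-key variant from the reply works the same way except that the controller signs the host key with a CA (`ssh-keygen -s ca_key -I <id> -h -n <hostname> hostkey.pub`) and known_hosts holds a single `@cert-authority * ssh-ed25519 <ca-pubkey>` line covering every instance; the checks in `presented_key_matches` then belong on the certificate rather than on the raw key.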
