On Sat, Nov 24, 2018 at 12:25 PM Kai Stian Olstad < [email protected]> wrote:
> On Thursday, 22 November 2018 12:22:42 CET Mark Zhitomirski wrote:
> > Traditional approach is to leave it to a human operator and warn him of a
> > new host key.
> > This way is a no-go for automation and testing, a workaround is to disable
> > host-key checks with ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
> > like here:
> > https://github.com/mz0/ansible-digitalocean/blob/186eb84df/launch.yml#L53
> >
> > It seems to me that a better way would be to auto-add host-key if this is a
> > wholly new host (and maybe check for key uniqueness).
>
> Auto add host for only new host is
> StrictHostKeyChecking=accept-new

That's interesting, I'll check that.

> > My understanding is that this is a job for a certain Ansible plugin, cause
> > host-key handling is not dependent on specific cloud/provisioning module
> > (digital_ocean_droplet in my case)
> > So far I couldn't find any plugin of this sort and kindly ask for pointers.
>
> Ansible is relying on ssh and doesn't handle this for the Ansible
> controller since it has no way of knowing if the host key is valid or not.
>
> To do this in a secure manner you need to inject a known or a signed ssh host
> key in the instance at creation time.

I do not pursue 100% control of host-key, there's little point to do so for
a public cloud host instance. Basic sanity check is OK for me and for
majority of cloud users I suppose.
Hope I'll find a way to it using your pointer. Thanks Kai!

> --
> Kai Stian Olstad
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/17153902.pEk8bVcs9g%40x1.
> For more options, visit https://groups.google.com/d/optout.
--
MZ
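Added example, not part of either poster's message: the accept-new decision discussed above combined with the key-uniqueness check Mark suggests, run over known_hosts text. The function names, hosts and key strings are constructed for illustration; hashed and @-marked entries are skipped, and any recorded key for a host that differs from the presented one is treated as changed.

```python
# Added example: accept-new style decision plus a key-uniqueness check.
# Hosts and key strings below are constructed sample data, not real keys.

KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyB"
KEY_C = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyC"
SAMPLE = (
    f"web1.example.test,203.0.113.10 ssh-ed25519 {KEY_A}\n"
    f"203.0.113.20 ssh-ed25519 {KEY_B} admin@laptop\n"
    f"|1|c2FsdA==|aGFzaA== ssh-ed25519 {KEY_C}\n"  # hashed entry, skipped
)

def parse_known_hosts(text):
    """Return (hostnames, keytype, key) tuples from plain known_hosts lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        # Assumption of this example: comments, @markers and hashed
        # hostnames (|1|...) are ignored rather than resolved.
        if not line or line.startswith(("#", "@", "|")):
            continue
        fields = line.split()
        if len(fields) >= 3:
            entries.append((set(fields[0].split(",")), fields[1], fields[2]))
    return entries

def check_host_key(known_hosts_text, host, keytype, key):
    """Classify the key a host presented.

    Returns (verdict, other_hosts) where verdict is
      "match"   - host is recorded with exactly this key
      "changed" - host is recorded, but not with this key: refuse
      "new"     - host is not recorded: may be added, as accept-new does
    and other_hosts lists different hosts already recorded with this same
    key (for example, instances cloned from one image).
    """
    entries = parse_known_hosts(known_hosts_text)
    other_hosts = sorted({h for hosts, t, k in entries
                          if t == keytype and k == key and host not in hosts
                          for h in hosts})
    recorded = [(t, k) for hosts, t, k in entries if host in hosts]
    if (keytype, key) in recorded:
        verdict = "match"
    elif recorded:
        verdict = "changed"
    else:
        verdict = "new"
    return verdict, other_hosts
```

A non-empty `other_hosts` with verdict `"new"` is the uniqueness warning: the key would be accepted, but it is already in use by another recorded host.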
