On Sun, 08 Jun 2014 02:42:41 +0100
Michael Scherer <[email protected]> wrote:

> I do not see that in /etc/ssh/ssh_config on lockbox ( could be in
> ~/.ssh/config however ), nor anything in /etc/ansible/ansible.cfg
> ( could again be a local config somewhere else ). I didn't find
> anything making it see a different ~/.ssh/config, nor ~/.ansible/* , so
> I think the default is used, which is 'ask'.

Yeah, although 'ask' means: If you don't know the host at all, ask. If
the host key doesn't match, reject. 
> 
> And after a quick crude test, if you have ssh listening on 2 ports,
> ssh will treat each as a different entry in known_hosts, and so ask
> again. ( or at least on my laptop, I didn't dig more given the hour,
> will try to search a bit more ).
> 
> So while I am not affirmative at 100% ( again, could be different in
> the precise case of ansible in Fedora infra, could be one of the 360
> lines of my own ssh config, could be me being tired ), I would not
> exclude a possible issue with what I do see.

Sure. Keep in mind that while we like rbac-playbook to be nice and
secure, its use is for people that are already trusted to have access
to lockbox, are in a group that has sudo for rbac-playbook, have
entered their password and 2fa token. It's simply a way to restrict
them to the machines that are in their group(s)...

kevin
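As an added illustration of the behaviour discussed in this thread (example code written for this page, not code from the Fedora infrastructure, from rbac-playbook or from OpenSSH), the Python sketch below models how ssh looks up a host in known_hosts and what StrictHostKeyChecking=ask does with the result: a host on a non-default port is keyed as [host]:port and is therefore a separate, initially unknown entry that prompts again even when the key is identical; an unknown host prompts, a known host with a different key is rejected. The host names, key blobs and salt are constructed placeholders, and the decision logic is a simplified model of OpenSSH's, not its implementation.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Optional


def host_token(hostname: str, port: int = 22) -> str:
    """Return the name ssh looks up in known_hosts.

    Port 22 is looked up by bare hostname; any other port is looked up as
    [hostname]:port, which is why a second sshd port on the same machine
    appears as a separate, initially unknown entry and triggers a new prompt.
    """
    return hostname if port == 22 else f"[{hostname}]:{port}"


def hash_host(token: str, salt: Optional[bytes] = None) -> str:
    """Build a HashKnownHosts-style name: |1|b64(salt)|b64(HMAC-SHA1(salt, token))."""
    salt = os.urandom(20) if salt is None else salt
    digest = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _glob_match(pattern: str, token: str) -> bool:
    """known_hosts name globbing: only '*' and '?' are special (no [] classes,
    so a literal '[host]:port' pattern matches itself)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, token) is not None


def name_matches(name_field: str, token: str) -> bool:
    """Match one known_hosts name field (plain, comma-separated globs, or hashed)."""
    if name_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = name_field.split("|", 3)
        expected = base64.b64decode(hash_b64)
        actual = hmac.new(base64.b64decode(salt_b64), token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return any(_glob_match(p, token) for p in name_field.split(","))


def host_key_decision(known_hosts: str, hostname: str, port: int,
                      key_type: str, key_blob: str) -> str:
    """Model StrictHostKeyChecking=ask for one presented host key.

    'accept': a known_hosts line for this host carries exactly this key.
    'ask':    no line for this host (and key type) exists, so the user is prompted.
    'reject': the host is known for this key type but the key differs (or is @revoked).
    """
    token = host_token(hostname, port)
    seen_for_type = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):          # @revoked / @cert-authority lines
            marker, fields = fields[0], fields[1:]
        if marker == "@cert-authority" or len(fields) < 3:
            continue                            # CA lines are not plain host keys
        if not name_matches(fields[0], token) or fields[1] != key_type:
            continue
        if fields[2] == key_blob:
            return "reject" if marker == "@revoked" else "accept"
        seen_for_type = True
    return "reject" if seen_for_type else "ask"


# Constructed sample data: host names, key blobs and salt are placeholders.
LOCKBOX_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderLockboxHostKey"
CHANGED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderDifferentKey"

# Only the default-port entry is known, as on a freshly provisioned client.
KNOWN_HOSTS_BASE = (
    "# constructed sample known_hosts\n"
    f"lockbox.example.org,192.0.2.10 ssh-ed25519 {LOCKBOX_KEY}\n"
)

# The same host after accepting the prompt for sshd on port 2222 with
# HashKnownHosts enabled (fixed salt so the example is reproducible).
KNOWN_HOSTS_WITH_ALT_PORT = KNOWN_HOSTS_BASE + (
    hash_host(host_token("lockbox.example.org", 2222), salt=b"\x2a" * 20)
    + f" ssh-ed25519 {LOCKBOX_KEY}\n"
)

if __name__ == "__main__":
    for kh_name, kh in (("base", KNOWN_HOSTS_BASE), ("with alt port", KNOWN_HOSTS_WITH_ALT_PORT)):
        for port, key in ((22, LOCKBOX_KEY), (22, CHANGED_KEY), (2222, LOCKBOX_KEY)):
            print(kh_name, port, host_key_decision(kh, "lockbox.example.org", port, "ssh-ed25519", key))
```

Running the script shows the three outcomes side by side: with only the port-22 line present, port 2222 yields 'ask' even though the server presents the same key, while a changed key on port 22 yields 'reject'; once the [host]:2222 line has been recorded (here in hashed form), port 2222 is accepted.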

_______________________________________________
infrastructure mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/infrastructure