This role helps with managing SSH known hosts files.
If you do not need the functionality to overwrite offending SSH keys (variable `force_overwrite_ssh_known_hosts`),
then you may have a look at OpenSSH's option `StrictHostKeyChecking=accept-new` instead.
Details
- SSH host keys will be added to the user's SSH known hosts file if they are not present in any SSH known hosts file.
- Nothing is done if the SSH host keys are present in any SSH known hosts file.
- The role will fail if an offending SSH key has been found in any SSH known hosts file and variable `force_overwrite_ssh_known_hosts` is `no`.
- If an offending SSH key has been found in any SSH known hosts file, but `force_overwrite_ssh_known_hosts` is `yes`, then the old SSH keys will be removed and the offending ones will be added to the user's SSH known hosts file.
- The SSH host key is matched against all known hosts files (SSH's options `globalknownhostsfile` and `userknownhostsfile`) which are configured for Ansible's SSH connection.
- SSH host keys will be added to the first known hosts file listed for the user (`userknownhostsfile`).
- If multiple known hosts files have been configured in SSH, then SSH keys will be added to the first user known hosts file. This behaviour matches OpenSSH's source file `sshconnect.c`, which says that if host keys get added, then they get added to the first file (a.k.a. `user_hostfiles[0]`) in the list of hosts files.
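The decision table above (present, absent, offending with `force_overwrite_ssh_known_hosts` set to `no` or `yes`, and "add to the first user known hosts file") can be exercised on plain files. The following Python script is an added illustration, not code from the jm1.known_hosts role, and it makes two assumptions that the role text does not spell out: that offending entries are removed from every known hosts file they appear in before the new key is added, and that an "offending" key is one with the same host and key type but a different key blob. All key blobs, host names and the hashed-host salt are constructed placeholders. Hashed entries (OpenSSH's `HashKnownHosts`, `|1|salt|hmac` form) are matched as well, since a global file often contains them.

```python
import base64
import hashlib
import hmac
import os
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int, str, str, str]  # (path, line_no, hosts_field, key_type, key)


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build an OpenSSH HashKnownHosts field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated list, or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hashed_host_field(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def parse_known_hosts(path: str) -> List[Entry]:
    """Parse one known_hosts file; blank lines, comments and @marker lines (CA/revoked) are skipped."""
    entries: List[Entry] = []
    if not os.path.exists(path):
        return entries
    with open(path) as fh:
        for line_no, raw in enumerate(fh, start=1):
            fields = raw.split()
            if len(fields) < 3 or fields[0].startswith("#") or fields[0].startswith("@"):
                continue
            entries.append((path, line_no, fields[0], fields[1], fields[2]))
    return entries


def classify(host: str, key_type: str, key: str, files: List[str]) -> Tuple[str, List[Entry]]:
    """Check host against all files: 'present', 'offending' (same host/type, other key) or 'absent'."""
    same_host = [e for p in files for e in parse_known_hosts(p)
                 if host_field_matches(e[2], host) and e[3] == key_type]
    if any(e[4] == key for e in same_host):
        return "present", same_host
    if same_host:
        return "offending", same_host
    return "absent", []


def manage_known_host(host: str, key_type: str, key: str, user_files: List[str],
                      global_files: List[str], force_overwrite: bool = False) -> str:
    """Apply the role's rules; new keys go to user_files[0], like OpenSSH's user_hostfiles[0]."""
    status, matches = classify(host, key_type, key, user_files + global_files)
    if status == "present":
        return "unchanged"
    if status == "offending":
        if not force_overwrite:
            raise RuntimeError("offending %s key for %s in %s" %
                               (key_type, host, ", ".join(sorted({e[0] for e in matches}))))
        # Assumption: drop the offending lines from every file they appear in, then add the new key.
        for path in sorted({e[0] for e in matches}):
            drop = {e[1] for e in matches if e[0] == path}
            with open(path) as fh:
                kept = [line for n, line in enumerate(fh, start=1) if n not in drop]
            with open(path, "w") as fh:
                fh.writelines(kept)
    with open(user_files[0], "a") as fh:
        fh.write("%s %s %s\n" % (host, key_type, key))
    return "replaced" if status == "offending" else "added"


def demo() -> Dict[str, str]:
    """Run the four cases from the Details list on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        user1 = os.path.join(tmp, "known_hosts")       # first user file: receives additions
        user2 = os.path.join(tmp, "known_hosts2")      # second user file: only searched
        global_file = os.path.join(tmp, "ssh_known_hosts")
        with open(user1, "w") as fh:                   # constructed placeholder key blobs
            fh.write("# comment line\nold.example.com ssh-ed25519 AAAAOLDKEY\n")
        with open(global_file, "w") as fh:             # hashed entry, as HashKnownHosts would write
            fh.write(hashed_host_field("shared.example.com", b"0123456789abcdefghij")
                     + " ssh-ed25519 AAAASHAREDKEY\n")
        open(user2, "w").close()
        files = ([user1, user2], [global_file])
        out: Dict[str, str] = {}
        out["present"] = manage_known_host("shared.example.com", "ssh-ed25519", "AAAASHAREDKEY", *files)
        out["absent"] = manage_known_host("new.example.com", "ssh-ed25519", "AAAANEWKEY", *files)
        try:
            manage_known_host("old.example.com", "ssh-ed25519", "AAAAROTATEDKEY", *files)
            out["offending_no_force"] = "unexpected success"
        except RuntimeError:
            out["offending_no_force"] = "failed"
        out["offending_force"] = manage_known_host("old.example.com", "ssh-ed25519", "AAAAROTATEDKEY",
                                                   *files, force_overwrite=True)
        out["first_user_file_entries"] = str(len(parse_known_hosts(user1)))
        out["second_user_file_entries"] = str(len(parse_known_hosts(user2)))
        out["old_key_gone"] = str(not any(e[4] == "AAAAOLDKEY" for e in parse_known_hosts(user1)))
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-25s %s" % (case, result))
```

Running the script prints one line per case: the hashed global entry counts as present, the unknown host is appended to the first user file only, the rotated key fails without `force_overwrite` and replaces the old entry with it. The comment line in the first user file survives the rewrite because only the offending lines are dropped.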
Tested OS images
- Cloud images of Debian 10 (Buster) [amd64]
- Generic cloud image of CentOS 7 (Core) [amd64]
- Generic cloud image of CentOS 8 (Core) [amd64]
- Ubuntu cloud image of Ubuntu 18.04 LTS (Bionic Beaver) [amd64]
- Ubuntu cloud image of Ubuntu 20.04 LTS (Focal Fossa) [amd64]
Available on Ansible Galaxy: jm1.known_hosts
Requirements
None.
Role Variables
Name | Default value | Required | Description
---|---|---|---
`force_overwrite_ssh_known_hosts` | `no` | no | Overwrite SSH known hosts file if Ansible host has an offending SSH key.
Dependencies
None.
Example Playbook
```yaml
- hosts: all
  connection: local
  serial: 1 # Prevent concurrent writes to known hosts file
  roles:
  - name: Manage SSH known hosts
    role: jm1.known_hosts
    # Optional: Pass variables to role
    vars:
      force_overwrite_ssh_known_hosts: yes
```
For instructions on how to run Ansible playbooks have a look at Ansible's Getting Started Guide.
License
GNU General Public License v3.0 or later
See LICENSE.md to see the full text.