```yaml
- name: ensure github.com is a known host
  lineinfile:
    dest: /root/.ssh/known_hosts
    create: yes
    state: present
    line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
    regexp: "^github\\.com"
```
I'm actually adapting this to puppet; I wasn't aware of this utility ssh-keyscan and that I could use it to look up the key for use in known_hosts. Thank you and thanks google.
Example usage in puppet:

```puppet
# Ensure github.com is in the "known_hosts" file...
# NOTE: This is needed for npm (when deploying code).
exec { "${username}_known_hosts":
  command => "/usr/bin/ssh-keyscan -t rsa github.com >> /home/${username}/.ssh/known_hosts",
  unless  => "/bin/grep github.com /home/${username}/.ssh/known_hosts",
  require => File["/home/${username}/.ssh"],
}
```

Note: This of course also assumes you've got a declaration for setting up the .ssh directory as well (see last require statement).
I used this:

```yaml
- name: tell the host about our servers it might want to ssh to
  known_hosts:
    path: /home/deploy/.ssh/known_hosts
    name: github.com
    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
  sudo_user: deploy   # older Ansible spelling; newer releases use become_user
```
Nice one.
Thanks :)
It is worth noting that this leaves you vulnerable to man-in-the-middle attacks. It might be better to run ssh-keyscan once and store the key, and use that rather than look it up every time. Though then it will not auto-update.
Thank you.
Nice task, but 2 points to be noted:

- this "blindly" accepts the scanned key as the legit one ... nowhere is its fingerprint compared to the expected one
- if using the `/etc/ssh/ssh_config` option `HashKnownHosts yes`, this ansible task leaves the host (github.com) unhashed in `dest: /root/.ssh/known_hosts`
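The two comments above (the man-in-the-middle warning and the "nowhere is its fingerprint compared" point) describe the same gap: whatever `ssh-keyscan` returns over the network is written to known_hosts unverified. The script below is an added example for this thread, not code from the gist or its commenters. It computes the OpenSSH `SHA256:` fingerprint of each scanned key and only writes keys whose fingerprint matches a pin recorded out of band (for example a provider's published fingerprints), refusing a key that differs. The keyscan output, the key blob and the pinned value are all constructed for the demo; the key is not GitHub's real key, and the pin is derived from the sample only so the example runs offline (in real use it is a literal you copy from documentation, never from the scan it checks).

```python
"""Pinned host-key check for ssh-keyscan output (added example, not the gist's code)."""
import base64
import hashlib
import os


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of the SHA-256
    of the raw key blob, the same string `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(output: str):
    """Yield (host, keytype, key_b64) for each key line of ssh-keyscan output.
    Lines starting with '#' (the server banner ssh-keyscan emits) are skipped."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        yield parts[0], parts[1], parts[2]


def select_trusted_keys(keyscan_output: str, pins: dict) -> list:
    """Return known_hosts lines for scanned keys whose fingerprint matches a pin.

    `pins` maps (host, keytype) -> expected 'SHA256:...' string. A key with no
    pin is dropped rather than trusted; a key whose fingerprint differs from
    its pin raises, because that is exactly the man-in-the-middle case."""
    trusted = []
    for host, keytype, key_b64 in parse_keyscan(keyscan_output):
        expected = pins.get((host, keytype))
        if expected is None:
            continue
        actual = fingerprint_sha256(key_b64)
        if actual != expected:
            raise ValueError(
                f"{host} {keytype}: scanned fingerprint {actual} "
                f"does not match pinned {expected}"
            )
        trusted.append(f"{host} {keytype} {key_b64}")
    return trusted


def pin_known_hosts(path: str, keyscan_output: str, pins: dict) -> int:
    """Append verified keys to the known_hosts file at `path`, skipping
    (host, keytype) pairs already present so the step is idempotent.
    Returns the number of lines added."""
    trusted = select_trusted_keys(keyscan_output, pins)
    present = set()
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                parts = line.split()
                if len(parts) >= 2 and not parts[0].startswith("#"):
                    present.add((parts[0], parts[1]))
    added = 0
    with open(path, "a") as fh:
        for line in trusted:
            host, keytype, _ = line.split()
            if (host, keytype) in present:
                continue
            fh.write(line + "\n")
            added += 1
    return added


def _fake_rsa_blob_b64() -> str:
    """Constructed placeholder: a syntactically valid ssh-rsa wire blob
    (string 'ssh-rsa', mpint e, mpint n) with a toy 32-bit modulus."""
    def ssh_string(b: bytes) -> bytes:
        return len(b).to_bytes(4, "big") + b
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc0\xff\xee")
    return base64.b64encode(blob).decode()


SAMPLE_KEY_B64 = _fake_rsa_blob_b64()
# Constructed stand-in for `ssh-keyscan -t rsa github.com` output (not GitHub's key).
SAMPLE_KEYSCAN = f"# github.com:22 SSH-2.0-babeld\ngithub.com ssh-rsa {SAMPLE_KEY_B64}\n"
# In real use this is a literal copied from the provider's documentation, never
# derived from the scan it is meant to check; derived here only to stay offline.
PINS = {("github.com", "ssh-rsa"): fingerprint_sha256(SAMPLE_KEY_B64)}

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        kh = os.path.join(tmp, "known_hosts")
        print("added:", pin_known_hosts(kh, SAMPLE_KEYSCAN, PINS))        # 1
        print("added again:", pin_known_hosts(kh, SAMPLE_KEYSCAN, PINS))  # 0, idempotent
```

Dropped into an Ansible or Puppet run, the scan step stays the same; the only change is that its output goes through `select_trusted_keys` with the pins kept in version control, so a swapped key fails the play instead of silently becoming trusted. A pinned key still has to be rotated by hand when the provider rotates it, which is the "will not auto-update" trade-off mentioned above.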
Nice, I couldn't get the known_hosts module to work, but this did!
If you want hashing you can do: `ssh-keyscan -H -t rsa github.com`.

To check if you have hashing on, you could register `cat /etc/ssh/ssh_config | grep -q 'HashKnownHosts\s\s*yes'`, then do a `when: succeeded` for the hashing.

Checking if the line's been added gets trickier if you hash it though...
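The "trickier" part is that a hashed known_hosts entry replaces the hostname with `|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>`, so neither `grep github.com` nor the gist's `regexp: "^github\\.com"` can find it, and a task that relies on either will append a fresh line on every run. The script below is an added example, not code from the gist or the comments: it produces the hashed field the way OpenSSH does, matches a hostname against plain and hashed entries, and uses that to make adding a key idempotent whether or not `HashKnownHosts` is on. The key blob in `SAMPLE_LINE` is a constructed placeholder, not GitHub's real key.

```python
"""Match and add hostnames in a known_hosts file with HashKnownHosts (added example)."""
import base64
import binascii
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"


def hash_hostname(host: str, salt: bytes = None) -> str:
    """Build the hashed hostname field OpenSSH writes:
    '|1|' + base64(salt) + '|' + base64(HMAC-SHA1(key=salt, msg=host)).
    A fresh 20-byte random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def hostname_field_matches(field: str, host: str) -> bool:
    """True if a known_hosts hostname field names `host`. Handles the hashed
    form and the plain comma-separated form ('github.com,140.82.112.3');
    wildcard patterns are not expanded."""
    if field.startswith(HASH_MAGIC):
        try:
            _, _, salt_b64, mac_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64)
            want = base64.b64decode(mac_b64)
        except (ValueError, binascii.Error):
            return False
        got = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return host in field.split(",")


def has_host_key(known_hosts: str, host: str, keytype: str = None) -> bool:
    """Report whether the known_hosts text already holds a key for `host`
    (optionally of one key type), which `grep github.com` cannot do once
    entries are hashed."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):  # '@cert-authority' / '@revoked' marker
            parts = parts[1:]
        if len(parts) < 3:
            continue
        if keytype is not None and parts[1] != keytype:
            continue
        if hostname_field_matches(parts[0], host):
            return True
    return False


def add_key_line(known_hosts: str, keyscan_line: str, hashed: bool) -> str:
    """Return the known_hosts text with the ssh-keyscan line appended (hashed
    if requested) unless a key of that type is already recorded for the host,
    so repeated runs do not pile up duplicate entries."""
    host, keytype, key = keyscan_line.split()[:3]
    if has_host_key(known_hosts, host, keytype):
        return known_hosts
    field = hash_hostname(host) if hashed else host
    if known_hosts and not known_hosts.endswith("\n"):
        known_hosts += "\n"
    return known_hosts + f"{field} {keytype} {key}\n"


# Constructed sample keyscan line; the key is a truncated placeholder blob.
SAMPLE_LINE = "github.com ssh-rsa AAAAB3NzaC1yc2E="

if __name__ == "__main__":
    text = add_key_line("", SAMPLE_LINE, hashed=True)
    print(text.strip())                                   # |1|...|... ssh-rsa AAAAB3NzaC1yc2E=
    print(has_host_key(text, "github.com"))               # True
    print(add_key_line(text, SAMPLE_LINE, hashed=True) == text)  # True: second run adds nothing
```

The same matching logic is what `ssh-keygen -F github.com -f ~/.ssh/known_hosts` does, so in a playbook the cheapest fix is to use that command (it exits non-zero when no entry matches) as the `unless`/`creates`-style guard instead of a grep on the hostname.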
You're a genius, i couldn't find how this module works at all.. finally!!!