Ansible - known_hosts module

If you are not familiar with modules, check out Ansible - Getting Started with Modules.

The known_hosts module is used to add an SSH server's public host key to a known_hosts file. In this example, the host key of server1.example.com is appended to John Doe's known_hosts file on each managed node the play is run against.

- name: append server1.example.com SSH key to John Doe's known_hosts file
  known_hosts:
    path: /home/john.doe/.ssh/known_hosts
    name: server1.example.com
    key: "server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgRx6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="

Example scenario

Let's say you have a playbook named foo.yml, and the playbook contains the following.

---
- hosts: all
  tasks:
    - name: "store the stats of example.txt in the 'out' variable"
      stat:
        path: "/path/to/example.txt"
      register: "out"

Let's say the foo.yml playbook resides on server1.example.com. Here is one way to run this playbook against server2.example.com. This will make an SSH connection from server1.example.com to server2.example.com.

[john.doe@server1.example.com]# ansible-playbook foo.yml -i server2.example.com,

In this example, if the host key of the managed node (server2.example.com) is not listed in the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the control node (server1.example.com), a prompt stating The authenticity of host 'hostname (ip address)' can't be established will appear, like this.

The authenticity of host 'server2.example.com (10.14.157.95)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?

Typing yes and pressing enter appends the host key of the managed node (server2.example.com) to the known_hosts file on the control node (server1.example.com). However, this is the antithesis of automation.

Gather Facts

In this scenario, gather_facts will need to be disabled, since gathering facts makes an SSH connection to the managed node before the tasks below have had a chance to record its host key.

---
- hosts: all
  gather_facts: false

ssh-keyscan

The command or shell module, combined with the local_action shorthand, the delegate_to keyword or the connection keyword, can be used to run the ssh-keyscan command on the control node to get the SSH host key of a managed node. Because the pipe to grep is a shell feature, the shell module (not the command module) is required for the task below. Note that ssh-keyscan records whatever key the host presents at scan time, so by itself it gives no more assurance than answering yes at the prompt; compare the fingerprint of the scanned key with a value obtained out of band (for example from the host's build record or console) before trusting it.

- name: ssh-keyscan -t ecdsa {{ inventory_hostname }}
  connection: local
  # the pipe needs the shell module; the command module does not process shell operators
  shell: ssh-keyscan -t ecdsa {{ inventory_hostname }} | grep -v ^#
  register: ecdsa_key

The debug module can be used to display the contents of the ecdsa_key variable.

- name: display the contents of the 'ecdsa_key' variable
  debug:
    var: ecdsa_key

Which should return something like this.

TASK [display the contents of the 'ecdsa_key' variable]
ok: [server1.example.com] => {
    "msg": "server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgRx6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="
}

Create the /etc/ssh/ssh_known_hosts file

In this example, if the /etc/ssh/ssh_known_hosts file does not exist, the known_hosts module will not create it. Thus, the file module can be used to ensure /etc/ssh/ssh_known_hosts exists before the key is added.

- name: create the /etc/ssh/ssh_known_hosts file
  file:
    path: /etc/ssh/ssh_known_hosts
    state: touch                  # the default state (file) does not create a missing file
    modification_time: preserve   # keep the task idempotent when the file already exists
    access_time: preserve
    owner: root
    group: root
    mode: "0644"
  delegate_to: localhost

Then, the known_hosts module is used to append the key to the known_hosts file.

- name: append SSH keys to the ssh_known_hosts file
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: "{{ inventory_hostname }}"
    key: "{{ ecdsa_key.stdout }}"
  delegate_to: localhost
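As an added example (not part of the original page or of the Ansible project), here is the check a practitioner would want before handing ssh-keyscan output to the known_hosts module: parse the scanned line, confirm that the base64 blob really encodes the declared key type and curve, and compute the SHA256 fingerprint so it can be compared with one recorded out of band. The sample line is the ssh-keyscan output shown above; the function names and the pinned expected_fingerprint argument are my own assumptions.

```python
import base64
import hashlib
import struct

# Constructed sample: the ssh-keyscan line shown earlier on this page.
KEYSCAN_LINE = (
    "server1.example.com ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgR"
    "x6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="
)

def read_ssh_string(blob, offset):
    """Read one uint32-length-prefixed field of an SSH wire-format key blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_keyscan_line(line):
    """Split 'host type base64' and check that the declared type matches the type
    embedded in the blob; for ECDSA also check the curve name and point encoding."""
    host, key_type, key_b64 = line.split()[:3]
    blob = base64.b64decode(key_b64, validate=True)
    embedded_type, pos = read_ssh_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError("declared type %s but blob encodes %s" % (key_type, embedded_type))
    if key_type.startswith("ecdsa-sha2-"):
        curve, pos = read_ssh_string(blob, pos)
        point, pos = read_ssh_string(blob, pos)
        if (curve.decode() != key_type[len("ecdsa-sha2-"):]
                or point[:1] != b"\x04" or pos != len(blob)):
            raise ValueError("malformed ECDSA host key")
    return host, key_type, key_b64, blob

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def trusted_known_hosts_entry(line, expected_fingerprint):
    """Return the line to hand to the known_hosts module only if the scanned key's
    fingerprint equals the one recorded out of band (hypothetical pinned value)."""
    try:
        host, key_type, key_b64, blob = parse_keyscan_line(line)
    except ValueError:  # also covers binascii.Error and UnicodeDecodeError
        return None
    if fingerprint(blob) != expected_fingerprint:
        return None
    return "%s %s %s" % (host, key_type, key_b64)
```

When trusted_known_hosts_entry returns None, the play should fail rather than write the scanned key to ssh_known_hosts.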

As long as the host key remains in the known hosts file on the control node, the authenticity of host 'hostname (ip address)' can't be established prompt will not be displayed when making an SSH connection to the managed node.

server1.example.org | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

Remove an SSH key (state: absent)

The state: absent parameter can be used to remove an SSH key from a known_hosts file.

- name: remove server1.example.com SSH key from John Doe's known_hosts file
  known_hosts:
    path: /home/john.doe/.ssh/known_hosts
    name: server1.example.com
    key: "server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgRx6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="
    state: absent

Web design by yours truly - me, myself, and I | jeremy.canfield@freekb.net