If you are not familiar with modules, check out Ansible - Getting Started with Modules.
The known_hosts module is used to add an SSH server's public host key to a known_hosts file. In this example, the host key of server1.example.com is appended to John Doe's known_hosts file on each managed node the play is run against.
- name: append server1.example.com SSH key to John Doe's known_hosts file
  known_hosts:
    path: /home/john.doe/.ssh/known_hosts
    name: server1.example.com
    key: "server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgRx6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="
Example scenario
Let's say you have a playbook named foo.yml, and the playbook contains the following.
---
- hosts: all
  tasks:
    - name: "store the stats of example.txt in the 'out' variable"
      stat:
        path: "/path/to/example.txt"
      register: "out"
Let's say the foo.yml playbook resides on server1.example.com. Here is one way to run this playbook against server2.example.com. This will make an SSH connection from server1.example.com to server2.example.com.
[john.doe@server1.example.com]# ansible-playbook foo.yml -i server2.example.com,
In this example, if the public host key of the managed node (server2.example.com) is not listed in the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the control node (server1.example.com), a prompt will appear stating The authenticity of host 'hostname (ip address)' can't be established, like this.
The authenticity of host 'server2.example.com (10.14.157.95)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84 F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?
Typing yes and pressing enter will append the public host key of the managed node (server2.example.com) to the known_hosts file on the control node (server1.example.com). However, this is the antithesis of automation.
Gather Facts
In this scenario, gather_facts will need to be disabled, since the gathering of facts makes an SSH connection to the managed node before any task in the play has had a chance to collect its host key, which would trigger the same prompt.
---
- hosts: all
  gather_facts: false
ssh-keyscan
The command or shell modules with the local_action module, delegate_to parameter or connection parameter can be used to invoke the ssh-keyscan command to get the SSH key of a managed node. Because this command line contains a pipe, the shell module must be used here; the command module does not run through a shell, so it would pass the pipe and grep as literal arguments to ssh-keyscan.
- name: ssh-keyscan -t ecdsa {{ inventory_hostname }}
  connection: local
  shell: ssh-keyscan -t ecdsa {{ inventory_hostname }} | grep -v ^#
  register: ecdsa_key
The debug module can be used to display the contents of the ecdsa_key variable.
- name: display the contents of the 'ecdsa_key' variable
  debug:
    var: ecdsa_key
Which should return something like this.
TASK [display the contents of the 'ecdsa_key' variable]
ok: [server1.example.com] => {
    "msg": "server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgRx6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="
}
Create the /etc/ssh/ssh_known_hosts file
In this example, if the /etc/ssh/ssh_known_hosts file does not exist, the known_hosts module will be unable to create the ssh_known_hosts file. Thus, the file module can be used to ensure /etc/ssh/ssh_known_hosts exists.
- name: create the /etc/ssh/ssh_known_hosts file
  file:
    path: /etc/ssh/ssh_known_hosts
    # state: touch is required: the file module's default state (file) only
    # verifies an existing path and fails if the file does not exist.
    state: touch
    owner: root
    group: root
    mode: "0644"
    # keep the task idempotent (no timestamp update on every run)
    access_time: preserve
    modification_time: preserve
  delegate_to: localhost
Then, the known_hosts module is used to append the key to the known_hosts file.
- name: append SSH keys to the ssh_known_hosts file
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: "{{ inventory_hostname }}"
    key: "{{ ecdsa_key.stdout }}"
  delegate_to: localhost
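The four steps above combined into one play, as an added example that is not part of the original page. It assumes the control node is localhost and that a host may carry an expected_ecdsa_fingerprint inventory variable (an assumed name) obtained out of band; when that variable is set, the scanned key is checked against it before it is trusted, which turns the blind trust-on-first-use of ssh-keyscan into a verified import.

```yaml
---
# Added example: scan, verify (if a reference fingerprint exists), and record
# a managed node's ECDSA host key in /etc/ssh/ssh_known_hosts on the control
# node. Assumed: control node is localhost; expected_ecdsa_fingerprint is an
# optional inventory variable of the form "SHA256:...".
- hosts: all
  gather_facts: false          # fact gathering would open SSH before the key is known
  tasks:
    - name: scan the ECDSA host key of {{ inventory_hostname }}
      # ssh-keyscan writes its "# host:22 ..." comment to stderr, so stdout
      # holds only the key line and no grep (and no shell) is needed.
      command: ssh-keyscan -t ecdsa {{ inventory_hostname }}
      register: ecdsa_key
      changed_when: false
      delegate_to: localhost

    - name: fail if ssh-keyscan returned nothing
      fail:
        msg: "no ECDSA host key received from {{ inventory_hostname }}"
      when: ecdsa_key.stdout | length == 0

    - name: compute the SHA256 fingerprint of the scanned key
      # the key line is fed on stdin rather than interpolated into a shell
      command: ssh-keygen -lf -
      args:
        stdin: "{{ ecdsa_key.stdout }}"
      register: scanned_fp
      changed_when: false
      delegate_to: localhost

    - name: refuse a key that does not match the expected fingerprint
      assert:
        that: expected_ecdsa_fingerprint in scanned_fp.stdout
        fail_msg: "host key mismatch for {{ inventory_hostname }}: {{ scanned_fp.stdout }}"
      when: expected_ecdsa_fingerprint is defined

    - name: ensure /etc/ssh/ssh_known_hosts exists
      file:
        path: /etc/ssh/ssh_known_hosts
        state: touch
        owner: root
        group: root
        mode: "0644"
        access_time: preserve
        modification_time: preserve
      delegate_to: localhost

    - name: record the host key in /etc/ssh/ssh_known_hosts
      known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: "{{ inventory_hostname }}"
        key: "{{ ecdsa_key.stdout }}"
        state: present
      delegate_to: localhost
```

Writing to /etc/ssh on the control node requires the play to run with sufficient privileges there; a mismatched fingerprint stops the host before anything is written.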
As long as the public host key remains in the known_hosts file on the control node, the authenticity of host 'hostname (ip address)' can't be established prompt will not be displayed when making an SSH connection to the managed node. For example, the ping module now completes without prompting.
server1.example.org | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
Remove an SSH key (state: absent)
The state: absent parameter can be used to remove an SSH key from a known_hosts file.
- name: remove server1.example.com SSH key from John Doe's known_hosts file
  known_hosts:
    path: /home/john.doe/.ssh/known_hosts
    name: server1.example.com
    key: "server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNpFc+HimGAZWJcAgRx6P8ycxh2JRHBeaTfVzu/HncxP0nRt2jLxQIr9vaOi13IqwTnaJe4XYo5Fgl6J3MmrJcs="
    state: absent