Created June 12, 2014 11:09
Adding github to known_hosts with ansible
  # Module is lineinfile (its name was dropped in extraction; inferred from the parameters).
  - name: ensure github.com is a known host
    lineinfile:
      dest: /root/.ssh/known_hosts
      create: yes
      state: present
      line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
      regexp: "^github\\.com"
holms commented Sep 7, 2015

You're a genius, I couldn't find how this module works at all... finally!!!

patricknelson commented Sep 18, 2015

I'm actually adapting this to puppet; I wasn't aware of this utility ssh-keyscan and that I could use it to look up the key for use in known_hosts. Thank you and thanks google 👍

Example usage in puppet:

  # Ensure github.com is in the "known_hosts" file...
  # NOTE: This is needed for npm (when deploying code).
  exec { "${username}_known_hosts":
    command => "/usr/bin/ssh-keyscan -t rsa github.com >> /home/${username}/.ssh/known_hosts",
    unless  => "/bin/grep github.com /home/${username}/.ssh/known_hosts",
    require => File["/home/${username}/.ssh"],
  }

Note: This of course also assumes you've got a declaration for setting up the .ssh directory as well (see last require statement).

I used this:

  - name: tell the host about our servers it might want to ssh to
    known_hosts: path='/home/deploy/.ssh/known_hosts' name='github.com' key="{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
    sudo_user: deploy

Nice one.
Thanks :)

It is worth noting that this leaves you vulnerable to Man In The Middle attacks. It might be better to run ssh-keyscan once and store the key and use that rather than look it up every time. Though then it will not auto-update.

mmulich commented Mar 21, 2016

Thank you. 😄

whatthefrog commented Jun 16, 2016

Nice task, but 2 points to be noted

  • this "blindly" accepts the scanned key as the legit one ... nowhere is its fingerprint compared to the expected one
  • if using the /etc/ssh/ssh_config option HashKnownHosts yes, this ansible task leaves the host (github.com) unhashed in dest: /root/.ssh/known_hosts

pajtai commented Sep 8, 2017

Nice, I couldn't get the known_hosts module to work, but this did!

If you want hashing you can do: ssh-keyscan -H -t rsa

To check if you have hashing on, you could register: cat /etc/ssh/ssh_config | grep -q 'HashKnownHosts\s\s*yes', then do a when succeeded for the hashing.

Checking if the line's been added gets trickier if you hash it though...
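Two of the points raised above (a scanned key is accepted without comparing its fingerprint to the one you expect, and finding the entry again is harder once HashKnownHosts is on) can be handled with a few lines outside the task. The Python below is an added example, not code from the gist or its commenters: it computes the SHA256 fingerprint of a scanned known_hosts line the way `ssh-keygen -lf` does, gates the line on a pinned fingerprint, and finds a host in known_hosts whether its host field is plain or `|1|salt|hash` hashed (the format `ssh-keyscan -H` writes). The sample key blob is constructed for the demo and is not GitHub's real key.

```python
import base64, hashlib, hmac

def parse_known_hosts_line(line):
    """Return (hostfield, keytype, base64 blob) of one known_hosts entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry: %r" % line)
    return fields[0], fields[1], fields[2]

def fingerprint(line):
    """SHA256 fingerprint of the entry's key, as `ssh-keygen -lf` prints it."""
    _, _, blob = parse_known_hosts_line(line)
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def matches_expected(line, expected_fp):
    """Gate for a scanned line: accept it only if it carries the pinned key."""
    return hmac.compare_digest(fingerprint(line), expected_fp)

def hash_host(hostname, salt):
    """Build the '|1|salt|hash' host field that ssh-keyscan -H emits (HMAC-SHA1 keyed by the salt)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(hostfield, hostname):
    """True if a plain or hashed host field names hostname."""
    for h in hostfield.split(","):
        if h == hostname:
            return True
        if h.startswith("|1|"):
            salt = base64.b64decode(h.split("|")[2])
            if hmac.compare_digest(hash_host(hostname, salt), h):
                return True
    return False

def find_host(known_hosts_text, hostname):
    """Entries for hostname, whether or not HashKnownHosts was in effect when they were written."""
    return [l for l in known_hosts_text.splitlines()
            if l.strip() and not l.startswith("#")
            and host_matches(l.split()[0], hostname)]

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

# Constructed sample (NOT GitHub's real key): an ssh-ed25519 blob wrapping a dummy 32-byte point.
SAMPLE_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()
SAMPLE_LINE = "github.com ssh-ed25519 " + SAMPLE_BLOB
```

Record `fingerprint(...)` of a line obtained once over a trusted path, and let the task add a freshly scanned line only when `matches_expected` is true.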
