@maxim
Created June 12, 2014 11:09
Adding github to known_hosts with ansible
- name: ensure github.com is a known host
  lineinfile:
    dest: /root/.ssh/known_hosts
    create: yes
    state: present
    # the scanned key is written as-is (trust on first use); nothing compares it to a pinned fingerprint
    line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
    regexp: "^github\\.com"
@klemenkobetic

I used this:

- name: tell the host about our servers it might want to ssh to
  known_hosts: path='/home/deploy/.ssh/known_hosts' name='github.com' key="{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
  # sudo_user is the Ansible 1.x spelling; Ansible 2.x uses become: yes / become_user: deploy
  sudo_user: deploy

@chrisbeyer

Nice one.
Thanks :)

@IkeLutra

It is worth noting that this leaves you vulnerable to Man In The Middle attacks. It might be better to run ssh-keyscan once and store the key and use that rather than look it up every time. Though then it will not auto-update.

@mmulich

mmulich commented Mar 21, 2016

Thank you. 😄

@whatthefrog

whatthefrog commented Jun 16, 2016

Nice task, but 2 points to be noted

  • this "blindly" accepts the scanned key as the legit one ... nowhere is its fingerprint compared to the expected one
  • if using the /etc/ssh/ssh_config option HashKnownHosts yes, this ansible task leaves the host (github.com) unhashed in dest: /root/.ssh/known_hosts

@pajtai

pajtai commented Sep 8, 2017

Nice, I couldn't get the known_hosts module to work, but this did!

If you want hashing you can do: ssh-keyscan -H -t rsa github.com.

To check if you have hashing on you could register: cat /etc/ssh/ssh_config | grep -q 'HashKnownHosts\s\s*yes', then do a when succeeded for the hashing.

Checking if the line's been added gets trickier if you hash it though...
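The three comments above raise one thread: the scanned key is trusted blindly (IkeLutra, whatthefrog), and once entries are hashed with -H / HashKnownHosts a plain `^github\.com` regexp can no longer tell whether the host is already present (whatthefrog, pajtai). The following is an added example, not code from the gist or from any of its commenters, showing both halves in Python: the scanned key is accepted only when its SHA256 fingerprint matches a value pinned out of band, and hashed known_hosts entries are produced and matched using OpenSSH's `|1|salt|HMAC-SHA1(salt, hostname)` form. The key blob, the scan line and the pinned fingerprint are all constructed for the demo; the real GitHub fingerprint must be taken from GitHub's documentation, and the function names are this example's own.

```python
"""Pin-and-verify an ssh-keyscan result before writing it to known_hosts, and handle
the hashed hostname format. Added example; not part of the gist above."""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': big-endian uint32 length, then payload."""
    return struct.pack(">I", len(data)) + data


def sample_key_b64(pub_bytes: bytes) -> str:
    """Build a base64 ssh-ed25519 key blob around a 32-byte value. Constructed test data
    only; the bytes are not a real key and not GitHub's."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(pub_bytes)).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH-style fingerprint as printed by `ssh-keygen -lf`: 'SHA256:' followed by the
    unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str):
    """Split one ssh-keyscan output line ('host keytype base64key') into its fields."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not a known_hosts line: %r" % line)
    return parts[0], parts[1], parts[2]


def verify_pinned(line: str, host: str, ktype: str, pinned_fp: str) -> bool:
    """Accept the scanned key only if host, key type and fingerprint all match the pinned values."""
    got_host, got_type, key_b64 = parse_keyscan_line(line)
    return (got_host == host and got_type == ktype
            and hmac.compare_digest(fingerprint_sha256(key_b64), pinned_fp))


def hash_hostname(hostname: str, salt=None) -> str:
    """Produce the '|1|salt|hash' host field used by `ssh-keyscan -H` and HashKnownHosts:
    salt is 20 random bytes, hash is HMAC-SHA1(key=salt, msg=hostname), both base64."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_entry_matches(entry_host: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain 'a,b' list or hashed '|1|...') refers to hostname."""
    if not entry_host.startswith("|1|"):
        return hostname in entry_host.split(",")
    _, _, salt_b64, mac_b64 = entry_host.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def known_hosts_has(known_hosts_text: str, hostname: str) -> bool:
    """Idempotency check that works on hashed files, which a '^github\\.com' regexp cannot do."""
    for raw in known_hosts_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        if hashed_entry_matches(raw.split()[0], hostname):
            return True
    return False


def pinned_known_hosts_line(scan_line: str, host: str, ktype: str, pinned_fp: str,
                            hashed: bool = False) -> str:
    """Return the known_hosts line to append, or raise (fail closed) if the key is not the pinned one."""
    if not verify_pinned(scan_line, host, ktype, pinned_fp):
        raise ValueError("host key for %s does not match the pinned fingerprint" % host)
    _, _, key_b64 = parse_keyscan_line(scan_line)
    return "%s %s %s" % (hash_hostname(host) if hashed else host, ktype, key_b64)


# Constructed sample input: a dummy key and the scan line ssh-keyscan would print for it.
SAMPLE_KEY_B64 = sample_key_b64(bytes(range(32)))
SAMPLE_SCAN_LINE = "github.com ssh-ed25519 " + SAMPLE_KEY_B64
# In real use PINNED_FP is a literal copied from the provider's published fingerprints,
# not computed from the scan you are trying to verify.
PINNED_FP = fingerprint_sha256(SAMPLE_KEY_B64)

if __name__ == "__main__":
    print(pinned_known_hosts_line(SAMPLE_SCAN_LINE, "github.com", "ssh-ed25519", PINNED_FP, hashed=True))
```

In an Ansible task this sits between the scan and `lineinfile`: feed the `ssh-keyscan` output and the pinned fingerprint to the script and write only what it returns, so a MITM during provisioning produces a failed task instead of a poisoned known_hosts. Pinning the whole key line (IkeLutra's suggestion) avoids the scan entirely and is simpler when key rotation is rare.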
