Skip to content

bfmartin/ansible-role-sshknownhosts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
defaults
defaults
 
 
library
library
 
 
meta
meta
 
 
tasks
tasks
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

sshknownhostsrole

This is an ansible role that manages the SSH known hosts file usually located at /etc/ssh/ssh_known_hosts or ~user/.ssh/known_hosts.

The main purpose of this role is to wrap the sshknownhosts module located at https://github.com/bfmartin/ansible-sshknownhosts and make it suitable for Ansible Galaxy.

Requirements

Any Unix-like system with an openssh server should work.

As of 2020-06-18, this module requires Python version 3. Python version 3.6.9 was used to develop the upgrade. This likely means the role is no longer compatible with Python version 2, though that is untested.

Security

If an ssh_known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerable to man in the middle attacks. On the other hand, if the security model allows such a risk, ssh-keyscan can help in the detection of tampered keyfiles or man in the middle attacks which have begun after the ssh_known_hosts file was created.

(taken from the ssh-keyscan man page)

Therefore, you can specify a fingerprint manually by providing the fingerprint attribute.

Role Variables

This role uses the following variables. and their default values:

ssh_known_hosts_path: The destination file to write to. The default is /etc/ssh/ssh_known_hosts and ~user/.ssh/known_hosts is a good alternative.

ssh_known_hosts_state: present or absent. the default is present

ssh_known_hosts_enctype: The public key encoding type to scan for. Choices are rsa, dsa, ecdsa or ed25519. Default is rsa.

ssh_known_hosts_port: The port to connect to when scanning the remote host. Default is 22.

ssh_known_hosts_keyscan: The program to use to scan with. The default is ssh-keyscan in the current path.

ssh_known_hosts: List of dictionaries the host and its attributes to scan:

ssh_known_hosts:
  - name: example.com
    state: present
    dest: /etc/ssh/ssh_known_hosts
    enctype: rsa
    port: 22
    keyscan: ssh-keyscan
    aliases:
      - www.example.com
      - www2.example.com

Dependencies

None.

Example Playbook

- hosts: all
  vars:
    ssh_known_hosts:
      - name: example.com
        state: present
        dest: /etc/ssh/ssh_known_hosts
        enctype: rsa
        port: 22
        keyscan: ssh-keyscan
        aliases:
          - www.example.com
          - www2.example.com
      - name: srv.example.com
        fingerprint: AAAAE2VjZHNhLXNoYTItbmlzdHAyN...
  roles:
    - role: sshknownhosts

License

BSD

Author Information

Byron F. Martin
Email: http://www.bfmartin.ca/contact
Github: bfmartin

About

An Ansible Galaxy role to wrap the ansible-sshknownhosts module

Resources

Readme

License

BSD-2-Clause license
Activity

Stars

7 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages