@maxim
Created June 12, 2014 11:09
Adding github to known_hosts with ansible
  - name: ensure github.com is a known host
    lineinfile:
      dest: /root/.ssh/known_hosts
      create: yes
      state: present
      line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
      regexp: "^github\\.com"
@holms

holms commented Sep 7, 2015

You're a genius, I couldn't find how this module works at all... finally!!!

@patricknelson

patricknelson commented Sep 18, 2015

I'm actually adapting this to puppet; I wasn't aware of this utility ssh-keyscan and that I could use it to look up the key for use in known_hosts. Thank you and thanks google 👍

Example usage in puppet:

  # Ensure github.com is in the "known_hosts" file...
  # NOTE: This is needed for npm (when deploying code).
  exec { "${username}_known_hosts":
    command => "/usr/bin/ssh-keyscan -t rsa github.com >> /home/${username}/.ssh/known_hosts",
    unless  => "/bin/grep github.com /home/${username}/.ssh/known_hosts",
    require => File["/home/${username}/.ssh"]
  }

Note: This of course also assumes you've got a declaration for setting up the .ssh directory as well (see last require statement).

@klemenkobetic

I used this:

  - name: tell the host about our servers it might want to ssh to
    known_hosts: path='/home/deploy/.ssh/known_hosts' name='github.com' key="{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
    sudo_user: deploy

@chrisbeyer

Nice one.
Thanks :)

@IkeLutra

It is worth noting that this leaves you vulnerable to Man In The Middle attacks. It might be better to run ssh-keyscan once and store the key and use that rather than look it up every time. Though then it will not auto-update.

@mmulich

mmulich commented Mar 21, 2016

Thank you. 😄

@whatthefrog

whatthefrog commented Jun 16, 2016

Nice task, but 2 points to be noted:

  • this "blindly" accepts the scanned key as the legit one ... nowhere is its fingerprint compared to the expected one
  • if using the /etc/ssh/ssh_config option HashKnownHosts yes, this ansible task leaves the host (github.com) unhashed in dest: /root/.ssh/known_hosts

@pajtai

pajtai commented Sep 8, 2017

Nice, I couldn't get the known_hosts module to work, but this did!

If you want hashing you can do: ssh-keyscan -H -t rsa github.com.

To check if you have hashing on, you could register: cat /etc/ssh/ssh_config | grep -q 'HashKnownHosts\s\s*yes', then do a when succeeded for the hashing.

Checking if the line's been added gets trickier if you hash it though...
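Three of the comments above point at the same gap in the original task: IkeLutra's note that piping `ssh-keyscan` straight into known_hosts trusts whoever answers the scan, whatthefrog's note that the fingerprint is never compared to an expected one and that the host is left unhashed when HashKnownHosts is on, and pajtai's remark that checking for the line gets trickier once it is hashed. The following is an added example, not code from the gist or from any commenter. It takes a scan line in the format `ssh-keyscan -t rsa host` prints, computes the same `SHA256:...` fingerprint `ssh-keygen -lf` shows, refuses to emit a known_hosts line unless that fingerprint matches a pin recorded out of band (for example, from the provider's published fingerprints), optionally writes the host in the `|1|salt|hmac` form OpenSSH uses for HashKnownHosts, and shows how to test whether a hashed file already contains a host. The key in `SAMPLE_SCAN_LINE` is a constructed, throwaway toy RSA blob so the example runs offline; it is not GitHub's key, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for a non-negative integer (a leading 0x00 keeps the sign bit clear)."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_toy_scan_line(hostname: str, modulus: int) -> str:
    """Build a line shaped like `ssh-keyscan -t rsa` output. CONSTRUCTED for this example:
    the key is a throwaway, far-too-small RSA public key, not any real host's key."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(modulus)
    return "%s ssh-rsa %s" % (hostname, base64.b64encode(blob).decode())


TOY_MODULUS = 0xC0FFEE1234567890ABCDEF  # constructed toy value, not a real modulus
SAMPLE_SCAN_LINE = make_toy_scan_line("github.com", TOY_MODULUS)


def _host_key_fields(line: str) -> List[str]:
    """Split a known_hosts/ssh-keyscan line into [host, keytype, base64-blob, ...], dropping markers."""
    fields = line.split()
    if fields and fields[0].startswith("@"):  # '@cert-authority' / '@revoked' markers
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("not a known_hosts/ssh-keyscan line: %r" % line)
    return fields


def fingerprint(line: str) -> str:
    """OpenSSH-style 'SHA256:...' fingerprint: SHA-256 over the decoded key blob,
    base64 without padding (the value `ssh-keygen -lf` prints for that key)."""
    blob = base64.b64decode(_host_key_fields(line)[2])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def verify_scanned_key(scan_line: str, pinned_fingerprint: str) -> bool:
    """True only if the scanned key's fingerprint equals the one recorded out of band."""
    return hmac.compare_digest(fingerprint(scan_line), pinned_fingerprint)


def hash_hostname(hostname: str, salt: Optional[bytes] = None) -> str:
    """The '|1|<salt>|<hmac>' host field OpenSSH writes when HashKnownHosts is yes:
    HMAC-SHA1 keyed with a random 20-byte salt over the hostname, both base64-encoded."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def known_hosts_line_for(scan_line: str, pinned_fingerprint: str,
                         hash_host: bool = False, salt: Optional[bytes] = None) -> str:
    """The line to append to known_hosts, produced only when the scan matches the pin.
    A mismatch raises, so a provisioning run fails closed instead of trusting whoever answered."""
    if not verify_scanned_key(scan_line, pinned_fingerprint):
        raise ValueError("host key fingerprint mismatch for %s; refusing to add" % scan_line.split()[0])
    fields = _host_key_fields(scan_line)
    if hash_host:
        fields[0] = hash_hostname(fields[0], salt)
    return " ".join(fields)


def host_entry_present(known_hosts_text: str, hostname: str) -> bool:
    """True if some line names `hostname`, whether plain (possibly a 'host,ip' list) or hashed.
    A hashed entry is matched by recomputing the HMAC with that entry's own salt."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):
            fields = fields[1:]
        if not fields:
            continue
        host_field = fields[0]
        if host_field.startswith("|1|"):
            _, _, salt_b64, mac_b64 = host_field.split("|", 3)
            expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(expected, base64.b64decode(mac_b64)):
                return True
        elif hostname in host_field.split(","):  # exact names only; wildcards not handled here
            return True
    return False


if __name__ == "__main__":
    # In real use the pin is a fingerprint you recorded out of band, never one computed from the scan.
    pin = fingerprint(SAMPLE_SCAN_LINE)
    print(known_hosts_line_for(SAMPLE_SCAN_LINE, pin, hash_host=True))
```

In the Ansible task this replaces the raw `lookup('pipe', 'ssh-keyscan ...')` value with one that has passed `verify_scanned_key` against a pinned fingerprint, so a spoofed answer to the scan makes the run fail rather than silently land in known_hosts. `hash_hostname` reproduces what `ssh-keyscan -H` does to the host field, and `host_entry_present` is the check that a hashed file needs in place of a plain `grep github.com`, since the hostname no longer appears in clear text.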
