@shirou
Last active March 14, 2024 12:16
Run ssh-keyscan to add keys to known_hosts. This is a playbook for Ansible.
---
- hosts: all
  gather_facts: no
  become: no    # the original used `sudo: no`; that keyword was deprecated and later removed
  tasks:
    - name: run ssh-keyscan to add keys to known_hosts
      # Runs on the controller, not on the target. ansible_host supersedes the
      # original's deprecated ansible_ssh_host; fall back to the inventory name.
      # Caveat: ssh-keyscan trusts whatever key answers (trust on first use), and
      # `>>` appends a duplicate line on every run.
      local_action: shell ssh-keyscan {{ ansible_host | default(inventory_hostname) }} >> ~/.ssh/known_hosts
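The playbook above, and every variant in the comments below, has one property worth being explicit about: ssh-keyscan records whatever key the network hands back, so an attacker in the path between the controller and the host at scan time gets a permanently trusted entry. The known_hosts module fixes the duplicate-append problem but not that one. The following is an added example, not code from the gist or its comments, of the check a practitioner would put in front of the append: parse ssh-keyscan output (including the `[host]:port` form from `-p`), compute the SHA256 fingerprint the way `ssh-keygen -lf` prints it, accept only keys whose fingerprint matches a pin recorded out of band, and write entries idempotently. The hostnames, key bytes and pinned fingerprints are constructed for the example; the `ed25519_blob` helper exists only to build that sample data.

```python
import base64
import hashlib
import re
from pathlib import Path

# Added example (not the gist's playbook): treat ssh-keyscan output as untrusted,
# pin each host's fingerprint (checked out of band) before it lands in
# known_hosts, and append idempotently instead of `>> ~/.ssh/known_hosts`.

# ssh-keyscan prints "host keytype base64blob"; with -p it prints "[host]:port keytype blob".
KEYSCAN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z0-9+/=]+)$")


def parse_keyscan_output(text):
    """Return (hostpattern, keytype, blob_b64) tuples, skipping the
    '# host:port SSH-2.0-...' banner comments ssh-keyscan emits."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYSCAN_LINE.match(line)
        if not m:
            raise ValueError("unexpected ssh-keyscan line: %r" % line)
        entries.append(m.groups())
    return entries


def fingerprint(blob_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints: base64 of the
    SHA-256 of the raw key blob, with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def add_pinned_keys(keyscan_text, expected, known_hosts_path):
    """Append only keys whose fingerprint equals expected[hostpattern].
    Returns (added_hosts, rejected), where rejected holds (host, keytype, fp).
    An entry already present in the file is not appended again."""
    path = Path(known_hosts_path)
    existing = set(path.read_text().splitlines()) if path.exists() else set()
    added, rejected = [], []
    for host, keytype, blob in parse_keyscan_output(keyscan_text):
        fp = fingerprint(blob)
        if expected.get(host) != fp:
            # Unknown or mismatching key: could be a MITM at scan time, could be
            # a rebuilt host. Either way it needs a human, not a blind append.
            rejected.append((host, keytype, fp))
            continue
        entry = "%s %s %s" % (host, keytype, blob)
        if entry not in existing:
            with path.open("a") as fh:
                fh.write(entry + "\n")
            existing.add(entry)
            added.append(host)
    return added, rejected


def ed25519_blob(raw32):
    """OpenSSH wire format of an ed25519 public key: string 'ssh-ed25519', string key.
    Used here only to build constructed sample data."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(s(b"ssh-ed25519") + s(raw32)).decode()


# Constructed sample data: throwaway key bytes, not real host keys, and the
# ssh-keyscan output such hosts would produce (hostnames are made up).
SAMPLE_KEY_A = ed25519_blob(bytes(range(32)))
SAMPLE_KEY_B = ed25519_blob(bytes(range(32, 64)))
SAMPLE_SCAN = "\n".join([
    "# bastion.example:22 SSH-2.0-OpenSSH_9.6",
    "bastion.example ssh-ed25519 " + SAMPLE_KEY_A,
    "# db.example:2222 SSH-2.0-OpenSSH_9.6",
    "[db.example]:2222 ssh-ed25519 " + SAMPLE_KEY_B,
]) + "\n"

# Fingerprints as recorded out of band (cloud console, serial log, build output).
# The pin for db.example deliberately does not match the scanned key.
EXPECTED = {
    "bastion.example": fingerprint(SAMPLE_KEY_A),
    "[db.example]:2222": "SHA256:" + "A" * 43,
}

if __name__ == "__main__":
    import tempfile
    kh = Path(tempfile.mkdtemp()) / "known_hosts"
    for _ in range(2):  # the second run adds nothing: the append is idempotent
        print(add_pinned_keys(SAMPLE_SCAN, EXPECTED, kh))
    print(kh.read_text(), end="")
```

Run it and bastion.example is written once; db.example is reported as rejected on both runs because its scanned key does not match the pin. In an Ansible setting the same check can sit in a small script invoked with local_action before the known_hosts task, with the pins kept in inventory vars next to the hosts they belong to.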
sicet7 commented Oct 17, 2021

I am running Ansible 2.11, and I have these two working for anyone interested :-)
They are based on the same pipe solution @rdkls made :-)

-   hosts: all
    gather_facts: no
    become: no

    tasks:
        -   name: Setup Known Hosts With Port
            delegate_to: localhost
            known_hosts:
                key: "{{ lookup('pipe', 'ssh-keyscan -trsa -p ' + lookup('config', 'DEFAULT_REMOTE_PORT') | string + ' ' + inventory_hostname) }}"
                name: "{{ inventory_hostname }}"
                state: present
            when: lookup('config', 'DEFAULT_REMOTE_PORT') | string != "None"

        -   name: Setup Known Hosts Without Port
            delegate_to: localhost
            known_hosts:
                key: "{{ lookup('pipe', 'ssh-keyscan -trsa ' + inventory_hostname) }}"
                name: "{{ inventory_hostname }}"
                state: present
            when: lookup('config', 'DEFAULT_REMOTE_PORT') | string == "None"

-   hosts: 127.0.0.1
    connection: local
    gather_facts: no
    become: no

    tasks:
        -   name: Setup Known Hosts With Port
            known_hosts:
                key: "{{ lookup('pipe', 'ssh-keyscan -trsa -p' + lookup('config', 'DEFAULT_REMOTE_PORT') | string + ' ' + item.value.inventory_hostname) }}"
                name: "{{ item.value.inventory_hostname }}"
                state: present
            when: lookup('config', 'DEFAULT_REMOTE_PORT') | string != "None"
            with_items: "{{ hostvars | dict2items }}"

        -   name: Setup Known Hosts Without Port
            known_hosts:
                key: "{{ lookup('pipe', 'ssh-keyscan -trsa ' + item.value.inventory_hostname) }}"
                name: "{{ item.value.inventory_hostname }}"
                state: present
            when: lookup('config', 'DEFAULT_REMOTE_PORT') | string == "None"
            with_items: "{{ hostvars | dict2items }}"

@DanielDavis5

Ditch the pipes.

- name: Scan for SSH host keys.
  # Run ssh-keyscan on the controller against the target's address; stderr is
  # dropped so only "host keytype key" lines end up in stdout_lines.
  # (The original scanned a hard-coded 192.168.1.1, which the known_hosts
  # module rejects whenever it differs from the `name` given below.)
  local_action:
    module: shell
    cmd: ssh-keyscan {{ ansible_host }} 2>/dev/null
  changed_when: False
  register: ssh_scan

- name: Update known_hosts.
  # One known_hosts entry per key type returned; the module is idempotent,
  # so re-runs do not append duplicates.
  local_action:
    module: known_hosts
    key: "{{ item }}"
    name: "{{ ansible_host }}"
  with_items: "{{ ssh_scan.stdout_lines }}"

@oerp-odoo

@DanielDavis5 this is a good solution, as you don't need to use extra hacks. Though for me it was not working if I redirected to /dev/null; all the output would be registered to stderr. If I keep ssh-keyscan some-host only, then it works fine.
