Use dynamic HostKeyAlgorithms SSH option for unknown hosts

Resulting HostKeyAlgorithms option... - is omitted if host already in known_hosts - is omitted if `dynamic_host_key_algorithms: false` (default: true) - includes ed25519 types only if local machine has OpenSSH 6.5+
roots · Mar 24, 2017 · 2ab35ce · 2ab35ce
1 parent a7506ed
commit 2ab35ce
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/ansible.cfg b/ansible.cfg
@@ -10,5 +10,5 @@ roles_path = vendor/roles
 vars_plugins = ~/.ansible/plugins/vars_plugins/:/usr/share/ansible_plugins/vars_plugins:lib/trellis/plugins/vars
 
 [ssh_connection]
-ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
+ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s
 pipelining = True
diff --git a/roles/connection/defaults/main.yml b/roles/connection/defaults/main.yml
@@ -0,0 +1,5 @@
+ansible_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ansible_host + ' > /dev/null 2>&1 && echo True || echo False') }}"
+ssh_config_host: "{{ lookup('pipe', 'ssh -G ' + ansible_host + ' 2>/dev/null | grep \"^hostname\" ||:') | regex_replace('^hostname ([^\\s]+)', '\\1') }}"
+ssh_config_host_known: "{{ lookup('pipe', 'ssh-keygen -F ' + ssh_config_host + ' > /dev/null 2>&1 && echo True || echo False') }}"
+openssh_6_5_plus: "{{ (lookup('pipe', 'ssh -V 2>&1')) | regex_replace('(.*OpenSSH_([\\d\\.]*).*)', '\\2') | version_compare('6.5', '>=') }}"
+host_key_algorithms: "{{ openssh_6_5_plus | ternary('ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa', 'ssh-rsa-cert-v01@openssh.com,ssh-rsa') }}"
diff --git a/roles/connection/tasks/main.yml b/roles/connection/tasks/main.yml
@@ -6,8 +6,20 @@
       ansible-playbook server.yml -e env={{ env | default('production') }} -u root --ask-pass
   when: dynamic_user | default(true) and ansible_user is not defined and cli_ask_pass | default(false)
 
+- name: Specify preferred HostKeyAlgorithms for unknown hosts
+  set_fact:
+    ansible_ssh_extra_args: -o HostKeyAlgorithms={{ host_key_algorithms }}
+  register: preferred_host_key_algorithms
+  when:
+    - dynamic_host_key_algorithms | default(true)
+    - ansible_ssh_extra_args == ''
+    - not (ansible_host_known or ssh_config_host_known)
+
 - name: Check whether Ansible can connect as {{ dynamic_user | default(true) | ternary('root', web_user) }}
-  local_action: command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }} {{ cli_options | default('') }} -vvvv
+  local_action: |
+    command ansible {{ inventory_hostname }} -m raw -a whoami -u {{ dynamic_user | default(true) | ternary('root', web_user) }}
+    {{ ('--ssh-extra-args' not in cli_options) | ternary('--ssh-extra-args="' + ansible_ssh_extra_args + '"', '') }}
+    {{ cli_options | default('') }} -vvvv
   failed_when: false
   changed_when: false
   check_mode: no
@@ -45,7 +57,21 @@
 
   - name: Announce which user was selected
     debug:
-      msg: "Note: Ansible will attempt connections as user = {{ ansible_user }}"
+      msg: |
+        Note: Ansible will attempt connections as user = {{ ansible_user }}
+        {% if preferred_host_key_algorithms | changed %}
+
+        Note: The host `{{ ansible_host }}` was not detected in known_hosts
+        so Trellis prompted the host to offer a key type that will work with
+        the stronger key types Trellis configures on the server. This avoids future
+        connection failures due to changed host keys. Trellis used this SSH option:
+
+          {{ ansible_ssh_extra_args }}
+
+        To prevent Trellis from ever using this SSH option, add this to group_vars:
+
+          dynamic_host_key_algorithms: false
+        {% endif %}
 
   - name: Load become password
     set_fact: