Request for ec2 module to retrieve and store ssh host fingerprint in known_hosts

[junglhilt]

Issue Type:

Feature Idea

Ansible Version:

ansible 1.8.2
configured module search path = None

Environment:

managing : ubuntu 12.04
management machine : OSX but it is not really applicable

Summary:

Add ssh host key fingerprint to known_hosts when using the ec2 module to initialise instances.

Steps To Reproduce:

When creating an instance in ec2 it would save a lot of time if the Ansible ec2 module could retrieve the ssh host key fingerprint from the console output using the ec2 api (ec2-get-console-output or boto) and then place it in my known_hosts.

I am using ami-f41a49a6 which is an ubuntu image. I am guessing this depends on cloud-init to provide the ssh host key fingerprint to the ec2 metadata service?

Expected Results:

The result would be being able to immediately use Ansible to provision a host without prompting to verify the ssh host key fingerprint (I know this can be disabled by I am concerned with the risk of man in the middle attacks) and then like.

Actual Results:

The ec2 module doesn't even seem to be aware of the ssh host key fingerprint.

[daniilyar]

+1, disabling SSH key checking is completely not an option for this case.

[danwashusen]

+1, having to manually type 'yes' within a timeout causes me a lot of grief. Anyone know of a workaround?

[junglhilt]

I use saltstack to provision and then manage the hosts using ansible. Maybe we should get this done on odesk or indiegogo?

On 4 Mar 2015, at 3:19 pm, Dan Washusen notifications@github.com wrote:

+1, having to manually type 'yes' within a timeout causes me a lot of grief. Anyone know of a workaround?

—
Reply to this email directly or view it on GitHub.

[danwashusen]

@junglhilt I'm happy to contribute funds to the odesk or indiegogo job...

[junglhilt]

@bcoca can you give us an estimate of the time to implement this and would you accept a pull request for this assuming it meets all requirements? @danwashusen and I are thinking of creating a bounty for this at http://www.bountysource.com.

[josnidhin]

+1 would like to see this feature soon.

[bcoca]

I don't see us rejecting a PR that adds this to the return of ec2 so it can be registered and used, even adding this to ec2.py inventory and/or ec2_facts might prove very useful.

[cpopov]

+1 I am new user to Ansible, just tried to use it for EC2 provisioning and this is a huge show stopper for me.

[josnidhin]

My current solution is to do the following soon after ec2 provisioning

- name: Add the instances to known hosts
  local_action: command sh -c 'ssh-keyscan -t {{ key_type }} {{ item.public_ip }} >> $HOME/.ssh/known_hosts'
  with_items: ec2.instances

[junglhilt]

@josnidhin thanks for your suggestion however the whole point is to verify the ssh host key fingerprint out of band before or so that it can be trusted.

@danwashusen I have just posted a $50 bounty for this...not sure if you can add funds to the existing bounty?

[junglhilt]

nice work @giacomolozito - I will let you know once I have tested him if @bcoca doesn't beat me to it! (not that I have write permissions on the repo but I thought I would test it since I have created a bounty for it!)