Cannot handle SSH host authenticity prompts for multiple hosts

[timwhitlock]

ISSUE TYPE

• Bug Report

COMPONENT NAME

SSH connection

ANSIBLE VERSION

ansible --version
ansible 2.4.0 (devel 6dd1fc6f34) last updated 2017/05/26 13:48:40 (GMT +100)
  config file =
  configured module search path = [u'/bin/ansible-source/library', u'/usr/share/ansible/']
  ansible python module location = /bin/ansible-source/lib/ansible
  executable location = /bin/ansible
  python version = 2.7.10 (default, Oct 23 2015, 19:19:21) [GCC 4.2.1 Compatible Apple LLVM 7.0.0 (clang-700.0.59.5)]

Same for stable-2.3

CONFIGURATION

defaults

OS / ENVIRONMENT

Host: Mac OS 10.11.6
Managing VM: CentOS 7 / Vagrant

SUMMARY

When running against multiple (new) hosts that have no entry in .ssh/known_hosts the "authenticity" prompts are all output at once to the command line. Entering "yes" to continue connecting does not work and simply receives the prompt again "Please type 'yes' or 'no':"

The problem does not exist when running against a single host. The entry "yes" is accepted.

STEPS TO REPRODUCE

Run any ansible command that connects via SSH against two or more hosts where the hosts are not present in the .ssh/known_hosts file.

EXPECTED RESULTS

Expected OS prompts to be queued, accepting user input of "yes", before proceeding to the next prompt.

ACTUAL RESULTS

Example using two hosts:

The authenticity of host '10.0.0.4 (10.0.0.4)' can't be established.
ECDSA key fingerprint is SHA256:WkPeJUhNdz/MX3zAy536BHZRC/9INGEQWGhsmAPzkEo.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '10.0.0.5 (10.0.0.5)' can't be established.
ECDSA key fingerprint is SHA256:UJCEM05W15HZuzOLRpxNli+Qnwei7j84u2lbpVFBqkI.
Are you sure you want to continue connecting (yes/no)? 
yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
...

[bcoca]

sounds like known_host locking is broken

[philipobrien]

Is there any solution available for this?

[alikins]

@timwhitlock @philipobrien If you have it, could you provide the ansible output with -vvvv verbosity when hitting this issue?

This is using the 'ssh' connection plugin? (ie, not paramiko...)

[philipobrien]

@alikins I don't think I'm using a plugin, just standard ssh access, but I could be wrong.

My Vagrant file is basically just

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/trusty64"
  config.ssh.insert_key = false
  config.vm.synced_folder ".", "/vagrant", disabled: true
  config.vm.provider :virtualbox do |v|
    v.memory = 256
    v.linked_clone = true
  end
  config.vm.define "app1" do |app|
    app.vm.hostname = "orc-app1.dev"
    app.vm.network :private_network, ip: "192.168.60.4"
  end
  config.vm.define "app2" do |app|
    app.vm.hostname = "orc-app2.dev"
    app.vm.network :private_network, ip: "192.168.60.5"
  end
  config.vm.define "db" do |db|
    db.vm.hostname = "orc-db.dev"
    db.vm.network :private_network, ip: "192.168.60.6"
  end
end

and my ansible hosts as defined in /etc/ansible/hosts

# Application servers
[app]
192.168.60.4
192.168.60.5

# Database server
[db]
192.168.60.6

# Group 'multi' with all servers
[multi:children]
app
db

# Variables that will be applied to all servers
[multi:vars]
ansible_user=vagrant
ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key

Then I just vagrant up and the result of ansible multi -a "hostname" -vvvv is shown below

No config file found; using defaults
Loading callback plugin minimal of type stdout, v2.0 from /Users/philip/.local/share/virtualenvs/ansible-SwnifpuM/lib/python3.6/site-packages/ansible/plugins/callback/__init__.py
META: ran handlers
Using module file /Users/philip/.local/share/virtualenvs/ansible-SwnifpuM/lib/python3.6/site-packages/ansible/modules/commands/command.py
Using module file /Users/philip/.local/share/virtualenvs/ansible-SwnifpuM/lib/python3.6/site-packages/ansible/modules/commands/command.py
<192.168.60.4> ESTABLISH SSH CONNECTION FOR USER: vagrant
Using module file /Users/philip/.local/share/virtualenvs/ansible-SwnifpuM/lib/python3.6/site-packages/ansible/modules/commands/command.py
<192.168.60.5> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.60.6> ESTABLISH SSH CONNECTION FOR USER: vagrant
<192.168.60.4> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/philip/.vagrant.d/insecure_private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=vagrant -o ConnectTimeout=10 -o ControlPath=/Users/philip/.ansible/cp/1dc5e4da79 192.168.60.4 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.60.6> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/philip/.vagrant.d/insecure_private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=vagrant -o ConnectTimeout=10 -o ControlPath=/Users/philip/.ansible/cp/1638ced516 192.168.60.6 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<192.168.60.5> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/Users/philip/.vagrant.d/insecure_private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=vagrant -o ConnectTimeout=10 -o ControlPath=/Users/philip/.ansible/cp/085d1da2e1 192.168.60.5 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
The authenticity of host '192.168.60.6 (192.168.60.6)' can't be established.
ECDSA key fingerprint is SHA256:lZKyYKDkK+VaUykqlm+sj22zfM7C6JgWmyIeStUHb3U.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '192.168.60.4 (192.168.60.4)' can't be established.
ECDSA key fingerprint is SHA256:CEhTnfXVrzw3/ERIExCtEUl+lUeJPb5yPRutgTJ/w9I.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '192.168.60.5 (192.168.60.5)' can't be established.
ECDSA key fingerprint is SHA256:dCo+mSyaufrQKyVe6x65V9dLZ7qMst7RlfzXmDyutoE.
Are you sure you want to continue connecting (yes/no)?

typing 'yes' just gets me a new prompt of

Please type 'yes' or 'no':

which never responds

but finally fails when I just hit return without typing 'yes'

192.168.60.4 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: OpenSSH_6.9p1, LibreSSL 2.1.8\r\ndebug1: Reading configuration data /Users/philip/.ssh/config\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 21: Applying options for *\r\ndebug1: /etc/ssh/ssh_config line 56: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/Users/philip/.ansible/cp/1dc5e4da79\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to 192.168.60.4 [192.168.60.4] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/philip/.vagrant.d/insecure_private_key type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/philip/.vagrant.d/insecure_private_key-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_6.9\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8\r\ndebug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: Authenticating to 192.168.60.4:22 as 'vagrant'\r\ndebug3: hostkeys_foreach: reading file \"/Users/philip/.ssh/known_hosts\"\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss\r\ndebug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug1: kex: server->client chacha20-poly1305@openssh.com <implicit> zlib@openssh.com\r\ndebug1: kex: client->server chacha20-poly1305@openssh.com <implicit> zlib@openssh.com\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: ecdsa-sha2-nistp256 SHA256:CEhTnfXVrzw3/ERIExCtEUl+lUeJPb5yPRutgTJ/w9I\r\ndebug3: hostkeys_foreach: reading file \"/Users/philip/.ssh/known_hosts\"\r\nHost key verification failed.\r\n",
    "unreachable": true
}

[nrwahl2]

@philipgough Does it help to turn off strict host key checking as a workaround?
https://stackoverflow.com/a/35564773

[hostragon-hosting]

Just add this:

ansible_ssh_common_args='-o StrictHostKeyChecking=no'

to /etc/ansible/hosts "[servers_group:vars]"

[ansibot]

@timwhitlock This issue is waiting for your response. Please respond or the issue will be closed.

click here for bot help

[timwhitlock]

The StrictHostKeyChecking workaround works for me

[tomthetommy]

Getting the same trying to ssh to 2 docker workers this morning.

TASK [Join Swarm Cluster as a Worker] ******************************************
The authenticity of host '3x.xx.xx.xx (3x.xx.xx.xx)' can't be established.
ECDSA key fingerprint is SHA256:bOoUXzv95H2gK89yk5JKad/7M5fyc80q++BIfeSjWnM.
Are you sure you want to continue connecting (yes/no)? The authenticity of host '3x.xx.xx.xx (3x.xx.xx.xx)' can't be established.
ECDSA key fingerprint is SHA256:4hzIAJxw75ppZFYZTp3LYQvB/Zls1SSp321t30w5iM0.
Are you sure you want to continue connecting (yes/no)? yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no': yes
Please type 'yes' or 'no':

[bizmate]

Same for me, I will try to add ansible_ssh_common_args='-o StrictHostKeyChecking=no'

[kowalskey]

Hello, I just stumbled upon this issue.

I think that StrictHostKeyChecking can be insecure in some environments.
It's possible (at least it worked for me) to work around multiple Are you sure... prompts by calling ansible with --forks 1

Of course you will need to pass --forks 1 only first time when connecting to hosts without SSH keys

(Side note: IIRC I read somewhere in ansible docs that if at least one host does not have SSH key in ~/.ssh/known_hosts or equivalent, then the ansible will serialize tasks and act like forks are indeed reduced to 1. So maybe there is issue with that serialization, or forks = XX in ansible.cfg conflicts with that heuristic ? Just a thought 🤔 )

[ktaragorn]

--forks 1 solution/workaround works beautifully without compromising security.

[shitalp]

Where to add that --forks 1 in ansible

[tstuber]

Where to add that --forks 1 in ansible

For a one time execution, you can add the parameter during the playbook execution (ansible-playbook <your playbook> --fork 1).
You can also set the fork in the ansible config or as environment variable (see here)

[CodeitchNY]

Curious as to what the status of this is. Obviously open but still hyper annoying to keep one prompts output from clobbering the second prompts output and only getting the "last" host in the list. Also, it is clearly reachable, a more clear error message on the rejection would be helpful. refused or rejected would be clearer.

--forks 1 does resolve the issue but....

so does CRTL-C and do again and the playbook will run (add one, then the other) which I do more often cause I forget --forks 1 all the time.

TASK [Gathering Facts] ****************************************************************************************************************
task path: /home/me/whatever/test_config.yml:2
The authenticity of host 'xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)' can't be established.
ECDSA key fingerprint is SHA256:HJFDHSKHKf78ds3hk2rd.
Are you sure you want to continue connecting (yes/no)? The authenticity of host 'yyy.xxx.xxx.yyy (yyy.xxx.xxx.yyy)' can't be established.
ECDSA key fingerprint is SHA256:fbdkshfkdJHKJHKhkr3223.
Are you sure you want to continue connecting (yes/no)? yes
ok: [db_server]

fatal: [web_server]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Host key verification failed.", "unreachable": true}
META: ran handlers```

[james-voong]

Encountered this issue today.

The workaround I used was to run it with only one host, accept the key, cancel the run, then repeat for each host. Once all the keys are added I can run with all hosts at once.

[konstruktoid]

If you're blindly accept keys, the following might work for you. It's from a test setup with a bastion host (https://github.com/konstruktoid/publications/blob/master/bastion/README.md#automatically-accepting-ssh-host-keys) so you'll have to modify it of course.

- hosts: bastion
  serial: 1
  any_errors_fatal: true
  tasks:
    - name: ssh keyscan bastion hosts from localhost
      delegate_to: localhost
      lineinfile:
        dest: ~/.ssh/known_hosts
        create: 'yes'
        state: present
        mode: '0600'
        line: "{{ lookup('pipe', 'ssh-keyscan -H' + ' ' + hostvars[item]['ansible_host']) }}"
      with_items:
        - "{{ groups['bastion'] }}"

    - name: ssh keyscan internal hosts from localhost
      delegate_to: localhost
      lineinfile:
        dest: ~/.ssh/known_hosts
        create: 'yes'
        state: present
        mode: '0600'
        line: "{{ lookup('pipe', 'ssh-keyscan -H' + ' ' + hostvars[item]['ansible_host']) }}"
      ignore_errors: true
      with_items:
        - "{{ groups['internal']|reverse|list }} "

    - name: ssh keyscan internal hosts from bastion01
      delegate_to: bastion01
      lineinfile:
        dest: ~/.ssh/known_hosts
        create: 'yes'
        state: present
        mode: '0600'
        line: "{{ lookup('pipe', 'ssh-keyscan -H' + ' ' + hostvars[item]['ansible_host']) }}"
      ignore_errors: true
      with_items:
        - "{{ groups['internal']|reverse|list }} "