User on OpenBSD reported that paramiko does not persist, and in fact can remove, a key of the above type from known hosts. Root problem appears to be in paramiko not understanding this key type. (Not yet reproduced; also note default on OpenBSD is now OpenSSH, not paramiko, but paramiko can be selected.)
Impact: Starting in Ansible 1.2.2, Ansible defaults to the "smart" connection type and will only use paramiko if it does not support ControlPersist or is explicitly selected, so this should not affect many users. However, it's definitely not a good thing that paramiko would discard them from the file for "non-common key types". More reason for moving away from paramiko as a default.
However, Ansible should add a safeguard to detect the number of changes to known hosts to guard against this -- namely, if the file does not grow by exactly 1 line and change no other lines, it's not reasonable to rewrite the file, as paramiko may have the above bug. In this event it should raise a warning.
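The safeguard proposed above, as an added example (not Ansible's or paramiko's code): a check that a rewritten known_hosts file keeps every existing line and adds exactly one, with a guarded write that warns instead of rewriting. Function names, host names and key blobs are constructed, and `x-uncommon-keytype` is a placeholder for a key type the writer does not understand.

```python
import os
import warnings
from collections import Counter

# Constructed sample data: host names and key blobs are made up, and
# "x-uncommon-keytype" stands in for a key type the writer cannot parse.
OLD = ("host1.example ssh-rsa AAAAconstructed1\n"
       "host2.example x-uncommon-keytype AAAAconstructed2\n")
NEW_LINE = "host3.example ssh-rsa AAAAconstructed3\n"
GOOD = OLD + NEW_LINE                       # one line appended
BAD = OLD.splitlines(True)[0] + NEW_LINE    # host2 entry silently dropped


def _entries(text):
    """Non-blank lines of a known_hosts file, trailing whitespace removed."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip()]


def check_known_hosts_rewrite(old_text, new_text):
    """Return (ok, dropped, added) for a proposed rewrite.

    ok is True only if every existing line survives unchanged and exactly
    one line is new. Line order is ignored; comment lines count as lines.
    """
    old, new = Counter(_entries(old_text)), Counter(_entries(new_text))
    dropped = sorted((old - new).elements())
    added = sorted((new - old).elements())
    return (not dropped and len(added) == 1), dropped, added


def guarded_write(path, new_text):
    """Replace path with new_text only when the check passes; else warn."""
    old_text = ""
    if os.path.exists(path):
        with open(path) as fh:
            old_text = fh.read()
    ok, dropped, added = check_known_hosts_rewrite(old_text, new_text)
    if not ok:
        warnings.warn("not rewriting %s: %d existing line(s) dropped or "
                      "changed, %d added" % (path, len(dropped), len(added)))
        return False
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)  # atomic swap, so a failed write leaves the old file
    return True
```

The `dropped` list names the exact entries a rewrite would lose, which is what a user needs in order to restore a host key by hand.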
Actually this hit me only recently. It was quite an ordeal to pinpoint it to this issue. How can I debug why my Ansible (installed through MacPorts) is not using SSH by default?
See comment on paramiko/paramiko#67