workaround for paramiko issue with ecdsa-sha2-nistp256 key #3489

Closed
mpdehaan opened this issue Jul 10, 2013 · 2 comments
Labels
bsd BSD community bug This issue/PR relates to a bug.

Comments

@mpdehaan
Contributor

User on OpenBSD reported that paramiko does not persist, and in fact can remove, a key of the above type from known hosts. Root problem appears to be in paramiko not understanding this key type. (Not yet reproduced; also note the default on OpenBSD is now openssh, not paramiko, but paramiko can be selected.)

See comment on paramiko/paramiko#67

Impact: Starting in Ansible 1.2.2, Ansible defaults to the "smart" connection type and will only use paramiko if ssh does not support ControlPersist or paramiko is explicitly selected, so this should not affect many users. However, it's definitely not a good thing that paramiko would discard them from the file for "non-common key types". More reason for moving away from paramiko as a default.

However, Ansible should add a safeguard to detect the number of changes to known hosts to guard against this -- namely, if the file does not grow by exactly 1 line and change no other lines, it's not reasonable to rewrite the file, as paramiko may have the above bug. In this event it should raise a warning.
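The safeguard proposed above, as an added example: this is not Ansible's or paramiko's code. It compares the known_hosts contents before and after the host-key library has added an entry and only allows the rewrite when exactly one line was appended and no existing line was changed or dropped; otherwise it warns and leaves the file alone. The sample known_hosts lines and their key blobs are constructed placeholders, not real keys.

```python
"""Guard against a host-key library silently rewriting known_hosts.

Added example, not Ansible's or paramiko's own code. Assumes the caller
holds the file text before and after the library added an entry.
"""
import difflib
import warnings


def describe_rewrite(old_text: str, new_text: str):
    """Return (added_lines, removed_lines) between two known_hosts texts.

    A modified line shows up as one removed and one added line, so any
    change other than a pure append leaves removed_lines non-empty.
    """
    old_lines = old_text.splitlines()
    new_lines = new_text.splitlines()
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        removed.extend(old_lines[i1:i2])
        added.extend(new_lines[j1:j2])
    return added, removed


def is_safe_known_hosts_rewrite(old_text: str, new_text: str) -> bool:
    """True only if the rewrite adds exactly one line and touches nothing else."""
    added, removed = describe_rewrite(old_text, new_text)
    return len(added) == 1 and not removed


def guarded_known_hosts_write(path: str, new_text: str) -> bool:
    """Rewrite known_hosts at `path` only if the change is a single appended line.

    Returns True if the file was written, False if the rewrite was refused.
    """
    with open(path, "r", encoding="utf-8") as fh:
        old_text = fh.read()
    if not is_safe_known_hosts_rewrite(old_text, new_text):
        added, removed = describe_rewrite(old_text, new_text)
        warnings.warn(
            "refusing to rewrite %s: expected exactly one new line, "
            "but %d line(s) would be added and %d removed (possible "
            "host-key library bug)" % (path, len(added), len(removed))
        )
        return False
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_text)
    return True


# Constructed sample known_hosts contents; the key blobs are placeholders.
OLD_KNOWN_HOSTS = (
    "host1.example ssh-rsa AAAAB3PLACEHOLDER1\n"
    "host2.example ecdsa-sha2-nistp256 AAAAE2PLACEHOLDER2\n"
)
# Healthy outcome: one line appended, nothing else touched.
GOOD_NEW_KNOWN_HOSTS = OLD_KNOWN_HOSTS + "host3.example ssh-rsa AAAAB3PLACEHOLDER3\n"
# Failure mode from the issue: the ecdsa entry is dropped while adding host3.
BAD_NEW_KNOWN_HOSTS = (
    "host1.example ssh-rsa AAAAB3PLACEHOLDER1\n"
    "host3.example ssh-rsa AAAAB3PLACEHOLDER3\n"
)


if __name__ == "__main__":
    import os
    import tempfile

    with tempfile.NamedTemporaryFile("w", delete=False, encoding="utf-8") as tmp:
        tmp.write(OLD_KNOWN_HOSTS)
    try:
        print("bad rewrite accepted:", guarded_known_hosts_write(tmp.name, BAD_NEW_KNOWN_HOSTS))
        print("good rewrite accepted:", guarded_known_hosts_write(tmp.name, GOOD_NEW_KNOWN_HOSTS))
    finally:
        os.unlink(tmp.name)
```

The line-level diff is deliberately strict: a reordered file or a changed comment line also trips the guard, which is the intended bias, since a refused rewrite costs one manual edit while a silently dropped host key costs a verification check on the next connection.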

@mpdehaan
Contributor Author

mpdehaan commented Oct 7, 2013

I haven't heard any reports of this recently so I am going to close this issue.

Most people should be using -c ssh now and paramiko is around for EL6, which does not default to this keytype.

@mpdehaan mpdehaan closed this as completed Oct 7, 2013
@hansbogert

Actually this hit me only recently. It was quite an ordeal to pinpoint it to this issue. How can I debug why my ansible (installed through macports) is not using SSH by default?

@ansibot ansibot added bug This issue/PR relates to a bug. and removed bug_report labels Mar 6, 2018
@dagwieers dagwieers added the bsd BSD community label Jan 18, 2019
@ansible ansible locked and limited conversation to collaborators Apr 24, 2019