With ansible, one can define ansible_ssh_private_key=/some/key per-host, to 
define which private key will be sent along for which hosts. This is pretty 
useful, but I think it's missing the next bit of usefulness, using that private 
key /exclusively/. As it stands, when you define ansible_ssh_private_key, the 
Ansible code will add -o IdentityFile=/some/key to the SSH arguments. This 
directs SSH to /include/ this key along with the rest of the keys it may get 
from ssh-agent when attempting to make the connection. In order to use the 
defined key exclusively, an extra option needs to be passed along, -o 
IdentitiesOnly=yes . This will direct SSH to /only/ attempt using the provided 
private key.

This functionality would be useful in key rotation, making sure the new key 
works before removing any old keys from authorized_keys. It also has security 
impact, making sure the remote side is responding to the specific key we're 
providing, indicating it has the public part of this particular key and not 
some other key that's letting ssh in.

The code to add this doesn't look too bad, albeit spread across a few 
connection plugins and one module. I'm willing to put the work in if this is 
seen as a useful and acceptable change in behavior. Note that at this time 
I'm not asking for an additional Ansible config entry or argument to toggle 
this feature; what I'm asking for is a behavior change to go along with the 
already existing config of ansible_ssh_private_key.

-jlk
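As an added illustration of the rotation procedure the post describes (this is example code, not from the original message or the Ansible project), the following playbook installs a new key, verifies that the remote side accepts that key when SSH is told to offer it and nothing else, and only then removes the old key. It assumes Ansible 2.0 or later (for `ansible_ssh_common_args`), that `ansible_user` is set in the inventory, that connection variables may be set as play-level `vars`, and hypothetical key paths under `/keys/`. The real inventory variable is `ansible_ssh_private_key_file`; combining it with `-o IdentitiesOnly=yes` gives the exclusive behavior the post asks for without a code change.

```yaml
# Added example, not part of the original post.
# Assumed paths: /keys/old_id_ed25519 and /keys/new_id_ed25519 (hypothetical).
# Assumes Ansible >= 2.0 and ansible_user defined in inventory.
---
- name: Install the new public key alongside the old one
  hosts: all
  vars:
    # Still authenticate with the old key, but offer only that key.
    ansible_ssh_private_key_file: /keys/old_id_ed25519
    ansible_ssh_common_args: -o IdentitiesOnly=yes
  tasks:
    - name: Add new key to authorized_keys
      authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', '/keys/new_id_ed25519.pub') }}"
        state: present

- name: Verify the new key works on its own (no agent keys, no old key)
  hosts: all
  gather_facts: false
  vars:
    # IdentitiesOnly=yes stops SSH from also trying every key in ssh-agent,
    # so success here proves the remote host accepted this specific key.
    ansible_ssh_private_key_file: /keys/new_id_ed25519
    ansible_ssh_common_args: -o IdentitiesOnly=yes
  tasks:
    - name: Connection succeeded using only the new key
      ping:

- name: Remove the old key only after the exclusive check passed
  hosts: all
  gather_facts: false
  vars:
    ansible_ssh_private_key_file: /keys/new_id_ed25519
    ansible_ssh_common_args: -o IdentitiesOnly=yes
  tasks:
    - name: Remove old key from authorized_keys
      authorized_key:
        user: "{{ ansible_user }}"
        key: "{{ lookup('file', '/keys/old_id_ed25519.pub') }}"
        state: absent
```

Because a host that fails to connect in the second play is marked unreachable and dropped from the plays that follow, the verification play acts as a gate: the old key is never removed from a host where the new key was not proven to work on its own. Running `ansible-playbook -vvv` shows the full `ssh` command line, including both `-o IdentityFile=...` and `-o IdentitiesOnly=yes`, which is a quick way to confirm the exclusive setting is actually being applied.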

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/85C084BE-9C91-42AF-A2BD-6370132A41EF%40j2solutions.net.