ansible_ssh_args is leverageable here to pass additional arguments, correct? Also, this is configurable in ansible.cfg.
On Sat, Jun 7, 2014 at 11:34 AM, Brent Langston <[email protected]> wrote:

> I see your logic, but I think this would break a use case I have in my
> environment where a bot layers on the appropriate key depending on what it
> is doing.
>
> There is the config key for initiating a config run, the provisioning key
> for each environment, the deploy key for each environment, and the security
> group key for each region.
>
> Config key is always in the agent, but the others are loaded as needed.
>
> The examples you mentioned seem more like something I would be doing
> occasionally, or one off. For that situation, it would be just as easy to
> drop keys from my agent to test a new key is working before removing the
> old.
>
> On Jun 7, 2014 1:08 AM, "Jesse Keating" <[email protected]> wrote:
>
>> With ansible, one can define ansible_ssh_private_key=/some/key per-host,
>> to define which private key will be sent along for which hosts. This is
>> pretty useful, but I think it's missing the next bit of usefulness, using
>> that private key /exclusively/. As it stands, when you define
>> ansible_ssh_private_key, the Ansible code will add -o
>> IdentityFile=/some/key to the SSH arguments. This directs SSH to /include/
>> this key along with the rest of the keys it may get from ssh-agent when
>> attempting to make the connection. In order to use the defined key
>> exclusively, an extra option needs to be passed along, -o
>> IdentitiesOnly=yes. This will direct SSH to /only/ attempt using the
>> provided private key.
>>
>> This functionality would be useful in key rotation, making sure the new
>> key works before removing any old keys from authorized_keys. It also has
>> security impact, making sure the remote side is responding to the specific
>> key we're providing, indicating it has the public part of this particular
>> key and not some other key that's letting ssh in.
>>
>> The code to add this doesn't look too bad, albeit spread across a few
>> connection plugins and one module. I'm willing to put the work in if this
>> is seen as a useful and acceptable change in behavior. Note that at this
>> time I'm not asking for an additional Ansible config entry or argument to
>> toggle this feature, what I'm asking for is a behavior change to go along
>> with the already existing config of ansible_ssh_private_key.
>>
>> -jlk
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/85C084BE-9C91-42AF-A2BD-6370132A41EF%40j2solutions.net

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgyjnajoLL9A-MoR6-P%3DZDUQvr7EWEWp1wpthv%2Byg0F_ig%40mail.gmail.com.
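Putting the two halves of the thread together, as an added example that is not from any of the posters: an ansible.cfg and inventory fragment that pins a per-host private key and passes -o IdentitiesOnly=yes through ssh_args, so SSH offers only that key instead of everything the agent holds, while one host keeps the agent-based behaviour Brent describes. It assumes current Ansible option names (ssh_args under [ssh_connection], ansible_ssh_private_key_file, per-host ansible_ssh_args) rather than the 2014-era ansible_ssh_private_key named above; the hostnames and key paths are constructed.

```ini
# ---- ansible.cfg (added example; option names assumed from current Ansible) ----
[ssh_connection]
# Weak form (Ansible's default ssh_args, shown commented out): the per-host key
# is passed with -o IdentityFile=..., but ssh still offers every key loaded in
# ssh-agent, so a login can succeed with some other key than the one under test.
#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s

# Exclusive form: IdentitiesOnly=yes makes ssh try only identities named on
# the command line or in ssh_config and ignore additional agent keys.
# ssh_args REPLACES the default rather than appending to it, so the
# ControlMaster/ControlPersist options are repeated here to keep connection reuse.
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o IdentitiesOnly=yes

# ---- inventory (constructed hosts and key paths) ----
[web]
# Key rotation check: point the host at the NEW key only. A successful run proves
# the remote authorized_keys holds this key's public half; an old key still
# sitting in the agent cannot mask a missing or rejected new key.
web1.example.internal ansible_ssh_private_key_file=/srv/keys/deploy_web_new
web2.example.internal ansible_ssh_private_key_file=/srv/keys/deploy_web_new

[bastion]
# Brent's case: a host that must see whatever the bot has loaded into the agent.
# Per-host ansible_ssh_args overrides the global ssh_args for this host alone.
jump.example.internal ansible_ssh_args="-C -o ControlMaster=auto -o ControlPersist=60s -o IdentitiesOnly=no"

# Caveat: a host with IdentitiesOnly=yes but no ansible_ssh_private_key_file
# still falls back to ssh's default identity files (~/.ssh/id_*), so set the
# key explicitly wherever exclusive use is the point.
```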
