If there is value in this change of behavior, then cool. I have some other work-arounds in mind that shouldn't be a big deal.
-------- Brent --------

On Mon, Jun 9, 2014 at 12:53 PM, Michael DeHaan <[email protected]> wrote:

> Per IRC, I'm open to that being a thing.
>
> On Mon, Jun 9, 2014 at 1:04 PM, Jesse Keating <[email protected]> wrote:
>
>> ansible_ssh_args does not appear to be a config value used by Ansible.
>>
>> [ssh_connection]
>> ssh_args
>>
>> that is read, and looking at the source, it appears the environment
>> ANSIBLE_SSH_ARGS is read by the ssh connection plugin.
>>
>> I'll try to play around and see if I can get that manipulated /in the
>> middle/ of a playbook, but it looks fairly awkward to accomplish. This is a
>> setting we'd want to set after the initial few connections.
>>
>> -jlk
>>
>> On Mon, Jun 9, 2014 at 7:44 AM, Michael DeHaan <[email protected]> wrote:
>>
>>> ansible_ssh_args is leveragable here to pass additional arguments
>>> correct?
>>>
>>> Also this is configurable in ansible.cfg.
>>>
>>> On Sat, Jun 7, 2014 at 11:34 AM, Brent Langston <[email protected]> wrote:
>>>
>>>> I see your logic, but I think this would break a use case I have in my
>>>> environment where a bot layers on the appropriate key depending on what it
>>>> is doing.
>>>>
>>>> There is the config key for initiating a config run, the provisioning
>>>> key for each environment, the deploy key for each environment, and the
>>>> security group key for each region.
>>>>
>>>> Config key is always in the agent, but the others are loaded as needed.
>>>>
>>>> The examples you mentioned seem more like something I would be doing
>>>> occasionally, or one off. For that situation, it would be just as easy to
>>>> drop keys from my agent to test a new key is working before removing the
>>>> old.
>>>>
>>>> On Jun 7, 2014 1:08 AM, "Jesse Keating" <[email protected]> wrote:
>>>>
>>>>> With ansible, one can define ansible_ssh_private_key=/some/key
>>>>> per-host, to define which private key will be sent along for which hosts.
>>>>> This is pretty useful, but I think it's missing the next bit of
>>>>> usefulness, using that private key /exclusively/. As it stands, when you
>>>>> define ansible_ssh_private_key, the Ansible code will add
>>>>> -o IdentityFile=/some/key to the SSH arguments. This directs SSH to
>>>>> /include/ this key along with the rest of the keys it may get from
>>>>> ssh-agent when attempting to make the connection. In order to use the
>>>>> defined key exclusively, an extra option needs to be passed along,
>>>>> -o IdentitiesOnly=yes . This will direct SSH to /only/ attempt using the
>>>>> provided private key.
>>>>>
>>>>> This functionality would be useful in key rotation, making sure the
>>>>> new key works before removing any old keys from authorized_keys. It also
>>>>> has security impact, making sure the remote side is responding to the
>>>>> specific key we're providing, indicating it has the public part of this
>>>>> particular key and not some other key that's letting ssh in.
>>>>>
>>>>> The code to add this doesn't look too bad, albeit spread across a few
>>>>> connection plugins and one module. I'm willing to put the work in if this
>>>>> is seen as a useful and acceptable change in behavior. Note that at this
>>>>> time I'm not asking for an additional Ansible config entry or argument to
>>>>> toggle this feature, what I'm asking for is a behavior change to go along
>>>>> with the already existing config of ansible_ssh_private_key.
>>>>>
>>>>> -jlk
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To post to this group, send email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/ansible-project/85C084BE-9C91-42AF-A2BD-6370132A41EF%40j2solutions.net
>>>>> .
>>>>> For more options, visit https://groups.google.com/d/optout.
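
The difference discussed in this thread, between adding a key with -o IdentityFile and using it exclusively with -o IdentitiesOnly=yes, as an added example that is not part of the thread or of Ansible's code. It is a simplified model of which keys an SSH client offers; the key names and the two scenarios are constructed for illustration.

```python
"""Simplified model of SSH client key selection (added example, not Ansible code)."""


def offered_identities(agent_keys, identity_files, identities_only):
    """Return the keys the client would offer, in order.

    Assumed simplification of OpenSSH client behaviour:
    - IdentitiesOnly=no : the configured IdentityFile keys, then every
      other key held by ssh-agent.
    - IdentitiesOnly=yes: only the configured IdentityFile keys.
    """
    offered = list(identity_files)
    if not identities_only:
        offered += [k for k in agent_keys if k not in offered]
    return offered


def authenticate(authorized_keys, agent_keys, identity_files, identities_only):
    """Return the first offered key the server accepts, or None on failure."""
    for key in offered_identities(agent_keys, identity_files, identities_only):
        if key in authorized_keys:
            return key
    return None


def rotation_check():
    """Key rotation: new_key is configured but was never installed remotely."""
    agent = ["old_key"]            # constructed: old key still in ssh-agent
    authorized = {"old_key"}       # constructed: remote authorized_keys
    configured = ["new_key"]       # stands in for ansible_ssh_private_key
    return {
        "inclusive": authenticate(authorized, agent, configured, False),
        "exclusive": authenticate(authorized, agent, configured, True),
    }


def layered_agent_check():
    """Layered keys: the per-task key lives only in the agent."""
    agent = ["config_key", "deploy_key"]   # constructed: bot loads deploy_key
    authorized = {"deploy_key"}            # constructed: host trusts deploy_key
    configured = ["config_key"]
    return {
        "inclusive": authenticate(authorized, agent, configured, False),
        "exclusive": authenticate(authorized, agent, configured, True),
    }


if __name__ == "__main__":
    print("rotation:", rotation_check())
    print("layered agent:", layered_agent_check())
```

In the rotation case the inclusive login succeeds through old_key and hides the missing new_key, while the exclusive login fails and exposes it. In the layered-agent case the exclusive behaviour is what breaks the connection.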
