Tested an Ansible setup from my server (ssh-agent) w/o having GitHub's key in known_hosts _and_ the "default" (empty) ssh config. Doesn't work. I had to add GitHub's key on the host in order to make this work again. Not storing GitHub's key *and* having the mentioned config let me do the setup, so I conclude that now anybody could mock to be GitHub to make me ssh-connect to him. I would say this is a bit more scary than having to replace an official GitHub key once in a lifetime.
Neil Young wrote on Saturday, 25 March 2023 at 07:24:32 UTC+1:
> Sounds legit and works. But isn't "StrictHostKeyChecking=no" dangerous?
> (To not start a religious war here :))
>
> Nico Kadel-Garcia wrote on Friday, 24 March 2023 at 23:44:06 UTC+1:
>
>> On Fri, Mar 24, 2023 at 8:37 AM 'Neil Young' via Ansible Project
>> <[email protected]> wrote:
>> >
>> > OK, maybe a solution (workaround?)
>> >
>> > I got another error message later, which clarified the failing command:
>> >
>> > FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote [email protected]:xxxxxxxxxxx.git -h refs/heads/HEAD", "
>> >
>> > So I ssh'ed to the machine and issued exactly this command:
>> >
>> > The response led me to an offending, but not obvious "known_hosts" entry (which obviously described "github.com"), maybe left by "ssh-agent" (hmm, didn't know that. Shouldn't be left there I guess).
>> >
>> > Warning: the ECDSA host key for 'github.com' differs from the key for the IP address '140.82.121.3'
>> >
>> > Offending key for IP in /home/ubuntu/.ssh/known_hosts:2
>>
>> And *this* is why relying on known_hosts has caused more failures of working software than prevention of faked host access since SSH was originally written.
>>
>> The typical entry to disable it in ~/.ssh/config is:
>>
>> Host *
>> UserKnownHostsFile /dev/null
>> StrictHostKeyChecking no
>> LogLevel error
>>

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/bbf5a9e6-b54d-445f-9ada-c7d64f0bbca2n%40googlegroups.com.
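As an added example (not code from the thread or from Ansible), the shell script below contrasts the "Host *" block Nico quoted with a pinned per-host alternative and checks a known_hosts file for the condition behind Neil's "Offending key for IP" warning: a hostname line and an IP line that carry different keys. All key strings are constructed placeholders, not GitHub's real host keys, and the known_hosts path in the pinned config is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread. Contrasts the "Host *" config
# quoted above with a pinned per-host variant, and checks a known_hosts file
# for the symptom Neil hit: a hostname entry and an IP entry with different
# keys. All key material below is CONSTRUCTED, not GitHub's real host keys.

# audit_ssh_config FILE: prints each directive inside a "Host *" block that
# turns host-key verification off; returns 1 if any were found, else 0.
audit_ssh_config() {
    awk '
        tolower($1) == "host"  { wild = ($2 == "*"); next }
        tolower($1) == "match" { wild = 0; next }
        wild && tolower($1) == "stricthostkeychecking" && tolower($2) == "no" { print; bad = 1 }
        wild && tolower($1) == "userknownhostsfile" && $2 == "/dev/null"      { print; bad = 1 }
        END { if (bad) exit 1 }' "$1"
}

# known_hosts_conflict FILE HOST IP: returns 1 when FILE pins one key for HOST
# and a different key for IP (ssh then warns "Offending key for IP"), 0 when
# they agree or one side is absent. Hashed (|1|) and @marker lines are skipped.
known_hosts_conflict() {
    awk -v host="$2" -v ip="$3" '
        /^[ \t]*(#|$)/ || substr($1, 1, 3) == "|1|" || $1 ~ /^@/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                if (names[i] == host) hk = $2 " " $3
                if (names[i] == ip)   ik = $2 " " $3
            }
        }
        END { if (hk != "" && ik != "" && hk != ik) exit 1 }' "$1"
}

# Constructed sample files: the permissive config from the thread, a pinned
# alternative (paths are assumptions), and a known_hosts whose IP line is stale.
dir="${TMPDIR:-/tmp}/kh_demo.$$"; mkdir -p "$dir"
printf 'Host *\n  UserKnownHostsFile /dev/null\n  StrictHostKeyChecking no\n  LogLevel error\n' >"$dir/permissive"
printf 'Host github.com\n  UserKnownHostsFile ~/.ssh/known_hosts.github\n  StrictHostKeyChecking yes\n' >"$dir/pinned"
printf 'github.com ecdsa-sha2-nistp256 AAAAE2Vj-CONSTRUCTED-HOSTNAME-KEY\n' >"$dir/known_hosts"
printf '140.82.121.3 ecdsa-sha2-nistp256 AAAAE2Vj-CONSTRUCTED-STALE-IP-KEY\n' >>"$dir/known_hosts"

if audit_ssh_config "$dir/permissive"; then echo "permissive: ok"; else echo "permissive: host-key checking is off"; fi
if audit_ssh_config "$dir/pinned"; then echo "pinned: ok"; fi
if known_hosts_conflict "$dir/known_hosts" github.com 140.82.121.3; then :; else echo "known_hosts: hostname and IP keys differ"; fi
```

The pinned variant keeps verification on and scopes the pinned key to github.com in its own file, so a stale IP line can be removed without touching other hosts.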
