SSH is NOT hard to manage. You need a well-defined management practice. We have 
a service account on our machines with a populated SSH public key. We tightly 
control access to the private key.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Mar 25, 2023, at 3:49 PM, Nico Kadel-Garcia <[email protected]> wrote:

On Sat, Mar 25, 2023 at 2:24 AM 'Neil Young' via Ansible Project
<[email protected]> wrote:

Sounds legit and works. But isn't "StrictHostKeyChecking=no" dangerous? (To not 
start a religious war here :))

There is an increased risk. The risk of needing to clean up from reset host
keys is also a significant one, and tuning and picking which keys are and are
without that filter is a burden. Tools like ansible can, in theory, provide
just such tuning on a server-by-server and SSH-service by SSH-service basis.
But I've several times encountered git server setups where the admin copied
over the Host's private keys, but not the exposed git related SSH service's
keys because he *did not understand the distinction*, and it's seriously
screwed up working setups both for the Ansible server and the clients.
Manually inserting the options into all the SSH commands eliminates those
checks on a case-by-case basis, but frankly, I have a day job, not the time to
go implant the workaround into every developer's SSH command line settings.

--
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fd%2Fmsgid%2Fansible-project%2FCAOCN9ryTGixQioeW2%252Badz2vKfzHJoVCnvDgZRZKyEzGJ4j%253DMyw%2540mail.gmail.com&data=05%7C01%7Cwalter.rowe%40nist.gov%7C1264b2416c574c97927d08db2d6a076f%7C2ab5d82fd8fa4797a93e054655c61dec%7C1%7C0%7C638153705643785382%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=EOumR4tipuYsITEDjq8p3KCCzOjdrhpfYSZpL7t1x2Y%3D&reserved=0.
