ansibleguy / webui

Basic WebUI for using Ansible
https://webui.ansibleguy.net
GNU General Public License v3.0

Problem: StrictHostKeyChecking should be "accept-new" instead of "no" #60

Closed mathieumd closed 1 month ago

mathieumd commented 1 month ago

Versions

0.0.23.post3

Scope

Ansible (Job Execution)

Issue

ssh looks like it's hardcoded with -o StrictHostKeyChecking=no.

I think it should rather be -o StrictHostKeyChecking=accept-new, in order to be notified if/when it'll try to connect to a suddenly unknown machine.

ansibleguy commented 1 month ago

Greetings.

Interesting. For security reasons it should default to yes in my opinion. This project is (currently) not overriding this setting. Maybe it's configured in the git/ansible-runner module?

guy@cli:~/code/ansible-webui$ grep -Er 'StrictHostKeyChecking|HOST_KEY_CHECKING'

docs/source/usage/troubleshooting.rst:* As this security feature is important you **SHOULD NOT DISABLE IT IN PRODUCTION** by adding the environmental variable `ANSIBLE_HOST_KEY_CHECKING=False` to your jobs!
venv/lib/python3.10/site-packages/ansible/modules/git.py:            - Will ensure or not that "-o StrictHostKeyChecking=no" is present as an ssh option.
venv/lib/python3.10/site-packages/ansible/modules/git.py:            - Those using OpenSSH >= 7.5 might want to set O(ssh_opts) to V(StrictHostKeyChecking=accept-new)
venv/lib/python3.10/site-packages/ansible/modules/git.py:            - As of OpenSSH 7.5, "-o StrictHostKeyChecking=accept-new" can be
venv/lib/python3.10/site-packages/ansible/modules/git.py:              "-o StrictHostKeyChecking=accept-new" is present as an ssh option.
venv/lib/python3.10/site-packages/ansible/modules/git.py:            - An example value could be "-o StrictHostKeyChecking=no" (although this particular
venv/lib/python3.10/site-packages/ansible/modules/git.py:    accept_key = "StrictHostKeyChecking=no"
venv/lib/python3.10/site-packages/ansible/modules/git.py:    cmd = [ssh_path, '-o', 'StrictHostKeyChecking=accept-new', '-V']
venv/lib/python3.10/site-packages/ansible/modules/git.py:            if ("-o StrictHostKeyChecking=no" not in ssh_opts) and ("-o StrictHostKeyChecking=accept-new" not in ssh_opts):
venv/lib/python3.10/site-packages/ansible/modules/git.py:                ssh_opts += " -o StrictHostKeyChecking=no"
venv/lib/python3.10/site-packages/ansible/modules/git.py:            ssh_opts = "-o StrictHostKeyChecking=no"
venv/lib/python3.10/site-packages/ansible/modules/git.py:                if ("-o StrictHostKeyChecking=no" not in ssh_opts) and ("-o StrictHostKeyChecking=accept-new" not in ssh_opts):
venv/lib/python3.10/site-packages/ansible/modules/git.py:                    ssh_opts += " -o StrictHostKeyChecking=accept-new"
venv/lib/python3.10/site-packages/ansible/modules/git.py:                ssh_opts = "-o StrictHostKeyChecking=accept-new"
venv/lib/python3.10/site-packages/ansible/config/base.yml:HOST_KEY_CHECKING:
venv/lib/python3.10/site-packages/ansible/config/base.yml:  env: [{name: ANSIBLE_HOST_KEY_CHECKING}]
venv/lib/python3.10/site-packages/ansible/plugins/connection/paramiko_ssh.py:          - name: ANSIBLE_HOST_KEY_CHECKING
venv/lib/python3.10/site-packages/ansible/plugins/connection/paramiko_ssh.py:          - name: ANSIBLE_SSH_HOST_KEY_CHECKING
venv/lib/python3.10/site-packages/ansible/plugins/connection/paramiko_ssh.py:          - name: ANSIBLE_PARAMIKO_HOST_KEY_CHECKING
venv/lib/python3.10/site-packages/ansible/plugins/connection/ssh.py:              - name: ANSIBLE_HOST_KEY_CHECKING
venv/lib/python3.10/site-packages/ansible/plugins/connection/ssh.py:              - name: ANSIBLE_SSH_HOST_KEY_CHECKING
venv/lib/python3.10/site-packages/ansible/plugins/connection/ssh.py:            b_args = (b"-o", b"StrictHostKeyChecking=no")
venv/lib/python3.10/site-packages/ansible/plugins/connection/ssh.py:            self._add_args(b_command, b_args, u"ANSIBLE_HOST_KEY_CHECKING/host_key_checking disabled")
venv/lib/python3.10/site-packages/ansible_test/_internal/ssh.py:        StrictHostKeyChecking='no',
venv/lib/python3.10/site-packages/ansible_test/_internal/ansible_util.py:        ANSIBLE_HOST_KEY_CHECKING='false',
venv/lib/python3.10/site-packages/ansible_test/_internal/connections.py:            StrictHostKeyChecking='no',
venv/lib/python3.10/site-packages/pexpect/pxssh.py:                            "StrictHostKeyChecking": "no",
venv/lib/python3.10/site-packages/pexpect/pxssh.py:#                + " -o 'StrictHostKeyChecking=no'"
venv/lib/python3.10/site-packages/pexpect/pxssh.py:        # ssh.otions = dict(StrictHostKeyChecking="no",UserKnownHostsFile="/dev/null")
venv/lib/python3.10/site-packages/ansible_runner/config/_base.py:        if 'ANSIBLE_HOST_KEY_CHECKING' not in self.env:
venv/lib/python3.10/site-packages/ansible_runner/config/_base.py:            self.env['ANSIBLE_HOST_KEY_CHECKING'] = 'False'

Related: https://webui.ansibleguy.net/en/latest/usage/troubleshooting.html#ssh-hostkey-verification

mathieumd commented 1 month ago

I fully agree that it should be yes by default. I just thought that accept-new is a good compromise, without needing to change too many things in your (very nice) application. :-)

ansibleguy commented 1 month ago

Wow. It seems ansible-runner is setting it to false/no by default: https://github.com/ansible/ansible-runner/blob/devel/src/ansible_runner/config/_base.py#L325

Thank you for the report! 👍🏼
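To make the interaction discussed in this thread concrete, the following is an added example (not code from ansible-webui or ansible-runner). It models the quoted ansible-runner default (`ANSIBLE_HOST_KEY_CHECKING` is set to `False` when the caller did not set it) and shows how a job environment can request `accept-new` or `yes` instead, using Ansible's `ANSIBLE_HOST_KEY_CHECKING` and `ANSIBLE_SSH_COMMON_ARGS` variables; the resulting ssh behaviour is derived from the rule that Ansible emits `-o StrictHostKeyChecking=no` first when checking is disabled and OpenSSH honours the first occurrence of an option.

```python
"""Constructed model of how the runner default and a job's env interact."""
import shlex
from typing import Dict, Optional

SSH_MODES = ("yes", "accept-new", "no")


def apply_runner_default(env: Dict[str, str]) -> Dict[str, str]:
    """Mirror the ansible-runner logic quoted in the thread (not its code):
    if the caller did not set ANSIBLE_HOST_KEY_CHECKING, it becomes 'False'."""
    env = dict(env)
    if "ANSIBLE_HOST_KEY_CHECKING" not in env:
        env["ANSIBLE_HOST_KEY_CHECKING"] = "False"
    return env


def host_key_env(mode: str, base_env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Build the env a job should be launched with for a StrictHostKeyChecking mode.

    'no'         -> Ansible's own disable path (emits -o StrictHostKeyChecking=no)
    'accept-new' -> keep Ansible's check on; ssh records unknown hosts but
                    still refuses a changed key (OpenSSH >= 7.5)
    'yes'        -> keep Ansible's check on; ssh never adds unknown hosts
    """
    if mode not in SSH_MODES:
        raise ValueError(f"unsupported StrictHostKeyChecking mode: {mode}")
    env = dict(base_env or {})
    if mode == "no":
        env["ANSIBLE_HOST_KEY_CHECKING"] = "False"
        return env
    # Setting the variable explicitly prevents the runner default from downgrading it.
    env["ANSIBLE_HOST_KEY_CHECKING"] = "True"
    # ANSIBLE_SSH_COMMON_ARGS is appended to every ssh/scp/sftp invocation.
    extra = f"-o StrictHostKeyChecking={mode}"
    env["ANSIBLE_SSH_COMMON_ARGS"] = f"{env.get('ANSIBLE_SSH_COMMON_ARGS', '')} {extra}".strip()
    return env


def effective_mode(env: Dict[str, str]) -> str:
    """Derive the StrictHostKeyChecking level ssh ends up running with."""
    if env.get("ANSIBLE_HOST_KEY_CHECKING", "True").lower() in ("false", "no", "0"):
        return "no"  # Ansible's -o StrictHostKeyChecking=no comes first and wins
    args = shlex.split(env.get("ANSIBLE_SSH_COMMON_ARGS", ""))
    for i, arg in enumerate(args):
        if arg == "-o" and i + 1 < len(args) and args[i + 1].startswith("StrictHostKeyChecking="):
            return args[i + 1].split("=", 1)[1]  # first occurrence is the one ssh uses
    return "ask"  # OpenSSH default when nothing overrides it
```

`effective_mode(apply_runner_default({}))` yields `no`, which is the situation reported above; pre-setting the variable via `host_key_env("accept-new")` keeps the stricter mode through the runner default.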