ansistrano / deploy

Ansible role to deploy scripting applications like PHP, Python, Ruby, etc. in a capistrano style
https://ansistrano.com
MIT License

git accept_hostkey usage #266

Closed ice-8 closed 6 years ago

ice-8 commented 6 years ago

hi.

in tasks/update-code/git.yml the ansible module git is used with the option

accept_hostkey: true

and as you can see in the docs (http://docs.ansible.com/ansible/latest/git_module.html), you should set

ssh_opts: "-o StrictHostKeyChecking=no"

as well in this case. Could you please add this option to tasks/update-code/git.yml?

Otherwise, in some cases you can get an error with the git host's ssh key.

For instance, I got it in a case where the accepted host ssh key was RSA (which looks like it was taken by ssh-keyscan via the option accept_hostkey: true), but the key received by git clone was ecdsa-sha2-nistp256, and the role failed with the error

fatal: [DEPLOYEDHOST]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote origin -h refs/heads/master", "failed": true, "msg": "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@       WARNING:********@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ECDSA key sent by the remote host is\nSHA256:JietJP5MN2iP0b54sroueDE5vNFpUA9z1mhhHukuv5g.\r\nPlease contact your system administrator.\r\nAdd correct host key in /root/.ssh/known_hosts to get rid of this message.\r\nOffending RSA key in /root/.ssh/known_hosts:1\r\n  remove with:\r\n  ssh-keygen -f \"/root/.ssh/known_hosts\" -R GITLABHOST\r\nECDSA host key for GITLABHOST has changed and you have requested strict checking.\r\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nThe ECDSA host key for GITLABHOST has changed,\r\nand the key for the corresponding IP address IPADDRESS\r\nis unknown. This could either mean that\r\nDNS SPOOFING is happening or the IP address for the host\r\nand its host key have changed at the same time.\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ECDSA key sent by the remote host is\nSHA256:JietJP5MN2iP0b54sroueDE5vNFpUA9z1mhhHukuv5g.\r\nPlease contact your system administrator.\r\nAdd correct host key in /root/.ssh/known_hosts to get rid of this message.\r\nOffending RSA key in /root/.ssh/known_hosts:1\r\n  remove with:\r\n  ssh-keygen -f \"/root/.ssh/known_hosts\" -R GITLABHOST\r\nECDSA host key for GITLABHOST has changed and you have requested strict checking.\r\nHost key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}

which has been resolved by adding

ssh_opts: "-o StrictHostKeyChecking=no"

to the task for git.

Thank you.

ice-8 commented 6 years ago

and here is a diff:

diff --git a/tasks/update-code/git.yml b/tasks/update-code/git.yml
index 55c0fb1..21988a7 100644
--- a/tasks/update-code/git.yml
+++ b/tasks/update-code/git.yml
@@ -20,6 +20,7 @@
     dest: "{{ ansistrano_deploy_to }}/repo"
     version: "{{ ansistrano_git_branch }}"
     accept_hostkey: true
+    ssh_opts: "-o StrictHostKeyChecking=no"
     update: yes
     force: yes
     refspec: "{{ ansistrano_git_refspec | default(omit) }}"
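Review bot: hardcoding `ssh_opts: "-o StrictHostKeyChecking=no"` turns host key verification off for every deploy, which silences the man-in-the-middle warning quoted in the issue instead of fixing the stale RSA entry in known_hosts that caused it. Make it opt-in the same way the next line handles `refspec`, e.g. `ssh_opts: "{{ ansistrano_git_ssh_opts | default(omit) }}"` (variable name is a suggestion), so the default keeps strict checking and users who need the option set it deliberately.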
@@ -32,6 +33,7 @@
     dest: "{{ ansistrano_deploy_to }}/repo"
     version: "{{ ansistrano_git_branch }}"
     accept_hostkey: true
+    ssh_opts: "-o StrictHostKeyChecking=no"
     update: yes
     force: yes
     refspec: "{{ ansistrano_git_refspec | default(omit) }}"
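Review bot: the same literal option is duplicated in the second git task; if the first hunk becomes a variable, this task has to read the same variable, otherwise the two code paths diverge. It is also worth documenting that the failure reported here (an RSA entry in known_hosts while the server presents an ECDSA key) is fixed by correcting known_hosts, as the error text itself suggests with `ssh-keygen -R GITLABHOST`, rather than by disabling checking.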

ricardclau commented 6 years ago

Cool, will add this variable as optional

It will be empty (and omitted) by default, as making this a default would break security, but you will be able to supply such options if you decide to ignore man-in-the-middle warnings.
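As an added example (not code from the ansistrano role or from either commenter), here is how a deploy play can avoid the RSA/ECDSA mismatch reported above while keeping host key verification on: it removes the stale entry, pins the server's verified ECDSA key with Ansible's known_hosts module, and only then runs the git task. The play name, host group, `deploy_to`, the `GITLABHOST` placeholder and the key line are constructed placeholders.

```yaml
# Added example, not part of the ansistrano role. GITLABHOST, the host
# group, deploy_to and git_host_key_line are constructed placeholders.
- name: Deploy with a pinned Git host key (strict checking stays on)
  hosts: webservers
  vars:
    git_host: GITLABHOST
    deploy_to: /var/www/app
    # known_hosts line in "<host> <keytype> <base64 key>" form. Obtain the
    # real key out of band (e.g. from the provider's published fingerprints),
    # never by copying whatever a failing clone happens to report.
    git_host_key_line: "GITLABHOST ecdsa-sha2-nistp256 AAAAE2VjZHNh...PLACEHOLDER"
  tasks:
    # Step 1: drop every existing entry for the host, including the RSA key
    # that accept_hostkey (via ssh-keyscan) stored on an earlier run.
    # With state=absent and no key, all keys for that host are removed.
    - name: Remove stale known_hosts entries for the Git host
      ansible.builtin.known_hosts:
        name: "{{ git_host }}"
        state: absent

    # Step 2: install the verified key; only this exact key will be trusted.
    - name: Pin the verified ECDSA host key
      ansible.builtin.known_hosts:
        name: "{{ git_host }}"
        key: "{{ git_host_key_line }}"
        state: present

    # Step 3: clone with verification enforced. Contrast with the issue's
    # "-o StrictHostKeyChecking=no", which accepts whatever key is offered,
    # including one presented by a man-in-the-middle.
    - name: Clone the repository with strict host key checking
      ansible.builtin.git:
        repo: "git@{{ git_host }}:group/project.git"
        dest: "{{ deploy_to }}/repo"
        version: main
        accept_hostkey: false
        ssh_opts: "-o StrictHostKeyChecking=yes"
```

If the server legitimately rotates its key, the play fails at step 3 until `git_host_key_line` is updated, which is the desired behaviour: a key change is surfaced as a deliberate configuration update rather than silently accepted.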

ricardclau commented 6 years ago

Solved in #271