Open pikeas opened 2 years ago
Unfortunately this is an upstream problem with the SSH library used by pyinfra, Paramiko: https://github.com/paramiko/paramiko/issues/771
Leaving this open as it’s unresolved but relabelled as a dependency issue.
2024 update: still broken in Paramiko but not in the same way.
https://github.com/paramiko/paramiko/issues/2320
The bad news: Paramiko breaks differently. The good news: there's a two line patch in https://github.com/paramiko/paramiko/pull/2434 that fixes this.
https://github.com/paramiko/paramiko/issues/771
Paramiko now warns with an Incorrect padding error, adds an entry for the host key, and also silently removes @cert-authority lines from ~/.ssh/known_hosts.
Anyone using PyInfra will likely have a very bad and confusing day if they're ever bitten by this - please add a warning to the docs.
It looks like it's actually PyInfra removing @cert-authority, I've opened https://github.com/pyinfra-dev/pyinfra/issues/1209.
Describe the bug
Pyinfra prompts for SSH host key verification when the host presents a valid certificate trusted by the user.
To Reproduce
Expected behavior
Pyinfra should connect without prompting for host key verification.
Meta
Pyinfra v2.2 macOS-12.3.1-arm64-arm-64bit, Python 3.10.5
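
Added example (not part of the issue thread, and not pyinfra or Paramiko code): a check that compares a backup of ~/.ssh/known_hosts with the current file and reports @cert-authority entries that have gone missing, the silent removal described in the comments above. The marker-unaware `naive_key_bytes` split is an assumption used to show how such a line can produce an Incorrect padding error; all function names, hosts and key blobs are constructed.

```python
import base64
import binascii

MARKERS = ("@cert-authority", "@revoked")  # line markers defined in sshd(8)

def parse_line(line):
    """Return (marker, hosts, keytype, key_b64), or None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    marker = None
    if fields[0] in MARKERS:
        marker, fields = fields[0], fields[1:]
    if len(fields) < 3:
        raise ValueError(f"malformed known_hosts line: {line!r}")
    hosts, keytype, key_b64 = fields[:3]
    base64.b64decode(key_b64, validate=True)  # reject a non-base64 key field
    return marker, hosts, keytype, key_b64

def naive_key_bytes(line):
    """Marker-unaware split (illustrative assumption): treats field 3 as the key."""
    _hosts, _keytype, key_b64 = line.split()[:3]
    return base64.b64decode(key_b64)

def cert_authorities(text):
    """Set of (hosts, keytype, key_b64) for every @cert-authority line."""
    entries = set()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "@cert-authority":
            entries.add(parsed[1:])
    return entries

def missing_cert_authorities(before, after):
    """CA entries present in the backup text but absent from the current text."""
    return sorted(cert_authorities(before) - cert_authorities(after))

# Constructed sample data: placeholder blobs, not real keys.
CA_KEY = base64.b64encode(b"constructed-ca-key-blob").decode()
HOST_KEY = base64.b64encode(b"constructed-host-key-blob").decode()
BEFORE = f"@cert-authority *.example.com ssh-ed25519 {CA_KEY}\n"
AFTER = f"web1.example.com ssh-ed25519 {HOST_KEY}\n"  # CA line gone, host key added

if __name__ == "__main__":
    for hosts, keytype, _key in missing_cert_authorities(BEFORE, AFTER):
        print("lost @cert-authority entry:", hosts, keytype)
    try:
        naive_key_bytes(BEFORE.splitlines()[0])
    except binascii.Error as exc:
        print("naive parse of marker line:", exc)
```

Run it with the contents of a known_hosts backup taken before a deploy and the file as it stands afterwards; a non-empty result means a trusted CA entry was dropped and hosts will fall back to per-host key prompts.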