If there is value in this change of behavior, then cool. I have some other work-arounds in mind that shouldn't be a big deal.
-------- Brent -------- On Mon, Jun 9, 2014 at 12:53 PM, Michael DeHaan <mich...@ansible.com> wrote: > Per IRC, I'm open to that being a thing. > > > > > On Mon, Jun 9, 2014 at 1:04 PM, Jesse Keating <jkeat...@j2solutions.net> > wrote: > >> ansible_ssh_args does not appear to be a config value used by Ansible. >> >> [ssh_connection] >> ssh_args >> >> that is read, and looking at the source, it appears the environment >> ANSIBLE_SSH_ARGS is read by the ssh connection plugin. >> >> I'll try to play around and see if I can get that manipulated /in the >> middle/ of a playbook, but it looks fairly awkward to accomplish. This is a >> setting we'd want to set after the initial few connections. >> >> -jlk >> >> >> On Mon, Jun 9, 2014 at 7:44 AM, Michael DeHaan <mich...@ansible.com> >> wrote: >> >>> ansible_ssh_args is leveragable here to pass additional arguments >>> correct? >>> >>> Also this is configurable in ansible.cfg. >>> >>> >>> >>> >>> On Sat, Jun 7, 2014 at 11:34 AM, Brent Langston <brent...@brentley.net> >>> wrote: >>> >>>> I see your logic, but I think this world break a use case I have in my >>>> environment where a bot layers on the appropriate key depending on what it >>>> is doing. >>>> >>>> There is the config key for initiating a config run, the provisioning >>>> key for each environment, the deploy key for each environment, and the >>>> security group key for each region. >>>> >>>> Config key is always in the agent, but the others are loaded as needed. >>>> >>>> The examples you mentioned seem more like something I would be doing >>>> occasionally, or one off. For that situation, it would be just as easy to >>>> drop keys from my agent to test a new key is working before removing the >>>> old. >>>> On Jun 7, 2014 1:08 AM, "Jesse Keating" <jkeat...@j2solutions.net> >>>> wrote: >>>> >>>>> With ansible, one can define ansible_ssh_private_key=/some/key >>>>> per-host, to define which private key will be sent along for which hosts. >>>>> This is pretty useful, but I think it's missing the next bit of >>>>> usefulness, >>>>> using that private key /exclusively/. As it stands, when you define >>>>> ansible_ssh_private_key, the Ansible code will add -o >>>>> IdentityFile=/some/key to the SSH arguments. This directs SSH to /include/ >>>>> this key along with the rest of the keys it may get from ssh-agent when >>>>> attempting to make the connection. In order to use the defined key >>>>> exclusively, an extra option needs to be passed along, -o >>>>> IdentitiesOnly=yes . This will direct SSH to /only/ attempt using the >>>>> provided private key. >>>>> >>>>> This functionality would be useful in key rotation, making sure the >>>>> new key works before removing any old keys from authorized_keys. It also >>>>> has security impact, making sure the remote side is responding to the >>>>> specific key we're providing, indicating it has the public part of this >>>>> particular key and not some other key that's letting ssh in. >>>>> >>>>> The code to add this doesn't look too bad, albeit spread across a few >>>>> connection plugins and one module. I'm willing to put the work in if this >>>>> is seen as as a useful and acceptable change in behavior. Note that at >>>>> this >>>>> time I'm not asking for an additional Ansible config entry or argument to >>>>> toggle this feature, what I"m asking for is a behavior change to go along >>>>> with the already existing config of ansible_ssh_private_key. >>>>> >>>>> -jlk >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Ansible Project" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to ansible-project+unsubscr...@googlegroups.com. >>>>> To post to this group, send email to ansible-project@googlegroups.com. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msgid/ansible-project/85C084BE-9C91-42AF-A2BD-6370132A41EF%40j2solutions.net >>>>> . >>>>> For more options, visit https://groups.google.com/d/optout. >>>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ansible Project" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to ansible-project+unsubscr...@googlegroups.com. >>>> To post to this group, send email to ansible-project@googlegroups.com. >>>> To view this discussion on the web visit >>>> https://groups.google.com/d/msgid/ansible-project/CABta7G1F8Wiv5%3DpkDxWR7L0ZggX4UNDZV4%3DPw2Eoq22j%2BF1k-g%40mail.gmail.com >>>> <https://groups.google.com/d/msgid/ansible-project/CABta7G1F8Wiv5%3DpkDxWR7L0ZggX4UNDZV4%3DPw2Eoq22j%2BF1k-g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>>> For more options, visit https://groups.google.com/d/optout. >>>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Project" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to ansible-project+unsubscr...@googlegroups.com. >>> To post to this group, send email to ansible-project@googlegroups.com. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgyjnajoLL9A-MoR6-P%3DZDUQvr7EWEWp1wpthv%2Byg0F_ig%40mail.gmail.com >>> <https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgyjnajoLL9A-MoR6-P%3DZDUQvr7EWEWp1wpthv%2Byg0F_ig%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ansible Project" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ansible-project+unsubscr...@googlegroups.com. >> To post to this group, send email to ansible-project@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ansible-project/CALdYhVRUFW5BnFJJDaAM8uz9TVnvyL3_6OXxNJCJUsCaOu1Keg%40mail.gmail.com >> <https://groups.google.com/d/msgid/ansible-project/CALdYhVRUFW5BnFJJDaAM8uz9TVnvyL3_6OXxNJCJUsCaOu1Keg%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> For more options, visit https://groups.google.com/d/optout. >> > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ansible-project+unsubscr...@googlegroups.com. > To post to this group, send email to ansible-project@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzHoJAV-P5SdovEwUSG%3D73O9m_%3DKmr%2B5-MGLZsWKKSNBQ%40mail.gmail.com > <https://groups.google.com/d/msgid/ansible-project/CA%2BnsWgzHoJAV-P5SdovEwUSG%3D73O9m_%3DKmr%2B5-MGLZsWKKSNBQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CABta7G0htdbaoOcGUCxT%3DWtydi8_ha9CriygtNWE59Ed%2BKfrow%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
