SSH is NOT hard to manage. You need a well-defined management practice. We have a service account on our machines with a populated SSH public key. We tightly control access to the private key.
Walter

--
Walter Rowe, Division Chief Infrastructure Services, OISM
Mobile: 202.355.4123

On Mar 25, 2023, at 3:49 PM, Nico Kadel-Garcia <nka...@gmail.com> wrote:

> On Sat, Mar 25, 2023 at 2:24 AM 'Neil Young' via Ansible Project <ansible-project@googlegroups.com> wrote:
>
>> Sounds legit and works. But isn't "StrictHostKeyChecking=no" dangerous? (To not start a religious war here :))
>
> There is an increased risk. The risk of needing to clean up from reset host keys is also a significant one, and tuning and picking which keys are and are without that filter is a burden. Tools like ansible can, in theory, provide just such tuning on a server-by-server and SSH-service by SSH-service basis. But I've several times encountered git server setups where the admin copied over the Host's private keys, but not the exposed git related SSH service's keys because he *did not understand the distinction*, and it's seriously screwed up working setups both for the Ansible server and the clients.
>
> Manually inserting the options into all the SSH commands eliminates those checks on a case-by-case basis, but frankly, I have a day job, not the time to go implant the workaround into every developer's SSH command line settings.
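An added example, not part of the thread or of Ansible: one way to keep host key checking enabled is to audit `known_hosts` against an inventory of expected keys, treating a host's sshd on port 22 and a separate SSH service on another port (stored by OpenSSH as `[host]:port`) as distinct endpoints. The hostnames, ports, key strings and the `EXPECTED` inventory are constructed placeholders.

```python
import re

# Constructed sample known_hosts content; the key strings are placeholders, not real keys.
KNOWN_HOSTS = """\
git.example.com,192.0.2.10 ssh-ed25519 AAAAC3HOSTKEYPLACEHOLDER
[git.example.com]:2222 ssh-ed25519 AAAAC3HOSTKEYPLACEHOLDER
[build.example.com]:2222 ssh-ed25519 AAAAC3BUILDKEYPLACEHOLDER
"""

# Hypothetical inventory: the key each (host, port) endpoint is supposed to present.
EXPECTED = {
    ("git.example.com", 22): "ssh-ed25519 AAAAC3HOSTKEYPLACEHOLDER",
    ("git.example.com", 2222): "ssh-ed25519 AAAAC3GITSVCKEYPLACEHOLDER",
    ("build.example.com", 2222): "ssh-ed25519 AAAAC3BUILDKEYPLACEHOLDER",
    ("build.example.com", 22): "ssh-ed25519 AAAAC3BUILDHOSTPLACEHOLDER",
}

# OpenSSH writes non-default ports as "[host]:port"; a bare name means port 22.
BRACKETED = re.compile(r"^\[(?P<host>[^\]]+)\]:(?P<port>\d+)$")

def parse_known_hosts(text):
    """Map (host, port) -> set of 'keytype key' strings pinned for that endpoint."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Skip @cert-authority/@revoked markers and hashed names (not comparable as strings).
        if fields[0].startswith(("@", "|1|")) or len(fields) < 3:
            continue
        for pattern in fields[0].split(","):
            m = BRACKETED.match(pattern)
            endpoint = (m["host"], int(m["port"])) if m else (pattern, 22)
            pinned.setdefault(endpoint, set()).add(f"{fields[1]} {fields[2]}")
    return pinned

def audit(text, expected):
    """Return endpoint -> 'ok', 'missing' (nothing pinned) or 'mismatch' (wrong key pinned)."""
    pinned = parse_known_hosts(text)
    report = {}
    for endpoint, key in expected.items():
        keys = pinned.get(endpoint)
        report[endpoint] = "missing" if keys is None else ("ok" if key in keys else "mismatch")
    return report

if __name__ == "__main__":
    for (host, port), status in sorted(audit(KNOWN_HOSTS, EXPECTED).items()):
        print(f"{host}:{port} {status}")
```

A `missing` or `mismatch` result is something to resolve in the inventory or on the server before a play runs, rather than by passing `StrictHostKeyChecking=no`.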