Collect SSH Keys with Ansible

Here’s a common scenario I’m encountering on Ansible-related forums:

Q: I cannot connect to network devices with my Ansible network modules. I keep getting these weird error messages…

Me: Are you sure you have the device SSH keys in known_hosts file?

Q: How did you know?

Me: Been there, done that…

I’m describing the challenge and the potential solutions in more detail in the Ansible Networking Modules part of the Ansible for Networking Engineers webinar and online course.

In my case, the situation got really annoying because I’m using Cisco IOS devices running in VIRL to test my Ansible scripts, and there’s absolutely no way to retain the router SSH keys across device or VIRL reloads.

Finally, I found an Ansible playbook that used ssh-keyscan to collect SSH keys. It was easy to adapt it to collect keys from managed devices and store them in the known_hosts file on your Ansible host.

In case you’re wondering how that playbook works, I described it in detail in the Sample Ansible Playbooks section of the Ansible for Networking Engineers online course.
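The following playbook is an added example of the approach described above; it is not the playbook the post refers to and not code from the course. It assumes an inventory group named `network` whose hosts set `ansible_host` to the address Ansible connects to, and that the controller's `~/.ssh/known_hosts` is the file the SSH connection plugin will check. Each device is scanned with `ssh-keyscan`, and every key line returned is handed to the `ansible.builtin.known_hosts` module, one key per type.

```yaml
---
# Added example (not the post's own playbook): collect device host keys
# with ssh-keyscan and record them in the controller's known_hosts.
# Assumptions: inventory group 'network', ansible_host set per device.
- name: Collect SSH host keys from managed network devices
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    known_hosts_path: "{{ lookup('env', 'HOME') }}/.ssh/known_hosts"
    devices: "{{ groups['network'] | default([]) }}"   # assumed group name
  tasks:
    - name: Scan the host keys of every device
      ansible.builtin.command:
        argv:
          - ssh-keyscan
          - -T
          - "5"                                          # per-host timeout
          - "{{ hostvars[item].ansible_host | default(item) }}"
      loop: "{{ devices }}"
      register: keyscan
      changed_when: false
      # ssh-keyscan can exit 0 with nothing on stdout (host silent or
      # unreachable), so treat an empty result as a failure for that host.
      failed_when: keyscan.rc != 0 or keyscan.stdout | length == 0

    - name: Record each scanned key in known_hosts
      ansible.builtin.known_hosts:
        path: "{{ known_hosts_path }}"
        # The name must match the first field of the key line, which is
        # the address ssh-keyscan was pointed at.
        name: "{{ hostvars[item.0.item].ansible_host | default(item.0.item) }}"
        key: "{{ item.1 }}"
        state: present
      # subelements yields (result, key_line) pairs, one per key type.
      loop: "{{ keyscan.results | subelements('stdout_lines') }}"
      loop_control:
        label: "{{ item.0.item }}"
```

Run it with `ansible-playbook collect-keys.yml` before the first play that talks to the devices. When a VIRL reload regenerates a router's keys, the known_hosts module replaces the stale entry of the same key type rather than appending a conflicting one. Keep in mind what the scan establishes: `ssh-keyscan` records whatever key the far end presents, so the first collection is a trust-on-first-use step and should be run from the management network you already trust, not across a path where the device's identity could be spoofed.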

4 comments:

  1. For environments like testing in VIRL it seems significantly easier to just selectively disable host key checking via passing an extra var of host_key_checking=False when running the playbook.
    Replies
    1. If you develop your playbooks on VIRL (because IOS, for example), then "selectively" means "always". Yes, I could disable host key checking in ansible.cfg (passing it via extra vars just sucks), but I prefer to do things the right way. YMMV
  2. This probably won't work on legacy network hardware but if you are on Cumulus or other Linux based software environments, SSH host key signing might be an easier/better way than simply disabling host key checking.

    This is a slightly outdated but still valid example on Ubuntu:
    https://www.digitalocean.com/community/tutorials/how-to-create-an-ssh-ca-to-validate-hosts-and-clients-with-ubuntu

    Getting your host keys signed and put in the right place is only a matter of a few steps in Ansible :-)
  3. Funny, I wrote an Ansible play for that a few weeks ago :)