From ad89a66878853bfc8b258ec79c287fa05487d5f6 Mon Sep 17 00:00:00 2001 From: Pavel Raiskup Date: Mon, 29 Nov 2021 14:20:03 +0100 Subject: [PATCH] tasks/aws_cloud.yml: prefer ed25519 keys for now Seems like either the RHEL 8 (batcave) or Fedora 35 system (Fedora Copr Infra) prefers ed25519 keys over rsa, leading to weird auth problems: TASK [allow root ssh connections] *************************************************************************************************************************** Monday 29 November 2021 13:06:43 +0000 (0:00:00.314) 0:00:03.632 ******* Monday 29 November 2021 13:06:43 +0000 (0:00:00.314) 0:00:03.632 ******* fatal: [copr-be-dev.aws.fedoraproject.org]: UNREACHABLE! => {"changed": false, "msg": "Data could not be sent to remote host \"copr-be-dev.aws.fedoraproject.org\". Make sure this host can be reached over ssh: Certificate invalid: name is not a listed principal\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @\r\n@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\nIT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!\r\nSomeone could be eavesdropping on you right now (man-in-the-middle attack)!\r\nIt is also possible that a host key has just been changed.\r\nThe fingerprint for the ED25519 key sent by the remote host is\nSHA256:Cgs/aoJl9OJheAtZZ2CDiYx9ZeFMwD6dUYUJpPDTl58.\r\nPlease contact your system administrator.\r\nAdd correct host key in /root/.ssh/known_hosts to get rid of this message.\r\nOffending RSA key in /root/.ssh/known_hosts:21\r\nED25519 host key for copr-be-dev.aws.fedoraproject.org has changed and you have requested strict checking.\r\nHost key verification failed.\r\n", "unreachable": true} This lets us move forward with the tomorrow's update. The previous hack(s) were not OK. --- tasks/aws_cloud.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
diff --git a/tasks/aws_cloud.yml b/tasks/aws_cloud.yml
index c09ad9c690..9a22e93a21 100644
--- a/tasks/aws_cloud.yml
+++ b/tasks/aws_cloud.yml
@@ -14,16 +14,12 @@ local_action: known_hosts path={{item}} host={{ inventory_hostname }} state=absent
- # HACK! We repeat this task 3 times. We assume that "known_hosts" module is
- # broken, and it removes only the first host key available (not all of them).
 with_items:
 - /root/.ssh/known_hosts
- - /root/.ssh/known_hosts
- - /root/.ssh/known_hosts
 when: birthday is defined
 - name: gather the temporary ssh host key from the new instance
- local_action: command ssh-keyscan -t rsa {{ inventory_hostname }}
+ local_action: command ssh-keyscan -t ed25519 {{ inventory_hostname }}
 register: hostkey
 when: birthday is defined
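Review bot: Hard-coding `-t ed25519` on the changed `ssh-keyscan` line keeps the fragility the commit is working around: `-t rsa` broke as soon as the client started negotiating an ED25519 host key first, and a future change in the client's host-key preference would break this task the same way. `ssh-keyscan -t` accepts a comma-separated list, so `local_action: command ssh-keyscan -t rsa,ed25519 {{ inventory_hostname }}` would record every type the instance offers; whatever consumes the registered `hostkey` later (outside this hunk) would then need to accept more than one line. A comment on the task such as `# the scanned key is accepted as-is (trust on first use, no out-of-band check)` would make the trust assumption visible to the next maintainer. Separately, the commit message says the triple removal was a hack but not that the `known_hosts` module now removes every stale entry for the host; if it still removes only one, a leftover entry for a reused hostname could trigger the same "host key has changed" failure quoted in the description.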