Comments (12)
At SF puppetizelive, @torrancew mentioned that he's running into this problem when there's an EC-DSA key that overlaps with an existing (erroneous) RSA key: net::ssh prefers the RSA key (even when configured not to), which causes the known_hosts mismatch error. There is an upstream bug open on this (net-ssh/net-ssh#627) but it's not getting much traction. Either helping them fix it upstream or working around it in bolt would help a lot! 🥇
from bolt.
That would be great, to defer to ssh-config (or ~/.ssh/config) settings used by the underlying OpenSSH tool. I hope we can have more exposure in the inventory settings, and separate out an inventory name vs. actual hostname or IP address. This way I can meta-generate per environment (local dev vagrant vs. google cloud vs. aws vs. ...) on the fly, and not have to aggregate out explicit IP addresses or hostnames: when I have prod-web-01 vs. stage-web-01 vs. web-01.dev, but want to configure web-01 per environment.
Was this ever fixed in bolt? I'm getting the same error when I try to run a task on some of our CentOS nodes.
Failed on host.example.com:
Host key verification failed for host.example.com: fingerprint 9c:e6:8c:c8:13:01:9a:42:c9:73:49:7f:48:bd:1e:7a is unknown for "host.example.com,192.168.0.5"
Adding --no-host-key-check to the bolt command works but should not be necessary.
I cannot discern this from the debug output, whether it is ignoring Port, StrictHostKeyChecking, or another setting. In my setup, I also configured it to use private IP addresses, and can use this as an alternative to get into the system; I would try --nodes 127.0.0.1 --port 2222, but there's no support for a port option.
bolt command run 'hostname' \
--nodes 172.16.0.30 \
--user vagrant \
--private-key .vagrant/machines/tools.dev/virtualbox/private_key
Bolt has its own options for host key checking, since net::ssh does not support that from ssh config. Set --no-host-key-check on the cli, or host-key-check: false in config or inventory.
You can also pass a port as part of --nodes, such as --nodes 127.0.0.1:2222.
But it is ignoring this setting from the SSH configuration? If SSH is configured this way, why would we have to specify it again?
Fair enough, it's a shortcoming of the underlying library we use, but there is no reason we can't add it.
@blackknight36 Are you asking if picking up StrictHostKeyChecking from OpenSSH config files is supported? This is not currently available in the underlying net-ssh gem (https://net-ssh.github.io/net-ssh/classes/Net/SSH/Config.html). We are working on documenting what OpenSSH options are configurable outside of bolt config (https://tickets.puppetlabs.com/browse/BOLT-1227).
@donoghuc I do not have StrictHostKeyChecking enabled in my .ssh/config and the default setting is set to "ask" which works fine with the regular ssh command. Does net-ssh work with the /etc/ssh/known_hosts file? All of our host keys are exported by puppet and collected into this file any time the host key on a node changes.
Yes, net-ssh will respect known_hosts. I am not 100% sure if that location (/etc/ssh) is a default (for me it's ~/.ssh/known_hosts). You can configure it with:
Host *example.com
UserKnownHostsFile=/etc/ssh/known_hosts
IdentityFile ~/.ssh/private_key
User foo
Also, are you on bolt version >= 1.15.0? https://puppet.com/docs/bolt/latest/bolt_resolved_issues.html#known-hosts-weren-t-parsed-correctly-1-15-0 could be an issue.
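As an added diagnostic, not code from Bolt or the net-ssh gem: a Ruby script that applies OpenSSH's known_hosts matching rules (plain, hashed and [host]:port entries) to the list of names a client looks up, and prints fingerprints in the MD5 form shown in the error above, so a "fingerprint is unknown" failure can be explained rather than silenced with --no-host-key-check. The known_hosts content, key blob and host names are constructed for the example.

```ruby
# Added diagnostic (not Bolt's or net-ssh's code): check a host's key against
# known_hosts the way OpenSSH does, so "fingerprint ... is unknown for host" can be
# explained (name form, hashed entry, changed key) instead of silenced. Stdlib only.
require 'digest'
require 'openssl'

# OpenSSH-style fingerprints for a raw public key blob (the base64 field, decoded).
def md5_fingerprint(blob)
  Digest::MD5.hexdigest(blob).scan(/../).join(':')   # 9c:e6:8c:... form from the error
end
def sha256_fingerprint(blob)
  'SHA256:' + [Digest::SHA256.digest(blob)].pack('m0').delete('=')
end

# Match one known_hosts host pattern: hashed entries (|1|salt|hmac, HMAC-SHA1 keyed
# by the salt), * and ? wildcards, and [host]:port for non-default ports. Negated
# (!) patterns are not handled.
def host_pattern_match?(pattern, name)
  if pattern.start_with?('|1|')
    _, _, salt, mac = pattern.split('|')
    return OpenSSL::HMAC.digest('SHA1', salt.unpack1('m0'), name) == mac.unpack1('m0')
  end
  regex = Regexp.escape(pattern).gsub('\*', '.*').gsub('\?', '.')
  name.match?(/\A#{regex}\z/)
end

# :match, :mismatch (an entry exists for a name but holds a different key) or :unknown.
# `names` is what the client looks up, e.g. ["host.example.com", "192.168.0.5"].
def known_host_status(known_hosts, names, key_type, blob)
  seen = false
  known_hosts.each_line do |line|
    fields = line.strip.split(/\s+/)
    fields.shift if fields.first&.start_with?('@')   # @cert-authority / @revoked markers
    next if fields.size < 3 || fields.first.start_with?('#')
    hosts, type, b64 = fields
    next unless hosts.split(',').any? { |p| names.any? { |n| host_pattern_match?(p, n) } }
    seen = true
    return :match if type == key_type && b64.unpack1('m0') == blob
  end
  seen ? :mismatch : :unknown
end

# Constructed sample: an ed25519 blob listed for the hostname and (hashed) for a
# port-qualified loopback address, but not for the bare IP 192.168.0.5.
SAMPLE_BLOB = [11, 'ssh-ed25519', 32, "\x42" * 32].pack('Na*Na*')
SAMPLE_B64 = [SAMPLE_BLOB].pack('m0')
SALT = "\0" * 20
HASHED = "|1|#{[SALT].pack('m0')}|#{[OpenSSL::HMAC.digest('SHA1', SALT, '[127.0.0.1]:2222')].pack('m0')}"
SAMPLE_KNOWN_HOSTS = "host.example.com ssh-ed25519 #{SAMPLE_B64}\n#{HASHED} ssh-ed25519 #{SAMPLE_B64}\n"
```

Calling `known_host_status(SAMPLE_KNOWN_HOSTS, ['192.168.0.5'], 'ssh-ed25519', SAMPLE_BLOB)` returns :unknown while the hostname form returns :match, which is the situation behind the "host.example.com,192.168.0.5" error when only one of the two names was ever recorded.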
@donoghuc Thanks for the help. I'm still not sure why bolt is giving an ssh key error when I connect to a host that is already in my known_hosts file and my ssh-agent is working correctly. I'm not having any issues connecting to hosts through ssh outside of bolt either.