From bf29458726496ee759f515cefe9e91fc26a533bd Mon Sep 17 00:00:00 2001
From: Brian Coca
Date: Wed, 25 Oct 2023 12:02:29 -0400
Subject: [PATCH] Address nuance in key checking docs (#82058)
* Address nuance in key checking docs and add note to ssh plugin to let users know 'final authoritative source'.
* Update lib/ansible/plugins/connection/ssh.py
Co-authored-by: Abhijeet Kasurde
---
 lib/ansible/config/base.yml | 8 +++++---
 lib/ansible/plugins/connection/ssh.py | 4 +++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
index 057f66430cc..7929bafce9f 100644
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@@ -1499,11 +1499,13 @@ GALAXY_REQUIRED_VALID_SIGNATURE_COUNT:
 - This should be a positive integer or all to indicate all signatures must successfully validate the collection.
 - Prepend + to the value to fail if no valid signatures are found for the collection.
 HOST_KEY_CHECKING:
- # note: constant not in use by ssh plugin anymore
+ # NOTE: constant not in use by ssh/paramiko plugins anymore, but they do support the same configuration sources
 # TODO: check non ssh connection plugins for use/migration
- name: Check host keys
+ name: Toggle host/key check
 default: True
- description: 'Set this to "False" if you want to avoid host key checking by the underlying tools Ansible uses to connect to the host'
+ description:
+ - Set this to "False" if you want to avoid host key checking by the underlying connection plugin Ansible uses to connect to the host.
+ - Please read the documentation of the specific connection plugin used for details.
 env: [{name: ANSIBLE_HOST_KEY_CHECKING}]
 ini:
 - {key: host_key_checking, section: defaults}
diff --git a/lib/ansible/plugins/connection/ssh.py b/lib/ansible/plugins/connection/ssh.py
index dc8ffbff142..9754397efa9 100644
--- a/lib/ansible/plugins/connection/ssh.py
+++ b/lib/ansible/plugins/connection/ssh.py
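Review bot: The rewritten `HOST_KEY_CHECKING` description still does not say what is given up when the value is "False": host key verification is what lets a connection notice that it has reached a different machine than the one recorded for that host, so switching it off removes that check for every connection plugin that reads this setting. I would add a third description item such as `- Disabling host key checking removes protection against connecting to an impersonated or intercepted host.` The `host_key_checking` description changed in the last hunk of lib/ansible/plugins/connection/ssh.py lacks the same caveat. Separately, `name: Toggle host/key check` reads as "host or key"; `Toggle host key checking` would match the option name.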
@@ -19,6 +19,8 @@ DOCUMENTATION = ''' - connection_pipelining version_added: historical notes: + - This plugin is mostly a wrapper to the ``ssh`` CLI utility and the exact behavior of the options depends on this tool. + This means that the documentation provided here is subject to be overridden by the CLI tool itself. - Many options default to V(None) here but that only means we do not override the SSH tool's defaults and/or configuration. For example, if you specify the port in this plugin it will override any C(Port) entry in your C(.ssh/config). - The ssh CLI tool uses return code 255 as a 'connection error', this can conflict with commands/tools that @@ -35,7 +37,7 @@ DOCUMENTATION = ''' - name: delegated_vars['ansible_host'] - name: delegated_vars['ansible_ssh_host'] host_key_checking: - description: Determines if SSH should check host keys. + description: Determines if SSH should reject or not a connection after checking host keys. default: True type: boolean ini:
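Review bot: The added note that the documentation "is subject to be overridden by the CLI tool itself" does not tell the reader where such an override would come from, which matters most for security options like `host_key_checking`. The context line that follows already mentions C(.ssh/config), so the new note could point there directly, e.g. `Settings from the ssh client configuration files still apply wherever this plugin does not override them.` The DOCUMENTATION string starts and ends outside the hunk, so this may already be covered further down.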
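Review bot: `Determines if SSH should reject or not a connection after checking host keys.` is hard to parse and does not say which value gives which behaviour. A wording along the lines of `Whether SSH refuses the connection when host key verification fails. V(False) lets the connection proceed without that check.` would be easier to act on. The exact behaviour for V(True) depends on code outside this hunk and should be confirmed against it. The option's remaining keys (`ini:` onwards) continue past the end of the hunk.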