Add support for SSH Host Key Checking

By default it seems that SSH host key checking has been disabled. This patch makes it optional. If a variable named known_hosts is passed in, the key checking will be enabled. The variable should contain the complete contents of the known_hosts file, which must contain the public key(s) of the host(s) in the inventory.
2024-10-21 21:56:08 -06:00 · 2021-04-04 14:51:37 -04:00 · 2021-04-04 14:51:37 -04:00 · d45b74f42d
commit d45b74f42d
parent aad578fcdd
4 changed files with 32 additions and 2 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -65,11 +65,15 @@ jobs:
            Subsystem sftp /usr/lib/openssh/sftp-server
          EOF
          sudo systemctl restart sshd
+          echo 'SSH_KNOWN_HOSTS<<EOF' >> $GITHUB_ENV
+          echo $(ssh-keyscan localhost) >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
      - name: With everything
        uses: ./
        with:
          playbook: playbook.yml
          key: ${{env.SSH_PRIVATE_KEY}}
+          known_hosts: ${{env.SSH_KNOWN_HOSTS}}
          directory: test
          vault_password: test
          requirements: requirements.yml
--- a/action.yml
+++ b/action.yml
@ -22,6 +22,9 @@ inputs:
  vault_password:
    description: The password used for decrypting vaulted files
    required: false
+  known_hosts:
+    description: Contents of SSH known_hosts file
+    required: false
  options:
    description: Extra options that should be passed to ansible-playbook command
    required: false
--- a/main.js
+++ b/main.js
@ -12,6 +12,7 @@ async function main() {
        const key = core.getInput("key")
        const inventory = core.getInput("inventory")
        const vaultPassword = core.getInput("vault_password")
+        const knownHosts = core.getInput("known_hosts")
        const options = core.getInput("options")

        let cmd = ["ansible-playbook", playbook]
@ -63,10 +64,27 @@ async function main() {
            cmd.push(vaultPasswordFile)
        }

-        process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+        if (knownHosts) {
+            const knownHostsFile = ".ansible_known_hosts"
+            fs.writeFileSync(knownHostsFile, knownHosts, { mode: 0600 })
+            core.saveState("knownHostsFile", knownHostsFile)
+            let known_hosts_param = [
+                "--ssh-common-args=",
+                "\"",
+                "-o UserKnownHostsFile=",
+                knownHostsFile,
+                "\""
+            ].join('')
+            cmd.push(known_hosts_param)
+            process.env.ANSIBLE_HOST_KEY_CHECKING = "True"
+        } else {
+            process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+        }
+
        process.env.ANSIBLE_FORCE_COLOR = "True"

-        await exec.exec(cmd.join(" "))
+        await exec.exec(cmd.join(' '))
+
    } catch (error) {
        core.setFailed(error.message)
    }
--- a/post.js
+++ b/post.js
@ -14,6 +14,7 @@ async function main() {
        const keyFile = core.getState("keyFile")
        const inventoryFile = core.getState("inventoryFile")
        const vaultPasswordFile = core.getState("vaultPasswordFile")
+        const knownHostsFile = core.getState("knownHostsFile")

        if (directory)
            process.chdir(directory)
@ -26,6 +27,10 @@ async function main() {

        if (vaultPasswordFile)
            rm(vaultPasswordFile)
+
+        if (knownHostsFile)
+            rm(knownHostsFile)
+
    } catch (error) {
        core.setFailed(error.message)
    }