Add support for SSH Host Key Checking

By default it seems that SSH host key checking has been disabled. This patch makes it optional. If a variable named known_hosts is passed in, the key checking will be enabled. The variable should contain the complete contents of the known_hosts file, which must contain the public key(s) of the host(s) in the inventory.
dawidd6 · Apr 4, 2021 · d45b74f · d45b74f
1 parent aad578f
commit d45b74f
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -65,11 +65,15 @@ jobs:
             Subsystem sftp /usr/lib/openssh/sftp-server
           EOF
           sudo systemctl restart sshd
+          echo 'SSH_KNOWN_HOSTS<<EOF' >> $GITHUB_ENV
+          echo $(ssh-keyscan localhost) >> $GITHUB_ENV
+          echo 'EOF' >> $GITHUB_ENV
       - name: With everything
         uses: ./
         with:
           playbook: playbook.yml
           key: ${{env.SSH_PRIVATE_KEY}}
+          known_hosts: ${{env.SSH_KNOWN_HOSTS}}
           directory: test
           vault_password: test
           requirements: requirements.yml

diff --git a/action.yml b/action.yml
@@ -22,6 +22,9 @@ inputs:
   vault_password:
     description: The password used for decrypting vaulted files
     required: false
+  known_hosts:
+    description: Contents of SSH known_hosts file
+    required: false
   options:
     description: Extra options that should be passed to ansible-playbook command
     required: false

diff --git a/main.js b/main.js
@@ -12,6 +12,7 @@ async function main() {
         const key = core.getInput("key")
         const inventory = core.getInput("inventory")
         const vaultPassword = core.getInput("vault_password")
+        const knownHosts = core.getInput("known_hosts")
         const options = core.getInput("options")
 
         let cmd = ["ansible-playbook", playbook]
@@ -63,10 +64,27 @@ async function main() {
             cmd.push(vaultPasswordFile)
         }
 
-        process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+        if (knownHosts) {
+            const knownHostsFile = ".ansible_known_hosts"
+            fs.writeFileSync(knownHostsFile, knownHosts, { mode: 0600 })
+            core.saveState("knownHostsFile", knownHostsFile)
+            let known_hosts_param = [
+                "--ssh-common-args=",
+                "\"",
+                "-o UserKnownHostsFile=",
+                knownHostsFile,
+                "\""
+            ].join('')
+            cmd.push(known_hosts_param)
+            process.env.ANSIBLE_HOST_KEY_CHECKING = "True"
+        } else {
+            process.env.ANSIBLE_HOST_KEY_CHECKING = "False"
+        }
+
         process.env.ANSIBLE_FORCE_COLOR = "True"
 
-        await exec.exec(cmd.join(" "))
+        await exec.exec(cmd.join(' '))
+
     } catch (error) {
         core.setFailed(error.message)
     }

diff --git a/post.js b/post.js
@@ -14,6 +14,7 @@ async function main() {
         const keyFile = core.getState("keyFile")
         const inventoryFile = core.getState("inventoryFile")
         const vaultPasswordFile = core.getState("vaultPasswordFile")
+        const knownHostsFile = core.getState("knownHostsFile")
 
         if (directory)
             process.chdir(directory)
@@ -26,6 +27,10 @@ async function main() {
 
         if (vaultPasswordFile)
             rm(vaultPasswordFile)
+
+        if (knownHostsFile)
+            rm(knownHostsFile)
+
     } catch (error) {
         core.setFailed(error.message)
     }