Using Ansible to automate large-scale ssh key changes

Have you ever been faced with the issue of having to do some automation surrounding the rotation of SSH host keys? Earlier today I was faced with the problem of finding a quick and simple way to mass-update the known_hosts file on a large number of Linux machines. I came across this Stack Overflow post, which suggested the use of ssh-keygen and ssh-keyscan to remove and re-add the keys, so I decided to wrap it in a quick playbook that can be reused for any number of hosts rather than trying to use bash.

This has several advantages over trying to wrap the same logic in a bash script: SSH password authentication, error handling, logging, privilege elevation and so on can all be handled much more quickly than by gluing together various tools in bash. It's also very easy to make this playbook generic, so that you can simply run

# ansible-playbook -i YourHostList -u YourUserName -e "ansible_ssh_pass=YourPassword target_host=YourTargetHost target_user=YourTargetUser" YourPlaybook.yml

Remember to specify a valid inventory file, and to set target_host to the host whose entry you want removed from known_hosts and re-added (and target_user to the account whose known_hosts file is updated).
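A playbook of the kind described above, written here as an added example rather than the author's own: it scans the host key once from the control node, records its fingerprint in the run output, and replaces the stale entry on every inventory host. target_host and target_user are the variables the post passes with -e; the optional expected_fingerprint variable and the /home/<user> path are my assumptions, and the known_hosts module stands in for the ssh-keygen -R step.

```yaml
# Added example, not the original post's playbook. It uses the target_host and
# target_user variables the post passes with -e, plus one optional variable of
# my own, expected_fingerprint: the SHA256 fingerprint of target_host's key
# obtained out of band. Home directories are assumed to live under /home.
- name: Replace target_host's entry in target_user's known_hosts on every inventory host
  hosts: all
  become: true
  become_user: "{{ target_user }}"
  vars:
    known_hosts_path: "/home/{{ target_user }}/.ssh/known_hosts"
  tasks:
    - name: Scan target_host's current ed25519 key once, from the control node
      ansible.builtin.command: ssh-keyscan -t ed25519 -T 5 {{ target_host | quote }}
      delegate_to: localhost
      run_once: true
      become: false
      changed_when: false
      register: scan
      # ssh-keyscan can exit 0 with empty output (host down, port filtered)
      failed_when: scan.rc != 0 or (scan.stdout | trim) == ""

    - name: Log the fingerprint of the scanned key in the run output
      ansible.builtin.command:
        cmd: ssh-keygen -lf -
        stdin: "{{ scan.stdout }}"
      delegate_to: localhost
      run_once: true
      become: false
      changed_when: false
      register: fp

    - name: Refuse to roll out a key whose fingerprint differs from the out-of-band value
      ansible.builtin.assert:
        that: expected_fingerprint in fp.stdout
        fail_msg: "Fingerprint mismatch for {{ target_host }}: {{ fp.stdout }}"
      when: expected_fingerprint is defined
      run_once: true

    - name: Make sure target_user's ~/.ssh exists and is private
      ansible.builtin.file:
        path: "{{ known_hosts_path | dirname }}"
        state: directory
        mode: "0700"

    - name: Remove the stale entry (what ssh-keygen -R does) and write the scanned key
      ansible.builtin.known_hosts:
        path: "{{ known_hosts_path }}"
        name: "{{ target_host }}"
        key: "{{ scan.stdout }}"
        state: present
```

ssh-keyscan accepts whatever key the host presents at scan time, so supplying expected_fingerprint (taken from the host's console or its own ssh-keygen -lf output) turns a trust-on-first-use fetch into a verified one. Prefer ansible-playbook's -k (--ask-pass) prompt over ansible_ssh_pass on the command line, which leaves the password in shell history and process listings.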
