Have you ever been faced with the issue of having to do some automation surrounding the rotation of SSH host keys? Earlier today today I was faced with the problem of a quick and simple way to mass-update the
known_hosts file on a large number of Linux machines. I can across this stackflow post which suggested the use of
ssh-keyscan to remove and re-add the keys – so I decided to wrap it in a quick playbook that can be reused used for any number of hosts rather than trying to use bash.
This has several advantages to trying to wrap the same logic in a bash file, specifically things like SSH password authentication, error handling, and logging, permission elevation – etc can all be handled in a much quicker fashion than trying to glue together various tools in bash. It’s also very easy to make this playbook generic – so that you can simply run
# ansible-playbook -i YourHostList -u YourUserName -e "ansible_ssh_pass=YourPassword target_host=YourTargethost target_user=YourTargetUser"
Remember to specify a valid inventory file, as well as updating the host in question you’d like to remove from
known_hosts and update.