[Fab-user] EC2 host keys

From: Patrick J McNerthney
Subject: [Fab-user] EC2 host keys
Date: Sat, 09 May 2009 11:10:37 -0400
I have an issue with Amazon EC2 instances where ssh host keys have been saved in .ssh/known_hosts but are incompatible with an EC2 instance ip address. This occurs when the ip address has been reassigned to a new EC2 instance. So the basic sequence of events is:

o Start an EC2 instance which is assigned an ip address.
o ssh to that ip address and that server's ssh key is associated with that ip address in the known_hosts file.
o Terminate that EC2 instance.
o A new EC2 instance is started and it happens to get assigned the same ip address.

At this point, if I first ssh to it, I have ssh configured with StrictHostKeyChecking set to no, so ssh will emit a warning about this ip address having a new key, but will still allow me to continue.

However, if at this point I try to use Fabric to execute some commands, it will always fail. This is because SSHClient.load_system_host_keys is always called, causing the connection to fail if there is an incompatibility between the ip address and the server key.

I have addressed this in my own fork here: http://github.com/iciclespider/fabric/commit/08ad1c491e5643990c2a35e865784d2b61aa742f

What this does is replace this:

   if not env.reject_unknown_keys:

with this:

   if env.reject_unknown_keys:

I also considered using another env setting value to control this, but my conclusion is that this behavior is in fact in line with the implied behavior of the "reject_unknown_keys" name. In other words, the list of known keys should only be loaded if the intention is to reject those keys that are not known.

Pat McNerthney
ClearPoint Metrics, Inc.
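The post describes a host-key mismatch caused by an IP address being reused by a different instance. The following is an added example, written for this page and not code from the post, from Fabric or from paramiko. It is a small pure-Python model of the known_hosts check: it parses plain, comma-separated and hashed (`HashKnownHosts`) entries, distinguishes an address that is merely unknown from one whose stored key differs from the key now presented, and removes a stale entry the way `ssh-keygen -R` does. All host addresses and keys in it are constructed sample values; the hashed-entry format (`|1|salt|HMAC-SHA1(salt, host)`) is the one OpenSSH writes.

```python
import base64
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample keys (not real host keys): the first instance's key, the key of
# the new instance that later reuses the same IP, and two more for other hosts.
OLD_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedOldInstanceKey"
NEW_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQConstructedNewInstanceKey"
OTHER_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedOtherHostKey"
HASHED_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIConstructedHashedHostKey"


def hashed_entry(host: str, salt: bytes, key_type: str, key_b64: str) -> str:
    """Build a HashKnownHosts-style line: |1|base64(salt)|base64(HMAC-SHA1(salt, host)) type key."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s %s %s" % (
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
        key_type,
        key_b64,
    )


# Constructed known_hosts content: a plain IP entry, a comma-separated entry and a hashed entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "203.0.113.10 ssh-rsa " + OLD_KEY,
    "203.0.113.11,ec2-example.compute.amazonaws.com ssh-ed25519 " + OTHER_KEY,
    hashed_entry("203.0.113.12", b"\x01" * 20, "ssh-ed25519", HASHED_KEY),
]) + "\n"


def _host_matches(host_field: str, host: str) -> bool:
    """Match a line's host field: comma-separated names, or a |1|salt|hash hashed entry."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return host in host_field.split(",")


def parse_known_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Return (host_field, key_type, key_b64) for each key line; @cert-authority/@revoked markers are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def check_host_key(text: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'known', 'unknown' or 'changed'.

    'changed' is the situation in the post: the address is already in known_hosts but
    with a different key. OpenSSH is more nuanced about a stored key of another type;
    this model conservatively treats any non-matching stored entry as 'changed'.
    """
    stored = [(t, k) for (h, t, k) in parse_known_hosts(text) if _host_matches(h, host)]
    if not stored:
        return "unknown"
    for t, k in stored:
        if t == key_type and hmac.compare_digest(k, key_b64):
            return "known"
    return "changed"


def remove_host(text: str, host: str) -> str:
    """Drop every key line matching `host` (what `ssh-keygen -R host` does), keeping everything else."""
    kept = []
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "@")) and _host_matches(parts[0], host):
            continue  # stale entry for this address
        kept.append(line)
    return "\n".join(kept) + "\n"


def main() -> None:
    # The sequence from the post: the IP was recorded with the old instance's key,
    # then a new instance with a different key is assigned the same IP.
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "203.0.113.10", "ssh-rsa", OLD_KEY))  # known
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "203.0.113.10", "ssh-rsa", NEW_KEY))  # changed
    # Removing the stale entry turns the address into a merely unknown host, so the
    # new key can be accepted on first use without disabling the check for all hosts.
    cleaned = remove_host(SAMPLE_KNOWN_HOSTS, "203.0.113.10")
    print(check_host_key(cleaned, "203.0.113.10", "ssh-rsa", NEW_KEY))  # unknown


if __name__ == "__main__":
    main()
```

The "changed" result is the one the post runs into, and it is the case a host-key check exists to flag: from the client's side a reassigned address and a man-in-the-middle look identical. Dropping the stale line for that one address keeps the stored keys for every other host in force, whereas not loading known_hosts at all turns every connection into a first-use one.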