From 24a1528facadf557097223b4bd1767068e462a57 Mon Sep 17 00:00:00 2001
From: Ian Wienand
Date: Mon, 21 Nov 2022 14:18:13 +1100
Subject: [PATCH] bridge: Disable writing known_hosts files

This is related to the work in I0823c09165c445e9178c75ac5083f1988e8d3055 to deploy the host keys from inventory to the bastion host. As noted inline, there's really no reason this host should be connecting anywhere that isn't in the inventory. So caching values can only hide that we might have missed something there. Disable user known_hosts globally.

Change-Id: I6d74df90db856cf7773698e3a06180986a531322
---
 .../roles/add-inventory-known-hosts/tasks/main.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
index e8dbb24aa8..9f427c9e5d 100644
--- a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
+++ b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
@@ -29,3 +29,12 @@
     group: root
     mode: 0644
     create: yes
+
+# Disable writing out known_hosts globally on the bastion host.
+# Nothing on this host should be connecting to somewhere not codified
+# above; this prevents us possibly hiding that by caching values.
+- name: Disable known_hosts caching
+  lineinfile:
+    path: /etc/ssh/ssh_config
+    regexp: 'UserKnownHostsFile'
+    line: ' UserKnownHostsFile /dev/null'
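Review bot: `UserKnownHostsFile /dev/null` stops ssh from *caching* host keys, but it does not stop connections to hosts absent from the global known_hosts file — with OpenSSH's default `StrictHostKeyChecking ask`, an interactive user on the bastion can still accept an unknown key and connect, and because nothing is written, no trace of that acceptance is left behind; only non-interactive callers (no tty) are refused. If the comment's claim that nothing here should connect anywhere "not codified above" is meant to be enforced rather than just detected, pair this with a second `lineinfile` task setting `StrictHostKeyChecking yes`, e.g. `regexp: '^\s*#?\s*StrictHostKeyChecking'` and `line: '    StrictHostKeyChecking yes'`. Two caveats worth a comment in the task: ssh takes the first value obtained for an option, and `~/.ssh/config` plus any `Include`d `/etc/ssh/ssh_config.d/*.conf` are read before `/etc/ssh/ssh_config`, so this line is a system default that any user (or an `-o` on the command line) can override, not a hard policy; and the unanchored `regexp: 'UserKnownHostsFile'` will match the commented `#   UserKnownHostsFile ~/.ssh/known_hosts.2` example that stock ssh_config ships, which happens to be harmless (it sits under the active `Host *` block) but should be made deliberate with `regexp: '^\s*#?\s*UserKnownHostsFile'`. The preceding task whose `path` this is presumed to complement (the global known_hosts written with `mode: 0644`) starts outside the hunk, so I could not confirm it targets `/etc/ssh/ssh_known_hosts`.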