bridge: Disable writing known_hosts files

This is related to the work in I0823c09165c445e9178c75ac5083f1988e8d3055 to deploy the host keys from inventory to the bastion host. As noted inline, there's really no reason this host should be connecting anywhere that isn't in the inventory. So caching values can only hide that we might have missed something there. Disable user known_hosts globally. Change-Id: I6d74df90db856cf7773698e3a06180986a531322
2022-11-21 14:18:13 +11:00 · 2022-11-21 14:18:13 +11:00 · 24a1528fac
commit 24a1528fac
parent 95c9cf6ec6
1 changed files with 9 additions and 0 deletions
--- a/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
+++ b/playbooks/roles/add-inventory-known-hosts/tasks/main.yaml
@ -29,3 +29,12 @@
    group: root
    mode: 0644
    create: yes
+
+# Disable writing out known_hosts globally on the bastion host.
+# Nothing on this host should be connecting to somewhere not codified
+# above; this prevents us possibly hiding that by caching values.
+- name: Disable known_hosts caching
+  lineinfile:
+    path: /etc/ssh/ssh_config
+    regexp: 'UserKnownHostsFile'
+    line: '    UserKnownHostsFile /dev/null'