I have some test servers running behind a bastion on Openstack. The test stack gets deleted and created often. After the stack is created I run a set of Ansible scripts to install and configure the servers. I have the process almost completely automated but I can't seem to get ssh-keyscan to work when the remote host is behind a bastion host.
This is what I have in my ~/.ssh/config
Host bastion
HostName 1.2.3.4
User myuser
IdentityFile ~/.ssh/private_key.pem
Host remote-host1
HostName 192.168.0.123
User myuser
IdentityFile ~/.ssh/private_key.pem
ProxyCommand ssh -W %h:%p bastion
If I try to run ssh-keyscan remote-host1 I get
getaddrinfo remote-host1: Name or service not known
Running ssh remote-host1 works but it will prompt
The authenticity of host '192.168.0.123 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)?
which I'm trying to avoid.
I know that there is a SSH option -o StrictHostKeyChecking=no and it's possible to pass this to Ansible using the ssh_args configuration option. I wouldn't want to use it though. I'm also aware that using ssh-keyscan without checking the fingerprint allows man-in-the-middle attacks. In this test environment scenario I'm willing to take the risk because only my IP is whitelisted for access.
