We are working on improving the automation of some of our server processes; we use Fabric. I expect to have to manage multiple hosts, which means making SSH connections to servers that have not been connected to over SSH before. When that happens, SSH always asks to verify the connection, which breaks the automation.
I have worked around this, in the same process, by using the -o stricthostkeychecking=no option on the SSH command I use to sync code with rsync, but I also need to use it in my calls to Fabric.
Is there a way to pass ssh-specific options to Fabric, in particular the one I mentioned above?
Best answer
The short answer is:
- For new hosts, nothing is needed: env.reject_unknown_hosts defaults to False.
- For known hosts whose key has changed, env.disable_known_hosts = True will let the connection to the changed host proceed.
From the old documentation: http://docs.fabfile.org/en/1.5/usage/ssh.html#unknown-hosts
The paramiko library is capable of loading up your known_hosts file, and will then compare any host it connects to, with that mapping. Settings are available to determine what happens when an unknown host (a host whose username or IP is not found in known_hosts) is seen:
- Reject: the host key is rejected and the connection is not made. This results in a Python exception, which terminates your Fabric session with a message that the host is unknown.
- Add: the new host key is added to the in-memory list of known hosts, the connection is made, and things continue normally. Note that this does not modify your on-disk known_hosts file!
- Ask: not yet implemented at the Fabric level, this is a paramiko library option which would prompt the user about the unknown key and whether to accept it.
Whether to reject or add hosts, as above, is controlled in Fabric via the env.reject_unknown_hosts option, which is False by default for convenience’s sake. We feel this is a valid tradeoff between convenience and security; anyone who feels otherwise can easily modify their fabfiles at module level to set env.reject_unknown_hosts = True.
http://docs.fabfile.org/en/1.5/usage/ssh.html#known-hosts-with-changed-keys
Known hosts with changed keys
The point of SSH’s key/fingerprint tracking is so that man-in-the-middle attacks can be detected: if an attacker redirects your SSH traffic to a computer under his control, and pretends to be your original destination server, the host keys will not match. Thus, the default behavior of SSH (and its Python implementation) is to immediately abort the connection when a host previously recorded in known_hosts suddenly starts sending us a different host key.
In some edge cases such as some EC2 deployments, you may want to ignore this potential problem. Our SSH layer, at the time of writing, doesn’t give us control over this exact behavior, but we can sidestep it by simply skipping the loading of known_hosts – if the host list being compared to is empty, then there’s no problem. Set env.disable_known_hosts to True when you want this behavior; it is False by default, in order to preserve default SSH behavior.
Warning: Enabling env.disable_known_hosts will leave you wide open to man-in-the-middle attacks! Please use with caution.
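To make the two settings concrete, here is an added example (not code from the answer, the Fabric project or paramiko) that models the decision logic the quoted documentation describes: it parses a constructed known_hosts file, compares the OpenSSH-style SHA256 fingerprint of the key a host presents with the recorded one, and returns the outcome that env.reject_unknown_hosts and env.disable_known_hosts imply. The hostnames and key blobs are constructed; `decide` and `load_known_hosts` are hypothetical helper names, not Fabric API.

```python
import base64
import hashlib

# Constructed key blobs (not real SSH keys): arbitrary bytes, base64-encoded
# like the key field of a known_hosts entry, so fingerprints can be compared.
KEY_A = base64.b64encode(b"constructed key material A").decode()
KEY_B = base64.b64encode(b"constructed key material B").decode()

# Constructed known_hosts file: hostnames are fictitious.
KNOWN_HOSTS = f"""
build01.example.test ssh-ed25519 {KEY_A}
# comments and blank lines are legal in known_hosts

db01.example.test,10.0.0.5 ssh-ed25519 {KEY_B}
"""


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_known_hosts(text):
    """Map every hostname/IP listed in a known_hosts file to (keytype, fingerprint)."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names, keytype, key_b64 = line.split()[:3]
        for name in names.split(","):          # one entry may list several names
            hosts[name] = (keytype, fingerprint(key_b64))
    return hosts


def decide(host, keytype, key_b64, known,
           reject_unknown_hosts=False, disable_known_hosts=False):
    """Return the action the documented Fabric 1.x settings imply for a presented key.

    reject_unknown_hosts: 'reject' (exception) or 'add' (in-memory only) a host
                          that is not in known_hosts; Fabric defaults to False.
    disable_known_hosts:  skip loading known_hosts entirely, so every host is
                          'unknown' and a changed key is never noticed.
    """
    if disable_known_hosts:
        known = {}                              # empty list, nothing to mismatch against
    presented = (keytype, fingerprint(key_b64))
    if host not in known:
        return "reject" if reject_unknown_hosts else "add"
    # Known host: only a matching key type and fingerprint lets the connection proceed;
    # anything else is the changed-key case that default SSH aborts on.
    return "connect" if known[host] == presented else "abort"


if __name__ == "__main__":
    known = load_known_hosts(KNOWN_HOSTS)
    for host, key in [("new.example.test", KEY_A), ("build01.example.test", KEY_A),
                      ("10.0.0.5", KEY_A)]:
        print(host, "->", decide(host, "ssh-ed25519", key, known),
              "| with disable_known_hosts:",
              decide(host, "ssh-ed25519", key, known, disable_known_hosts=True))
```

Running it shows why the warning above is not theoretical: with the defaults a changed key for 10.0.0.5 is an "abort", but with disable_known_hosts=True the same mismatch becomes a plain "add", so a redirected connection is indistinguishable from a legitimately new host.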
Regarding "python - How do I pass SSH options with Fabric?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/14652965/