From e66d9f1abf0e6be79dd5677054ba8c3aae9dc799 Mon Sep 17 00:00:00 2001
From: Iustin Pop <iustin@google.com>
Date: Thu, 18 Feb 2010 10:12:19 +0100
Subject: [PATCH] Fix ssh host key checking with no-key-check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In case we add a node with “--no-ssh-key-check”, this should override
any default yes/ask values in the system-wide (or user) ssh key check.

Currently this only works in batch mode, whereas in non-batch we only
override a 'no'. The patch fixes SshRunner such that in non-batch mode
we enforce the value of StrictHostKeyChecking in all cases.

Bug found and initial investigation by Theo Van Dinter.

Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>
---
 lib/ssh.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/lib/ssh.py b/lib/ssh.py
index 31fbdbbf6..4610e2d4f 100644
--- a/lib/ssh.py
+++ b/lib/ssh.py
@@ -114,10 +114,15 @@ class SshRunner:
       else:
         options.append("-oStrictHostKeyChecking=no")
 
-    elif ask_key:
-      options.extend([
-        "-oStrictHostKeyChecking=ask",
-        ])
+    else:
+      # non-batch mode
+
+      if ask_key:
+        options.append("-oStrictHostKeyChecking=ask")
+      elif strict_host_check:
+        options.append("-oStrictHostKeyChecking=yes")
+      else:
+        options.append("-oStrictHostKeyChecking=no")
 
     return options
 
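Review bot: The new final `else` in the non-batch branch forces `-oStrictHostKeyChecking=no` whenever both `ask_key` and `strict_host_check` are false, and nothing beside it says that this turns off host-key verification for the connection and overrides a stricter system-wide or per-user ssh setting. A comment on that branch would make the trade-off visible to the next reader, for example `# explicit opt-out (e.g. --no-ssh-key-check): the peer's host key is not verified, overriding any system/user ssh_config default`. The order of the tests also means `ask_key` silently wins when `strict_host_check` is set as well; a one-line note on that precedence next to `# non-batch mode` would help. The method's signature and parameter defaults are outside the hunk, so confirm that no caller reaches the `no` branch through defaults alone rather than through the explicit flag.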
-- 
GitLab