Describe the bug
Pyinfra deletes lines from ~/.ssh/known_hosts.
To Reproduce
https://github.com/pyinfra-dev/pyinfra/blob/3.x/pyinfra/connectors/sshuserclient/client.py#L43-L49:
```python
with HOST_KEYS_LOCK:
    host_keys = client.get_host_keys()
    host_keys.add(hostname, key.get_name(), key)
    # The paramiko client saves host keys incorrectly whereas the host keys object does
    # this correctly, so use that with the client filename variable.
    # See: https://github.com/paramiko/paramiko/pull/1989
    host_keys.save(client._host_keys_filename)
```
This happens because of the way Paramiko parses the file - it throws away comment lines, newlines, and lines it doesn't understand.
https://github.com/paramiko/paramiko/blob/main/paramiko/hostkeys.py#L89-L97:
```python
with open(filename, "r") as f:
    for lineno, line in enumerate(f, 1):
        line = line.strip()
        if (len(line) == 0) or (line[0] == "#"):
            continue
        try:
            entry = HostKeyEntry.from_line(line, lineno)
        except SSHException:
            continue
```
So, when Pyinfra calls host_keys.save(...), this doesn't just add a new entry, it actually overwrites the file with the contents as parsed by Paramiko. This is unexpected - I've been fighting disappearing contents in known_hosts for years and had no idea it was caused by PyInfra.
Expected behavior
Pyinfra should either never modify known_hosts, or only add new hosts.
I understand the intent here, to make running PyInfra as convenient as possible. But IMO this behavior is a foot-gun for infrastructure maintainers and should be changed. It's frustrating to lose formatting, painful to lose comments, and it breaks general SSH usage when @cert-authority (not yet supported by Paramiko) silently disappears.
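One way to get the "only add new hosts" behaviour requested above, shown beside a simplified model of the load-then-save round trip. This is an added example, not code from PyInfra or Paramiko; the file contents, hostnames and key strings are constructed, and `lossy_rewrite`, `append_host_key` and `demo` are hypothetical names.

```python
import os
import tempfile

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = (
    "# prod bastions, do not remove\n\n"
    "@cert-authority *.example.com ssh-ed25519 AAAAexampleCAkey\n"
    "bastion.example.com ssh-ed25519 AAAAexampleHostKey\n"
)

def lossy_rewrite(path):
    """Simplified model of load-then-save: blank lines, comments and lines the
    parser rejects (modelled here as '@' marker lines) are not written back."""
    with open(path) as f:
        kept = [s for s in (line.strip() for line in f) if s and s[0] not in "#@"]
    with open(path, "w") as f:
        f.writelines(s + "\n" for s in kept)

def append_host_key(path, hostname, key_type, key_b64):
    """Add one entry without rewriting existing bytes; True if a line was written."""
    text = ""
    if os.path.exists(path):
        with open(path) as f:
            text = f.read()
    for fields in (line.split() for line in text.splitlines()):
        # Skip comments, marker lines and short lines; hashed names are not matched.
        if len(fields) >= 3 and fields[0][0] not in "#@":
            if hostname in fields[0].split(",") and fields[1] == key_type:
                return False  # already listed: leave the file untouched
    sep = "" if not text or text.endswith("\n") else "\n"
    with open(path, "a") as f:  # append mode never rewrites what is already there
        f.write(f"{sep}{hostname} {key_type} {key_b64}\n")
    return True

def demo():
    """Apply each strategy to its own copy of SAMPLE; return the resulting texts."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name in ("rewrite", "append"):
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(SAMPLE)
            if name == "rewrite":
                lossy_rewrite(p)
            else:
                append_host_key(p, "new.example.com", "ssh-ed25519", "AAAAexampleNewKey")
            with open(p) as f:
                out[name] = f.read()
    return out
```

`append_host_key` returns False when a plain entry for the same host and key type is already present, so a changed key is left for the caller to handle rather than silently replaced.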