Stop ignoring the host keys, query and write them down as accepted.

tests/conftest.py

@@ -1402,7 +1402,21 @@ def sshd_server(salt_factories, sshd_config_dir, salt_master, grains):
 
 
 @pytest.fixture(scope="module")
-def salt_ssh_roster_file(sshd_server, salt_master):
+def known_hosts_file(sshd_server, salt_master, salt_factories):
+    with pytest.helpers.temp_file(
+        "ssh-known-hosts",
+        "\n".join(sshd_server.get_host_keys()),
+        salt_factories.tmp_root_dir,
+    ) as known_hosts_file, pytest.helpers.temp_file(
+        "master.d/ssh-known-hosts.conf",
+        f"known_hosts_file: {known_hosts_file}",
+        salt_master.config_dir,
+    ):
+        yield known_hosts_file
+
+
+@pytest.fixture(scope="module")
+def salt_ssh_roster_file(sshd_server, salt_master, known_hosts_file):
     roster_contents = """
     localhost:
       host: 127.0.0.1
@@ -1415,6 +1429,7 @@ def salt_ssh_roster_file(sshd_server, salt_master):
     )
     if salt.utils.platform.is_darwin():
         roster_contents += "  set_path: $PATH:/usr/local/bin/\n"
+
     with pytest.helpers.temp_file(
         "roster", roster_contents, salt_master.config_dir
     ) as roster_file:

tests/pytests/integration/conftest.py

@@ -95,7 +95,7 @@ def salt_run_cli(salt_master):
 
 
 @pytest.fixture(scope="module")
-def salt_ssh_cli(salt_master, salt_ssh_roster_file, sshd_config_dir):
+def salt_ssh_cli(salt_master, salt_ssh_roster_file, sshd_config_dir, known_hosts_file):
     """
     The ``salt-ssh`` CLI as a fixture against the running master
     """
@@ -105,7 +105,6 @@ def salt_ssh_cli(salt_master, salt_ssh_roster_file, sshd_config_dir):
         roster_file=salt_ssh_roster_file,
         target_host="localhost",
         client_key=str(sshd_config_dir / "client_key"),
-        base_script_args=["--ignore-host-keys"],
     )
 
 

tests/pytests/integration/netapi/test_ssh_client.py

@@ -1,3 +1,5 @@
+import logging
+
 import pytest
 
 import salt.netapi
@@ -18,9 +20,12 @@ pytestmark = [
     ),
 ]
 
+log = logging.getLogger(__name__)
+
 
 @pytest.fixture
-def client_config(client_config):
+def client_config(client_config, known_hosts_file):
+    client_config["known_hosts_file"] = str(known_hosts_file)
     client_config["netapi_enable_clients"] = ["ssh"]
     return client_config
 
@@ -67,7 +72,6 @@ def test_ssh(client, auth_creds, salt_ssh_roster_file, rosters_dir, ssh_priv_key
         "client": "ssh",
         "tgt": "localhost",
         "fun": "test.ping",
-        "ignore_host_keys": True,
         "roster_file": str(salt_ssh_roster_file),
         "rosters": [rosters_dir],
         "ssh_priv": ssh_priv_key,
@@ -187,7 +191,6 @@ def test_shell_inject_tgt(client, salt_ssh_roster_file, tmp_path, salt_auto_acco
         "eauth": "auto",
         "username": salt_auto_account.username,
         "password": salt_auto_account.password,
-        "ignore_host_keys": True,
     }
     ret = client.run(low)
     assert path.exists() is False
@@ -242,7 +245,6 @@ def test_shell_inject_ssh_port(
         "roster_file": str(salt_ssh_roster_file),
         "rosters": "/",
         "ssh_port": f"hhhhh|id>{path} #",
-        "ignore_host_keys": True,
     }
     ret = client.run(low)
     assert path.exists() is False
@@ -270,7 +272,6 @@ def test_shell_inject_remote_port_forwards(
         "eauth": "auto",
         "username": salt_auto_account.username,
         "password": salt_auto_account.password,
-        "ignore_host_keys": True,
     }
     ret = client.run(low)
     assert path.exists() is False
@@ -317,7 +318,6 @@ def test_ssh_auth_bypass(client, salt_ssh_roster_file):
         "roster_file": str(salt_ssh_roster_file),
         "rosters": "/",
         "eauth": "xx",
-        "ignore_host_keys": True,
     }
     with pytest.raises(EauthAuthenticationError):
         client.run(low)

tests/pytests/integration/ssh/test_log.py

@@ -70,26 +70,23 @@ def ssh_port(ssh_docker_container):
 
 
 @pytest.fixture(scope="module")
-def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master, ssh_auth):
+def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master, ssh_auth, known_hosts_file):
     """
     Temporary roster for ssh docker container
     """
     ssh_pass, ssh_user = ssh_auth
-    roster = """
+    roster = f"""
     pyvertest:
       host: localhost
-      user: {}
-      port: {}
-      passwd: {}
+      user: {ssh_user}
+      port: {ssh_port}
+      passwd: {ssh_pass}
       sudo: True
       sudo_user: root
       tty: True
       ssh_options:
-        - StrictHostKeyChecking=no
-        - UserKnownHostsFile=/dev/null
-    """.format(
-        ssh_user, ssh_port, ssh_pass
-    )
+        - UserKnownHostsFile={known_hosts_file}
+    """
     with pytest.helpers.temp_file(
         "py_versions_roster", roster, salt_master.config_dir
     ) as roster_file:
@@ -104,7 +101,6 @@ def salt_ssh_cli(salt_master, salt_ssh_roster_file, ssh_keys, ssh_docker_contain
         timeout=180,
         roster_file=salt_ssh_roster_file,
         target_host="localhost",
-        base_script_args=["--ignore-host-keys"],
         ssh_user="app-admin",
     )
 

tests/pytests/integration/ssh/test_pillar_compilation.py

@@ -251,7 +251,7 @@ def _assert_saltutil_runner_pillar(ret, salt_minion_id):
 
 @pytest.mark.skip_if_binaries_missing("gpg")
 @pytest.mark.usefixtures("pillar_setup", "gpg_homedir")
-def test_gpg_pillar_orch(salt_ssh_cli, salt_run_cli, gpg_homedir):
+def test_gpg_pillar_orch(salt_ssh_cli, salt_run_cli):
     """
     Ensure that GPG-encrypted pillars can be decrypted when Salt-SSH is
     called during an orchestration or via saltutil.cmd.
@@ -265,7 +265,6 @@ def test_gpg_pillar_orch(salt_ssh_cli, salt_run_cli, gpg_homedir):
         salt_ssh_cli.target_host,
         "pillar.items",
         ssh=True,
-        ignore_host_keys=True,
         roster_file=str(salt_ssh_cli.roster_file),
         ssh_priv=str(salt_ssh_cli.client_key),
     )
@@ -290,7 +289,6 @@ def test_saltutil_runner_orch(salt_ssh_cli, salt_run_cli, salt_minion):
         salt_ssh_cli.target_host,
         "pillar.items",
         ssh=True,
-        ignore_host_keys=True,
         roster_file=str(salt_ssh_cli.roster_file),
         ssh_priv=str(salt_ssh_cli.client_key),
     )

tests/pytests/integration/ssh/test_py_versions.py

@@ -85,22 +85,19 @@ def ssh_port(ssh_docker_container):
 
 
 @pytest.fixture(scope="module")
-def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master):
+def salt_ssh_roster_file(ssh_port, ssh_keys, salt_master, known_hosts_file):
     """
     Temporary roster for ssh docker container
     """
-    roster = """
+    roster = f"""
     pyvertest:
       host: localhost
       user: centos
-      port: {}
-      priv: {}
+      port: {ssh_port}
+      priv: {ssh_keys.priv_path}
       ssh_options:
-        - StrictHostKeyChecking=no
-        - UserKnownHostsFile=/dev/null
-    """.format(
-        ssh_port, ssh_keys.priv_path
-    )
+        - UserKnownHostsFile={known_hosts_file}
+    """
     with pytest.helpers.temp_file(
         "py_versions_roster", roster, salt_master.config_dir
     ) as roster_file:
@@ -116,7 +113,6 @@ def salt_ssh_cli(salt_master, salt_ssh_roster_file, ssh_keys, ssh_docker_contain
         roster_file=salt_ssh_roster_file,
         target_host="localhost",
         client_key=str(ssh_keys.priv_path),
-        base_script_args=["--ignore-host-keys"],
     )
 
 

tests/pytests/integration/ssh/test_ssh_setup.py

@@ -117,23 +117,30 @@ def ssh_sub_port(ssh_sub_container):
 
 @pytest.fixture(scope="module")
 def salt_ssh_roster_file(
-    ssh_container_name, ssh_sub_container_name, ssh_port, ssh_sub_port, salt_master
+    ssh_container_name,
+    ssh_sub_container_name,
+    ssh_port,
+    ssh_sub_port,
+    salt_master,
+    known_hosts_file,
 ):
     """
     Temporary roster for ssh docker container
     """
-    roster = """
-    {}:
+    roster = f"""
+    {ssh_container_name}:
       host: localhost
       user: centos
-      port: {}
-    {}:
+      port: {ssh_port}
+      ssh_options:
+        - UserKnownHostsFile={known_hosts_file}
+    {ssh_sub_container_name}:
       host: localhost
       user: centos
-      port: {}
-    """.format(
-        ssh_container_name, ssh_port, ssh_sub_container_name, ssh_sub_port
-    )
+      port: {ssh_sub_port}
+      ssh_options:
+        - UserKnownHostsFile={known_hosts_file}
+    """
     with pytest.helpers.temp_file(
         "setup_roster", roster, salt_master.config_dir
     ) as roster_file:
@@ -151,7 +158,6 @@ def salt_ssh_cli(
         timeout=180,
         roster_file=salt_ssh_roster_file,
         client_key=str(ssh_keys.priv_path),
-        base_script_args=["--ignore-host-keys"],
     )
 
 

tests/pytests/integration/ssh/test_terraform.py

@@ -17,7 +17,7 @@ def minion_id():
 
 
 @pytest.fixture(scope="module")
-def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id):
+def terraform_roster_file(sshd_server, tmp_path_factory, minion_id, known_hosts_file):
     darwin_addon = ""
     if salt.utils.platform.is_darwin():
         darwin_addon = ',\n        "set_path": "$PATH:/usr/local/bin/"\n'
@@ -49,7 +49,10 @@ def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id)
                 "thin_dir": null,
                 "timeout": null,
                 "tty": null,
-                "user": "{user}"{darwin_addon}
+                "user": "{user}"{darwin_addon},
+                "ssh_options": [
+                    "UserKnownHostsFile={known_hosts_file}"
+                ]
               }}
             }}
           ]
@@ -63,6 +66,7 @@ def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id)
         port=sshd_server.listen_port,
         user=RUNTIME_VARS.RUNNING_TESTS_USER,
         darwin_addon=darwin_addon,
+        known_hosts_file=known_hosts_file,
     )
     roster_file = tmp_path_factory.mktemp("terraform_roster") / "terraform.tfstate"
     roster_file.write_text(roster_contents)
@@ -71,7 +75,7 @@ def terraform_roster_file(sshd_server, salt_master, tmp_path_factory, minion_id)
 
 
 @pytest.fixture(scope="module")
-def salt_ssh_cli(salt_master, terraform_roster_file, sshd_config_dir):
+def salt_ssh_cli(salt_master, terraform_roster_file, sshd_config_dir, known_hosts_file):
     """
     The ``salt-ssh`` CLI as a fixture against the running master
     """
@@ -80,7 +84,6 @@ def salt_ssh_cli(salt_master, terraform_roster_file, sshd_config_dir):
         roster_file=terraform_roster_file,
         target_host="*",
         client_key=str(sshd_config_dir / "client_key"),
-        base_script_args=["--ignore-host-keys"],
     )
 
 

tests/pytests/integration/states/test_ansiblegate.py

@@ -40,7 +40,7 @@ def ansible_inventory_directory(tmp_path_factory, grains):
 
 
 @pytest.fixture(scope="module", autouse=True)
-def ansible_inventory(ansible_inventory_directory, sshd_server):
+def ansible_inventory(ansible_inventory_directory, sshd_server, known_hosts_file):
     inventory = str(ansible_inventory_directory / "inventory")
     client_key = str(sshd_server.config_dir / "client_key")
     data = {
@@ -52,8 +52,7 @@ def ansible_inventory(ansible_inventory_directory, sshd_server):
                     "ansible_user": RUNTIME_VARS.RUNNING_TESTS_USER,
                     "ansible_ssh_private_key_file": client_key,
                     "ansible_ssh_extra_args": (
-                        "-o StrictHostKeyChecking=false "
-                        "-o UserKnownHostsFile=/dev/null "
+                        f"-o UserKnownHostsFile={known_hosts_file} "
                     ),
                 },
             },