Conversation
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
- Using
UserKnownHostsFile=/dev/nullavoids the race but fully disables host key persistence; consider whether pointing to an isolated temporary known_hosts file (per run or per user) would give you the same concurrency safety with better security properties.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- Using `UserKnownHostsFile=/dev/null` avoids the race but fully disables host key persistence; consider whether pointing to an isolated temporary known_hosts file (per run or per user) would give you the same concurrency safety with better security properties.
## Individual Comments
### Comment 1
<location path="files/clustershell/clush.conf" line_range="10" />
<code_context>
node_count: yes
verbosity: 1
-ssh_options: -o IdentityFile=/ansible/secrets/id_rsa.operator -o StrictHostKeyChecking=no -o LogLevel=ERROR
+ssh_options: -o IdentityFile=/ansible/secrets/id_rsa.operator -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR
</code_context>
<issue_to_address>
**🚨 issue (security):** Using UserKnownHostsFile=/dev/null removes host key persistence and may hide MITM issues.
Combined with `StrictHostKeyChecking=no`, this effectively disables SSH host key verification. If this is only for ephemeral or non-production use, please scope it more narrowly (e.g., limited inventories or an explicit opt‑in flag) and ensure it cannot be reused in production or other sensitive contexts.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Use a per-invocation temporary known_hosts file instead of /dev/null to prevent parallel SSH connections (fanout: 64) from colliding on hard link updates, while still maintaining host key persistence during the session. The temp file is seeded from /share/known_hosts so existing host keys are verified. AI-assisted: Claude Code Signed-off-by: Christian Berendt <berendt@osism.tech>
Comment on lines
+215
to
+220
| subprocess.call( | ||
| f'/usr/local/bin/clush -l {settings.OPERATOR_USER}' | ||
| f' -o "-o UserKnownHostsFile={tmp_known_hosts}"' | ||
| f' -g {host}', | ||
| shell=True, | ||
| ) |
There was a problem hiding this comment.
security (python.lang.security.audit.dangerous-subprocess-use-audit): Detected subprocess function 'call' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
Source: opengrep
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add UserKnownHostsFile=/dev/null to clush ssh_options to prevent multiple parallel SSH connections (fanout: 64) from colliding on hard link updates to /root/.ssh/known_hosts.
AI-assisted: Claude Code