ansible-known_hosts's People

Contributors

brycebaril, darkone23, fcoury

ansible-known_hosts's Issues

dig not installed on target host

The known_hosts module uses dig to do a DNS lookup. However, dig may not be installed. Use getent (which is a libc binary) instead.

ip=$(getent hosts "$host" | cut -f 1 -d ' ')

If you want, I could create a pull request, but this issue is rather simple to fix.

Requires passwordless sudo

The script uses su - $owner everywhere to run commands as the result of whoami.
This results in tty tickets if you don't have passwordless sudo.

Why not just run the commands instead?

For example,

Instead of:

have_host=$(su - $owner -c "ssh-keygen -F $keygen_name -f $file")

Why not just:

have_host=$(ssh-keygen -F $keygen_name -f $file)

Input scrubbing is broken - concept of module seems flawed.

The "security" feature of scrubbing the input is terribly broken as far as I can tell.

The reason that it has the appearance of working is that the sed line actually doesn't do anything. Its regular expression does not match most input. Tests:

$ echo 'a = "b"' | sed -e "s/\s?([^=]+)\s?=\s?(\x22([^\x22]+)\x22|\x27([^\x27]+)\x27|(\S+))\s?/\1='\2'/p"
a = "b"

$ echo " a = "b" " | sed -e "s/\s?([^=]+)\s?=\s?(\x22([^\x22]+)\x22|\x27([^\x27]+)\x27|(\S+))\s?/\1='\2'/p"
a = "b"

$ echo "a=b " | sed -e "s/\s?([^=]+)\s?=\s?(\x22([^\x22]+)\x22|\x27([^\x27]+)\x27|(\S+))\s?/\1='\2'/p"
a=b

Now let's suppose it did work as the original author intended. I could still submit the line: a="b';rm -rf /;a=' "
Which would be expanded to:
a='b';rm -rf /;a=' '
Which would then get run as root. (Or whichever user the script is run as on the remote end - root by default I think).

In addition, the whole concept of just doing the keyscan at the remote end and then dumping it into your known_hosts file without any verification completely defeats the point of the known_hosts file. You'd be better off just turning StrictHostKeyChecking to no in your ssh config - the only exception to this I can see is if you want specifically to not care who one particular host is for one particular user.
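The two problems raised in this issue, argument scrubbing that can be bypassed and host keys trusted without any verification, can both be handled in plain POSIX sh. The following is an added example, not code from the ansible-known_hosts module: parse_arg, parse_args, the ARG_* variables, key_sha256_hex and verify_host_key are names chosen here, and the sample key line is constructed (its blob YWJj is just base64 of the string abc, not a real public key). No eval is used anywhere: the key selects a fixed variable through case, and the value must fit a conservative character set, so a token such as the one quoted above is rejected instead of being interpreted. The fingerprint check hashes the decoded key blob with SHA-256 (the same hash ssh-keygen -lf prints base64-encoded as SHA256:...) and compares it against a value obtained out of band, which is what makes the known_hosts entry worth having.

```sh
#!/bin/sh
# Added example (not the module's own code): eval-free argument parsing and
# host-key fingerprint verification for a shell Ansible module.

# Parse one key=value token. The key selects a fixed variable via case and
# the value must match a conservative character set, so quotes, semicolons
# and whitespace never reach an eval or a command line.
parse_arg() {
    case $1 in
        *=*) ;;
        *) printf '%s\n' "argument is not key=value: $1" >&2; return 1 ;;
    esac
    key=${1%%=*}
    value=${1#*=}
    # Strip one matching pair of surrounding quotes (the module's own syntax)
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # Hostnames, paths, user names and states need nothing outside this set
    case $value in
        '' | *[!A-Za-z0-9._:/@-]*) printf '%s\n' "rejected value for $key" >&2; return 1 ;;
    esac
    case $key in
        host)  ARG_host=$value ;;
        state) ARG_state=$value ;;
        path)  ARG_path=$value ;;
        *)     printf '%s\n' "unknown argument: $key" >&2; return 1 ;;
    esac
}

# Parse a whole argument string such as 'host=github.com state=present'.
parse_args() {
    set -f                       # no globbing while word-splitting
    for tok in $1; do
        if ! parse_arg "$tok"; then set +f; return 1; fi
    done
    set +f
}

# SHA-256 of the decoded key blob (field 3 of a known_hosts / ssh-keyscan
# line) as lowercase hex. Only coreutils (base64, sha256sum) are needed.
key_sha256_hex() {
    printf '%s' "$1" | cut -d ' ' -f 3 | base64 -d | sha256sum | cut -d ' ' -f 1
}

# Compare a scanned line against the fingerprint obtained out of band (from
# the provider's documentation or console). Only on a match should the line
# be appended to known_hosts; otherwise the scan is worth nothing.
verify_host_key() {
    # $1: key line as produced by ssh-keyscan, $2: expected SHA-256 hex
    actual=$(key_sha256_hex "$1")
    [ "$actual" = "$2" ]
}

# Constructed sample: the blob YWJj decodes to "abc", so the expected value
# is SHA-256("abc"). A real line would carry a real key and real fingerprint.
SAMPLE_LINE='github.example ssh-ed25519 YWJj'
SAMPLE_EXPECTED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

if parse_args 'host=github.example state=present' \
   && verify_host_key "$SAMPLE_LINE" "$SAMPLE_EXPECTED"; then
    echo "fingerprint verified for $ARG_host; safe to append to known_hosts"
fi
```

Lines that start with a marker such as @cert-authority shift the blob to field 4, so key_sha256_hex would need its field index adjusted for those; hashed host names (|1|...) keep three fields and work as written.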

Not all errors are detected

When dig is not installed, the ip=$(dig) line is nonsensical. Later, when ssh-keygen and ssh-keyscan are called, they end up returning bad values, and the script result back to Ansible ends up saying changed=false, but otherwise there is no error.

To fix this, use 'set -e', 'trap _onexit EXIT', and properly return a real error.

If exiting the script successfully, then remove the trap by "trap '' EXIT".

These commands are POSIX, so are safe to use.

PS: this script could actually be /bin/sh, if one used && instead of -a when doing [, and used = instead of ==.

PPS: I could also make a fork/pull request for this too, if the above is not clear.
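The fixes proposed across the issues above (getent instead of dig, running commands directly instead of through su - $owner, and set -e plus an EXIT trap that turns a broken step into a real error) fit together as shown in this added example. It is not the module's own code: fail, _onexit, resolve_host and run_module are names chosen here, the JSON field layout is illustrative, and the ssh-keyscan / ssh-keygen -F steps of the real module are left out so the error-handling skeleton stays visible. The module body runs in a subshell so that set -e and the trap are scoped to it, and the trap is disarmed on success with trap - EXIT (equivalent in effect to the trap '' EXIT suggested above).

```sh
#!/bin/sh
# Added example (not the module's own code): error handling for a shell
# Ansible module with set -e, an EXIT trap and an explicit failure result,
# around a dig-free lookup with getent.

# Report a real error to Ansible: JSON on stdout, non-zero exit. The trap is
# disarmed first so the handler below does not report a second time.
fail() {
    trap - EXIT
    printf '{"failed": true, "msg": "%s"}\n' "$1"
    exit 1
}

# Reached on any non-zero exit that set -e turns into an abort, so a missing
# tool or a bad lookup no longer ends in a silent changed=false.
_onexit() {
    fail "unexpected error in known_hosts module"
}

# Resolve a name to its first address with getent, part of libc on every
# target, instead of dig, which may not be installed. Returns 1 when nothing
# resolves rather than yielding an empty ip that later steps would swallow.
resolve_host() {
    _ip=$(getent hosts "$1" | cut -f 1 -d ' ' | head -n 1)
    [ -n "$_ip" ] || return 1
    printf '%s\n' "$_ip"
}

# Module body in a subshell so set -e and the trap are scoped to it.
# Commands run as the invoking user directly; no su - "$owner" detour, so no
# tty ticket is needed when sudo is not passwordless.
run_module() {
    (
        set -e
        trap _onexit EXIT
        host=$1
        [ -n "$host" ] || fail "host is required, e.g. github.com"
        ip=$(resolve_host "$host") || fail "could not resolve host $host"
        # ssh-keyscan "$ip" and ssh-keygen -F "$host" -f "$file" would follow
        # here; any of them failing lands in _onexit instead of changed=false
        printf '{"changed": false, "host": "%s", "ip": "%s"}\n' "$host" "$ip"
        trap - EXIT          # successful exit: remove the trap
    )
}

# Usage: run_module github.com
```

Every construct used (set -e, trap, getent, [ with = and ||) is POSIX sh, so the script needs no bash-only features.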

Does not work with sudo, sudo_user

Gives me msg: host is required, e.g. github.com

Task:

- name: github known host
  known_hosts: host=github.com state=present
  sudo: yes
  sudo_user: someuser
