Configure the ssh client library HostKeyCallback ssh.InsecureIgnoreHostKey #149

Open
rgl opened this issue Sep 22, 2021 · 3 comments

@rgl
Contributor

rgl commented Sep 22, 2021

Describe the bug

sshConfig.HostKeyCallback = ssh.InsecureIgnoreHostKey()

This code is unconditionally trusting the server without any verification, which is not, IMHO, a good default.

Expected behavior

Expect the used SSH client to inherit my ssh settings (e.g. the known_hosts file) by default.

A provider option should be provided to explicitly opt-out of the server verification, e.g.:

provider "esxi" {
  insecure = true
}

Ideally, it should be configured like a Terraform provisioner connection.
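
The host-key decision requested above, as an added example that is not part of the original issue or the provider's code: it separates an unknown host from a changed key and accepts blindly only on explicit opt-out. `CheckHostKey`, its `insecure` parameter and the sample host and key blobs are assumptions; in a real client, `knownhosts.New` from golang.org/x/crypto/ssh/knownhosts returns a ready-made `ssh.HostKeyCallback`.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Distinct errors: an unknown host is a first-contact decision, a mismatch
// means the server presented a different key than the one pinned.
var (
	ErrUnknownHost = errors.New("host not in known_hosts")
	ErrKeyMismatch = errors.New("host key does not match known_hosts")
)

// CheckHostKey makes the decision a HostKeyCallback should make. insecure is
// the hypothetical provider opt-out. Hashed host names, wildcards and
// @ marker lines are not handled; such entries never match (fail closed).
func CheckHostKey(knownHosts, host, keyType, keyB64 string, insecure bool) error {
	if insecure {
		return nil // explicit opt-out, equivalent to InsecureIgnoreHostKey
	}
	pinned := false
	for _, line := range strings.Split(knownHosts, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") || strings.HasPrefix(f[0], "@") {
			continue // blank line, comment or marker line
		}
		for _, name := range strings.Split(f[0], ",") {
			if name != host {
				continue
			}
			if f[1] == keyType && f[2] == keyB64 {
				return nil // exact pinned key
			}
			pinned = true // host is known, but under another key
		}
	}
	if pinned {
		return fmt.Errorf("%s: %w", host, ErrKeyMismatch)
	}
	return fmt.Errorf("%s: %w", host, ErrUnknownHost)
}

func main() {
	// Constructed sample; the key blobs are placeholders, not real keys.
	kh := "# lab hosts\nesxi.example.test,192.0.2.10 ssh-ed25519 AAAAC3PINNEDKEY\n"
	fmt.Println(CheckHostKey(kh, "esxi.example.test", "ssh-ed25519", "AAAAC3OTHERKEY", false))
}
```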

@josenk
Owner

josenk commented Sep 22, 2021

Yes, I agree. It would be a much better default. I'll try to get some time to add this feature...

@josenk
Owner

josenk commented Nov 6, 2021

Thinking about this a bit...
To tighten up security, I should also remove the "--noSSLVerify" option for ovftool. How many home users actually have real SSL certs installed on their ESXi servers???

I'll keep all of this in mind. I may just tie them both together as a "high security enabled" option, or something like that... If there's more demand, I'll put some priority on it. Thanks for the feedback!

@jauderho
Contributor

+1 to this request.

FWIW, I do use a real cert (Let's Encrypt) for my ESXi server.
