SSH to CA-trusted host

[pikeas]

Describe the bug

Pyinfra prompts for SSH host key verification when the host presents a valid certificate trusted by the user.

To Reproduce

$ cat ~/.ssh/known_hosts
@cert-authority server01 ssh-ed25519 <public key>

$ cat ~/.ssh/config
Host server01
    User root
    IdentityFile ~/.ssh/my_key

$ ssh server01
# works

$ pyinfra --debug server01 deploy.py
--> Loading config...
--> Loading inventory...
    [pyinfra_cli.inventory] Creating fake inventory...
    [pyinfra_cli.inventory] Checking possible group_data directory: /Users/user/dir

--> Connecting to hosts...
    [pyinfra.connectors.ssh] Connecting to: server01 ({'allow_agent': True, 'look_for_keys': True, 'hostname': 'server01', '_pyinfra_ssh_forward_agent': None, '_pyinfra_ssh_config_file': None, '_pyinfra_ssh_known_hosts_file': None, '_pyinfra_ssh_strict_host_key_checking': None, '_pyinfra_ssh_paramiko_connect_kwargs': None, 'timeout': 10})
    [pyinfra.connectors.sshuserclient.client] Loading SSH config: None
No host key for server01 found in known_hosts, do you want to continue [y/n]

Expected behavior

Pyinfra should connect without prompting for host key verification.

Meta

Pyinfra v2.2 macOS-12.3.1-arm64-arm-64bit, Python 3.10.5

[Fizzadar]

Unfortunately this is an upstream problem with the SSH library used by pyinfra, Paramiko: paramiko/paramiko#771

[Fizzadar]

Leaving this open as it’s unresolved but relabelled as a dependency issue.