Merge "bridge: Disable writing known_hosts files"

playbooks/roles/add-inventory-known-hosts/tasks/main.yaml

@@ -29,3 +29,12 @@
     group: root
     mode: 0644
     create: yes
+
+# Disable writing out known_hosts globally on the bastion host.
+# Nothing on this host should be connecting to somewhere not codified
+# above; this prevents us possibly hiding that by caching values.
+- name: Disable known_hosts caching
+  lineinfile:
+    path: /etc/ssh/ssh_config
+    regexp: 'UserKnownHostsFile'
+    line: '    UserKnownHostsFile /dev/null'