ssh-keyscan through a bastion

Solution 1:

Quick googling suggests that ssh-keyscan doesn't honour the ssh config file and all other ssh tricks. (Although this thread is quite old).

With Ansible you can delegate the keyscan task to your bastion host and then append to your known_hosts file locally:

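- hosts: localhost
  gather_facts: no
  tasks:
    # Run the scan on the bastion, which can reach the new host directly
    - command: "ssh-keyscan {{ new_host }}"
      register: new_host_fingerprint
      delegate_to: bastion
    # Append each scanned key line to the local known_hosts file
    - lineinfile:
        dest: /root/.ssh/known_hosts
        line: "{{ item }}"
      with_items: "{{ new_host_fingerprint.stdout_lines }}"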

where new_host is the IP address of the created host (192.168.0.123 in your example).

Solution 2:

SSH to the bastion and run ssh-keyscan from there:

ssh bastion ssh-keyscan remote-host1
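
Both approaches write whatever key the scan returns into known_hosts. The following added example (not part of either answer) filters ssh-keyscan output so that only keys matching a fingerprint obtained over a trusted channel are kept. The function names, the constructed sample keys and the source of the trusted fingerprint are assumptions.

```python
import base64
import hashlib


def sha256_fingerprint(key_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_lines(keyscan_output, host, trusted_fingerprints):
    """Return only the scanned lines for `host` whose key has a trusted fingerprint."""
    accepted = []
    for line in keyscan_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue  # blank line, banner comment or truncated entry
        names, keytype, key_b64 = fields[:3]
        if host not in names.split(","):
            continue  # entry for a different host than the one requested
        try:
            fingerprint = sha256_fingerprint(key_b64)
        except ValueError:
            continue  # not valid base64, so not a usable key
        if fingerprint in trusted_fingerprints:
            accepted.append(f"{names} {keytype} {key_b64}")
    return accepted


def _constructed_ed25519(raw32):
    """Build a syntactically valid ssh-ed25519 blob from 32 constructed bytes."""
    name = b"ssh-ed25519"
    blob = len(name).to_bytes(4, "big") + name + (32).to_bytes(4, "big") + raw32
    return base64.b64encode(blob).decode()


# Constructed sample data, not real host keys.
HOST = "192.168.0.123"
GOOD_KEY = _constructed_ed25519(bytes(range(32)))
OTHER_KEY = _constructed_ed25519(bytes(range(32, 64)))
# Stands in for a fingerprint read from a trusted channel (assumption).
TRUSTED = {sha256_fingerprint(GOOD_KEY)}
SCAN = (
    f"# {HOST}:22 SSH-2.0-OpenSSH\n"
    f"{HOST} ssh-ed25519 {GOOD_KEY}\n"
    f"{HOST} ssh-ed25519 {OTHER_KEY}\n"
)

if __name__ == "__main__":
    print("\n".join(verified_lines(SCAN, HOST, TRUSTED)))
```

Only the lines this returns would be appended to known_hosts; an empty result means the scanned key did not match and nothing should be written.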