Original from 19/May/2014... updated!
I found this workflow for our systems:
- Bring up the new box.
- Generate keys on that new box.
- "Fetch" the pub key from the new server to the ansible server.
- Copy that key to the authorized_keys file of the other server (from the ansible server).
- Execute an rsync from the new server to the other server without being asked for a key.
My trick is:
#this is a part of the original playbook:
- name: Creating pub SSH keys
  # creates= keeps the task idempotent: without it ssh-keygen asks whether to overwrite on a re-run
  command: ssh-keygen -N '' -f /root/.ssh/id_rsa creates=/root/.ssh/id_rsa
- name: Downloading pub key
  fetch: src=/root/.ssh/id_rsa.pub dest=/tmp/id_rsa.tmp flat=yes
- name: Copying local key to other.server.net
  # plain append: every run adds the key again, so authorized_keys collects duplicates
  local_action: shell cat /tmp/id_rsa.tmp | ssh -p 2244 root@other.server.net "cat >> /root/.ssh/authorized_keys"
- name: Deleting temporal files
  local_action: command rm -f /tmp/id_rsa.tmp
- name: Syncing configuration files from other.server.net
  # UserKnownHostsFile=/dev/null plus StrictHostKeyChecking=no turns host-key verification off,
  # so this rsync talks to whatever answers on port 2244 under that name
  shell: rsync -avHz --rsh='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p2244' root@other.server.net:/opt/conf/* /opt/conf/
It is working perfectly, but I would like to know if another way is possible.
Thanks...
Update 06/Dec/2014:
Same workflow, new lines (optimized?):
- name: Generating RSA key for root
  # generate_ssh_key only creates the key when it is missing; the comment it writes into
  # the key is "ansible-generated on <hostname>", which the cleanup task below relies on
  user: name=root generate_ssh_key=yes
- name: Downloading pub key
  fetch: src=/root/.ssh/id_rsa.pub dest=/tmp/id_rsa.tmp flat=yes
- name: Copying local key to other.server.net
  local_action: shell cat /tmp/id_rsa.tmp | ssh -p 2244 root@other.server.net "cat >> /root/.ssh/authorized_keys"
- name: Deleting temporal files
  local_action: file path=/tmp/id_rsa.tmp state=absent
# ... the rsync task from the original playbook runs here ...
- name: Removing temporal keys from other.server.net
  # deletes every line containing "ansible-generated", i.e. any key the user module ever
  # generated on any box, not only the one added above
  shell: ssh -p 2244 root@other.server.net 'sed -i "/ansible-generated/d" /root/.ssh/authorized_keys'
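The same workflow with the SSH trust decisions made explicit, added here as an example; it is not the post's gist or any commenter's code. The names that are assumptions: the inventory group newboxes, other.server.net listed in the inventory with ansible_port: 2244, the key file /root/.ssh/id_ed25519_sync, and the rrsync wrapper at /usr/bin/rrsync on other.server.net (rrsync ships with rsync, the install path depends on the distribution). It also assumes other.server.net's host key is already in /root/.ssh/known_hosts on the new box; with StrictHostKeyChecking=yes the pull fails instead of silently accepting an unknown key.

```yaml
# Added example, not the post's gist: the "new box pulls /opt/conf from
# other.server.net" workflow with host-key checking kept on and the pushed key
# restricted to the one job it has. Assumptions: inventory group "newboxes",
# other.server.net in the inventory with ansible_port: 2244, rrsync installed at
# /usr/bin/rrsync on other.server.net, and other.server.net's host key already
# present in /root/.ssh/known_hosts on the new box.
- hosts: newboxes
  become: true
  vars:
    src_host: other.server.net
    src_port: 2244
    sync_key_file: .ssh/id_ed25519_sync        # relative to root's home
    # from= ties the key to this box's address; command= forces the read-only
    # rrsync wrapper, so even a leaked key cannot open a shell or write anything.
    sync_key_options: 'from="{{ ansible_default_ipv4.address }}",command="/usr/bin/rrsync -ro /opt/conf",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
  tasks:
    - name: Generate a dedicated ed25519 sync key for root (only if it is missing)
      user:
        name: root
        generate_ssh_key: yes
        ssh_key_type: ed25519
        ssh_key_file: "{{ sync_key_file }}"
        ssh_key_comment: "sync-{{ inventory_hostname }}"
      register: sync_key                   # sync_key.ssh_public_key holds the .pub line

    - name: Authorize that key on the source host, restricted by key options
      authorized_key:
        user: root
        key: "{{ sync_key.ssh_public_key }}"
        key_options: "{{ sync_key_options }}"
        state: present
      delegate_to: "{{ src_host }}"

    - name: Pull /opt/conf with host-key verification on (fails if the key is not pinned)
      # rrsync chdirs into /opt/conf on the source, so "./" there is /opt/conf
      command: >
        rsync -avHz
        --rsh="ssh -i /root/{{ sync_key_file }} -p {{ src_port }} -o StrictHostKeyChecking=yes -o BatchMode=yes"
        root@{{ src_host }}:./ /opt/conf/

    - name: Remove exactly the key that was added (same key and options, not a grep)
      authorized_key:
        user: root
        key: "{{ sync_key.ssh_public_key }}"
        key_options: "{{ sync_key_options }}"
        state: absent
      delegate_to: "{{ src_host }}"
```

Three things differ from the cat >> approach: authorized_key adds the key once and can remove exactly that key again; the from= and command= options mean a stolen id_ed25519_sync can only run a read-only rsync of /opt/conf from this box's address; and rsync verifies the host key instead of being pointed at /dev/null.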
- name: 'get id_rsa.pub'
  shell: cat "{{ some.dir + '/' + some.user + '/.ssh/id_rsa.pub' }}"
  delegate_to: "{{ master_first }}"
  register: id_rsa_pub
  changed_when: false
- authorized_key: user="{{ some.user }}" key="{{ id_rsa_pub.stdout }}"
##############
#extra work
# both keyscan tasks append on every run and accept whatever key answers the scan
- name: Get rid of SSH "Are you sure you want to continue connecting (yes/no)? BY NAME" query
  command: "{{ item }}"
  delegate_to: "{{ master_first }}"
  with_items:
    - sh -c 'ssh-keyscan -H {{ inventory_hostname }} >> {{ some.dir }}/{{ some.user }}/.ssh/known_hosts'
    - sh -c 'ssh-keyscan -H 0.0.0.0 >> {{ some.dir }}/{{ some.user }}/.ssh/known_hosts'
- name: Get rid of SSH "Are you sure you want to continue connecting (yes/no)? BY IP" query
  command: sh -c 'ssh-keyscan -H {{ hostvars[item].ansible_default_ipv4.address }} >> {{ some.dir }}/{{ some.user }}/.ssh/known_hosts'
  delegate_to: "{{ master_first }}"
  with_items: "{{ play_hosts }}"
"get rid of" update:
- name: Get rid of SSH "Are you sure you want to continue connecting (yes/no)? BY NAME" query
  delegate_to: "{{ master_first }}"
  known_hosts:
    name: "{{ item }}"
    state: present
    # the pipe lookup runs ssh-keyscan on the Ansible controller, not on master_first
    # (so 0.0.0.0 yields the controller's own key); item is concatenated rather than
    # nested inside the template, which Jinja does not expand
    key: "{{ lookup('pipe', 'ssh-keyscan -t rsa ' + item) }}"
  with_items:
    - "{{ inventory_hostname }}"
    - "0.0.0.0"
Create an ssh key (only when missing) for an existing user. Important: if the user doesn't exist, it will be created, which may not be desirable:
- name: postgresql user with ssh key
  user:
    generate_ssh_key: yes
    home: /var/lib/postgresql
    name: postgres
Add the keys of remote hosts (name and IP) from two groups in the Ansible inventory, correctly reporting whether they were added or already present:
- name: add other node keys
  when: item != inventory_hostname
  # the braces matter: "A && B || C && D" runs the IP scan (D) even when the key is already present
  shell: |
    ssh-keygen -f /var/lib/postgresql/.ssh/known_hosts -F {{ item }} && echo 'key present' ||
    { ssh-keyscan -H -T 10 {{ item }} >> /var/lib/postgresql/.ssh/known_hosts &&
      ssh-keyscan -H -T 10 {{ hostvars[item].ansible_default_ipv4.address }} >> /var/lib/postgresql/.ssh/known_hosts; }
  register: result
  changed_when: "'key present' not in result.stdout"
  with_flattened:
    - "{{ groups.dbslaves }}"
    - "{{ groups.dbmaster }}"
New ideas in https://www.cyberciti.biz/faq/how-to-upload-ssh-public-key-to-as-authorized_key-using-ansible/
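The ssh-keyscan tasks in the comments above trust whichever key answers on the first scan. An alternative, added here as an example and not taken from any comment: read each node's host public key through the Ansible connection that is already authenticated to it, and pin it on the other nodes with the known_hosts module under both name and IP. Assumed names: the groups dbmaster and dbslaves, host keys at /etc/ssh/ssh_host_ed25519_key.pub, and the postgres user's known_hosts at /var/lib/postgresql/.ssh/known_hosts.

```yaml
# Added example (not a commenter's playbook): pin peer host keys for the
# postgres user without ssh-keyscan. Assumptions: groups dbmaster and dbslaves,
# ed25519 host keys, known_hosts at /var/lib/postgresql/.ssh/known_hosts.
- hosts: dbmaster:dbslaves
  become: true
  vars:
    pg_ssh_dir: /var/lib/postgresql/.ssh
    pg_known_hosts: /var/lib/postgresql/.ssh/known_hosts
  tasks:
    - name: Read this node's own host public key over the existing Ansible session
      slurp:
        src: /etc/ssh/ssh_host_ed25519_key.pub
      register: hostkey          # base64 in hostkey.content; peers read it via hostvars

    - name: Make sure the postgres .ssh directory exists
      file:
        path: "{{ pg_ssh_dir }}"
        state: directory
        owner: postgres
        group: postgres
        mode: "0700"

    - name: Pin every other node's key under its name and under its IP
      # item.0 is the peer host, item.1 selects "name" or "ip": two entries per peer
      vars:
        peer_id: "{{ item.0 if item.1 == 'name' else hostvars[item.0].ansible_default_ipv4.address }}"
        peer_key: "{{ hostvars[item.0].hostkey.content | b64decode | trim }}"
      known_hosts:
        path: "{{ pg_known_hosts }}"
        name: "{{ peer_id }}"
        key: "{{ peer_id }} {{ peer_key }}"
        hash_host: yes           # same effect as ssh-keyscan -H
        state: present
      loop: "{{ ansible_play_hosts | difference([inventory_hostname]) | product(['name', 'ip']) | list }}"

    - name: Give the file back to postgres (the module writes it as root)
      file:
        path: "{{ pg_known_hosts }}"
        owner: postgres
        group: postgres
        mode: "0644"
```

The trust chain here is the controller's own known_hosts: the key for each node arrives over a session the controller already verified, so a host that answers a scan with a different key gets nothing pinned. Re-running the play is idempotent because the known_hosts module replaces an existing entry for the same name rather than appending another line.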
I used standard modules and delegate_to to come up with a pretty nice way of doing this:
I want to create a user on my bastion server(s), create a key pair for that user and upload the public key to the user's authorized keys on all of my web servers, for example.
First in my webservers role I make sure the user has been created:
- name: Create web server admin user
  user:
    name: myadmin
    state: present
Then in my bastion server role I want to create the admin user and generate a key pair at the same time (the registered variable will have the user's public key):
- name: Create admin user with ssh key pair
  user:
    name: myadmin
    generate_ssh_key: yes
    state: present
  register: myadmin
In that same bastion role I want to install the public key on all of my web servers (this is where the delegate_to comes in):
- name: Install myadmin public key on every web server
  authorized_key:
    user: myadmin
    key: "{{ myadmin.ssh_public_key }}"
  delegate_to: "{{ item }}"
  with_items: "{{ groups['webservers'] }}"
Nice, thanks! It's elegant.
Such a great read! Your examples really helped illustrate your points. Looking forward to more of your work!