Ansible: distribute ssh authorized key to all inventory

Requirements

  • Inventory file “inv_target_nodes_with_pass”:

    Inventory file with all the hosts and their SSH password. We will only use this inventory file to deploy the SSH authorized key and can remove it afterwards.

    target_node1 ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=mypassword
    target_node2 ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=mypassword

Note: It is good practice to use a dedicated user instead of root, one that is only used by Ansible to connect. This way we get good traceability and avoid handing out full root access.

  • Inventory file “inv_target_nodes_without_pass”:

    Inventory file with all the hosts and without the SSH password, to be used as the permanent inventory file.

    target_node1
    target_node2

Generate ssh key on ansible server

To generate the ssh private and public key, we execute the command below on the ansible server machine:

$ ssh-keygen

Example:

root@node_manager:/# ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:xxLKUd6HY/4US5Cal5GFkh0sF/FS34gKFRTo8D5k+CM root@node_manager
The key's randomart image is:
+---[RSA 3072]----+
|    *OBo         |
| . =.=* o o      |
|  =.+* o o .     |
| . =+ *          |
|  =+ + oS        |
| Eo=o o.o        |
| ...o=.+         |
|. o o.+          |
|+o .....         |
+----[SHA256]-----+

Playbook

add_ssh_authorized_key.yml

---
- name: "Add ssh authorized key to hosts"
  hosts: all
  # No facts are needed to install a key, so skip gathering to speed up the run
  gather_facts: no

  tasks:

  - name: "Set authorized key taken from file"
    authorized_key:
      user: root
      state: present
      # The public key is read on the ansible server (lookup runs locally)
      key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
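The playbook below is an added example, not part of the original post, that applies the note from the Requirements section: instead of installing the key for root, it creates a dedicated management user (the user name `ansible`, the key path and the sudoers drop-in are assumptions), locks its password so only key-based login works, grants it sudo with a validated sudoers file and installs the manager's public key for that user only. It uses the `ansible.posix.authorized_key` FQCN, so the `ansible.posix` collection must be installed.

```yaml
---
- name: "Create a dedicated Ansible user and deploy the manager's public key"
  hosts: all
  gather_facts: no
  vars:
    # Assumed values: adapt the user name and the key path to your environment
    ansible_mgmt_user: ansible
    manager_pubkey: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"

  tasks:
    - name: "Create the management user with a locked password (key-only login)"
      ansible.builtin.user:
        name: "{{ ansible_mgmt_user }}"
        shell: /bin/bash
        password_lock: yes
        state: present

    - name: "Allow the management user to escalate with sudo"
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/{{ ansible_mgmt_user }}"
        content: "{{ ansible_mgmt_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        # visudo checks the syntax before the file is put in place, so a typo
        # cannot break sudo on the target host
        validate: "visudo -cf %s"

    - name: "Install the manager's public key for the management user only"
      ansible.posix.authorized_key:
        user: "{{ ansible_mgmt_user }}"
        state: present
        key: "{{ manager_pubkey }}"
```

Run it once with `inv_target_nodes_with_pass`; afterwards the permanent inventory should carry `ansible_user=ansible` and the check becomes `ansible -i inv_target_nodes_without_pass -b -m command -a 'id -un' all`, which should report `root` for every host.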

Execute the Playbook

Run the following command to deploy the ssh authorized key on all the inventory hosts, such as ‘target_node1’ and ‘target_node2’:

root@node_manager:/# ansible-playbook add_ssh_authorized_key.yml -i inv_target_nodes_with_pass

PLAY [Add ssh authorized key to hosts] ************************************************************************************************************************************************

TASK [Set authorized key taken from file] *********************************************************************************************************************************************
changed: [target_node2]
changed: [target_node1]

PLAY RECAP ****************************************************************************************************************************************************************************
target_node1               : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
target_node2               : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Check the remote nodes (optional)

To check that the deployment was successful, we can log in to each target_node server and execute the command below:

[root@target_node1]# cat /root/.ssh/authorized_keys
ssh-rsa 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 root@node_manager

We can see that the key from the node_manager (our ansible machine) is already in the file on the remote host.

Check the connection with the ping module

To check that the connection works without any password in our inventory file we execute the following command:

root@node_manager# ansible -i inv_target_nodes_without_pass -m ping all

target_node1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}
target_node2 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "changed": false,
    "ping": "pong"
}

This article was written by RoberMB

💻OS, ☁️Cloud, 🛡️Cybersecurity, ✈️Traveling #Linux, #Ansible, #AWS, #VMware, #Docker 🏴‍☠️ CEH v10, CPHE 🏴‍☠️ ... Always learning, always enjoying.
