{"id":1975,"date":"2024-02-16T15:18:00","date_gmt":"2024-02-16T14:18:00","guid":{"rendered":"https:\/\/robermb.com\/blog\/?p=1975"},"modified":"2024-07-01T12:29:00","modified_gmt":"2024-07-01T10:29:00","slug":"ansible-distribute-ssh-authorized-key-to-all-inventory","status":"publish","type":"post","link":"https:\/\/robermb.com\/blog\/geeks\/ansible-distribute-ssh-authorized-key-to-all-inventory\/","title":{"rendered":"Ansible: distribute ssh authorized key to all inventory"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Requirements<\/h3>\n\n\n\n<ul><li>Inventory file &#8220;inv_target_nodes_with_pass&#8221;:<br><br>Inventory file with all the hosts and their ssh password on it (we will only use this inventory file to deploy the ssh authorized key; afterwards we can remove it).<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>target_node1 ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=mypassword\ntarget_node2 ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=mypassword<\/code><\/pre>\n\n\n\n<p class=\"has-black-color has-pale-cyan-blue-background-color has-text-color has-background\"><em><span style=\"text-decoration: underline;\"><strong>Note<\/strong><\/span><\/em>: <em>It&#8217;s good practice to use, instead of root, a dedicated user that is only used to connect from ansible. 
This way we get good traceability and avoid handing out full root access.<\/em><\/p>\n\n\n\n<ul><li>Inventory file &#8220;inv_target_nodes_without_pass&#8221;:<br><br>Inventory file with all the hosts but without the ssh password, to be used as the permanent inventory file.<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>target_node1\ntarget_node2<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Generate ssh key on ansible server<\/h3>\n\n\n\n<p>To generate the ssh private and public key pair, we execute the command below on the ansible server machine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ ssh-keygen<\/code><\/pre>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@node_manager:\/# ssh-keygen\n\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/root\/.ssh\/id_rsa): \nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/root\/.ssh\/id_rsa\nYour public key has been saved in \/root\/.ssh\/id_rsa.pub\nThe key fingerprint is:\nSHA256:xxLKUd6HY\/4US5Cal5GFkh0sF\/FS34gKFRTo8D5k+CM root@node_manager\nThe key's randomart image is:\n+---&#91;RSA 3072]----+\n|    *OBo         |\n| . =.=* o o      |\n|  =.+* o o .     |\n| . =+ *          |\n|  =+ + oS        |\n| Eo=o o.o        |\n| ...o=.+         |\n|. o o.+          |\n|+o .....         
|\n+----&#91;SHA256]-----+<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Playbook<\/h3>\n\n\n\n<p>add_ssh_authorized_key.yml<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>---\n- name: \"Add ssh authorized key to hosts\"\n  hosts: all\n  gather_facts: no\n\n  vars:\n\n  tasks: \n\n  - name: \"Set authorized key taken from file\"\n    authorized_key:\n      user: root\n      state: present\n      key: \"{{ lookup('file', '\/root\/.ssh\/id_rsa.pub') }}\"<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Execute the Playbook<\/h3>\n\n\n\n<p>Run the following command to deploy the ssh authorized key on all the inventory hosts, such as &#8216;target_node1&#8217; and &#8216;target_node2&#8217;:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@node_manager:\/# ansible-playbook add_ssh_authorized_key.yml -i inv_target_nodes_with_pass\n\nPLAY &#91;Add ssh authorized key to hosts] ************************************************************************************************************************************************\n\nTASK &#91;Set authorized key taken from file] *********************************************************************************************************************************************\nchanged: &#91;target_node2]\nchanged: &#91;target_node1]\n\nPLAY RECAP ****************************************************************************************************************************************************************************\ntarget_node1               : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   \ntarget_node2               : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Check the remote nodes (optional)<\/h3>\n\n\n\n<p>To check that the deployment was successful, we can log in to each target_node server and run the command below:<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>&#91;root@target_node1]# cat \/root\/.ssh\/authorized_keys\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDkJqDzdGuRtE0phEMyRIlERHKtNbKti0SKmzJ6n6V7VgJX61A5fsa5YH8BdH8IPY5g680rfgJonOpceupaxaZWYLQa1zk0rwu0TkYuop1\/JOlwtbsdfhEvTkQEikT+mgkZ\/MYvIiB+ewxE0nCm17RG70\/cZEd5TsOUojDIFaJwNSNMQ2NDO9S1M2xkUvLxYIIUFITf3rCtUA7ZZLciuK7k5z8pJpKdPhTgea8WMnq+jkAKHcsrcfq1KQv9tvRwfUIZ7Eb7f0TiIHKkcJAI6q9hiCuKSPt0hcmL0gw8bOVQPP8mzyidwZenrw3\/ppQKRKWm2n5DkJiU1RiXwuF\/q7Ylpc7FELw3E5JI4XuJyaGj28Z9NhYz5frwZiQkJv8hOHr7gLcK8IWFFJ\/X4gM+HKkIfwixRZLywxN4fgMYVx9CIZRKk0qqz3FJOBrsQH9Fev0\/Xnlq2Wgp1TNrZ1mfK\/FQzsNmpd1avF3JPm8JU1GW+xzxiiQs\/q3E8nznUF4xk78= root@node_manager<\/code><\/pre>\n\n\n\n<p>We can see that the key from the node_manager (our ansible machine) is already in the file on the remote host.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Check the connexion with Ping module<\/h3>\n\n\n\n<p>To check that the connection works without any password in our inventory file we execute the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@node_manager# ansible -i inv_target_nodes_without_pass -m ping all\n\ntarget_node1 | SUCCESS =&gt; {\n    \"ansible_facts\": {\n        \"discovered_interpreter_python\": \"\/usr\/libexec\/platform-python\"\n    },\n    \"changed\": false,\n    \"ping\": \"pong\"\n}\ntarget_node2 | SUCCESS =&gt; {\n    \"ansible_facts\": {\n        \"discovered_interpreter_python\": \"\/usr\/libexec\/platform-python\"\n    },\n    \"changed\": false,\n    \"ping\": \"pong\"\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Requirements Inventory file &#8220;inv_target_nodes_with_pass&#8221;: Inventory file with all the hosts and the password on it (we only will use this &hellip; <a href=\"https:\/\/robermb.com\/blog\/geeks\/ansible-distribute-ssh-authorized-key-to-all-inventory\/\" class=\"more-link\">More <span class=\"screen-reader-text\">Ansible: distribute ssh authorized key to all inventory<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1961,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[103,2],"tags":[106,112,126],"_links":{"self":[{"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/posts\/1975"}],"collection":[{"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/comments?post=1975"}],"version-history":[{"count":12,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/posts\/1975\/revisions"}],"predecessor-version":[{"id":2157,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/posts\/1975\/revisions\/2157"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/media\/1961"}],"wp:attachment":[{"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/media?parent=1975"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/categories?post=1975"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/robermb.com\/blog\/wp-json\/wp\/v2\/tags?post=1975"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}