Ansible Generate_ssh_key Module
While working on a project, I noticed I needed to generate SSH keys using Ansible to configure my Ubuntu servers. Usually I would do that with the help of ssh-keygen, which could indeed take the form of a shell task. But I always attempt to find an Ansible module that would do that in a neater way. Here are a couple of options I've found.

According to Ansible's docs on Lookups, lookups occur on the local computer, not on the remote computer. So Ansible is attempting to find your users' keys on the 'Ansible Server'. Personally I wouldn't use the generate_ssh_key parameter in your user task. Each user will have a different key for each server.
Mar 02, 2016: Ansible generate SSH key. GitHub Gist by Nailgun, sshkey.yml, created Mar 2, 2016 (1 revision, 4 stars).

Oct 13, 2017: Issue type: bug report. Component name: authorized_key. Ansible version: 2.4. Summary: Ansible 2.4 seems to have a bug with the authorized_key module. Here the code. Name: generate key user: name: linh5847 cr.

Oct 12, 2018: In this blog we will set up an SSH key and an initial user using an Ansible playbook. To create a new user on an Ubuntu system, you need the following things. Generate an ssh-key for this.
Contents
- 2 Getting started
- 2.1 Create and run your first playbook
- 3 Creating User accounts
- 4 Automate adding ssh keys to user accounts
- 5 Use lineinfile to update /etc/sudoers for passwordless sudo
We are going to use Ansible to create user accounts, add users to groups, and set them up with access via ssh by adding their public keys to authorized_keys files. For the minimum version of this task we are just going to do four things:
- Create a list of user names
- Create a user account for each user name.
- Add each user’s ssh public key to the account
- Modify `/etc/sudoers` so the users can use `sudo` without entering a password
The guide has been tested using a new Digital Ocean Ubuntu 17.04 Droplet on the cheapest plan, and everything runs as root when connected to the server via ssh or console (such as with Digital Ocean's Console option on the control panel).
For this guide we are going to set up the playbook to run on a server directly, using the "local" connection method, so when run as root we don't need to worry about additional authentication or setting up host inventories.
Install Ansible
To get Ansible installed you can just run `apt-get install ansible`, which will install version 2.2. Or check out the Ansible documentation if you want to get the latest version.
Create and run your first playbook
To check everything is working as it should, it's best to run a barebones playbook with just a `ping` task, which will check your setup using the simplest version of a playbook possible.
Create a file called `users.yml` with the following snippet, and run it with `ansible-playbook users.yml`.
Don't worry about the `[WARNING]: provided hosts list is empty, only localhost is available` message; we are only working with localhost so this is to be expected.
users.yml
Watch it run
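The barebones playbook described above, written out as an added example (it is not the guide's original snippet): it targets localhost over the local connection and runs a single ping task, which is enough to confirm that Ansible, Python and the connection method all work.

```yaml
---
# users.yml, barebones version (added example, not the guide's own file).
# hosts/connection match the guide: run directly on the server as root,
# so no inventory or remote authentication is needed.
- hosts: localhost
  connection: local
  tasks:
    - name: Check the Ansible setup works
      ping:
```

Run it with `ansible-playbook users.yml`; a single `ok` for the ping task and a `changed=0` recap means the setup is sound.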
Adding a list of users to the playbook vars
At the top of the playbook, we add a simple list of usernames.
vars
Full users.yml
Now we have a list of usernames in a variable, we can use that to create user accounts.
In its simplest form the Ansible User Module just needs to be given a `name`, and we can use `with_items` to apply our list to the module in a loop.
When using `with_items` the value becomes available as `item`; in its simplest form `'{{ item }}'` will use the item value for a module property.
So that our users are more useful, we are also going to add the groups admin and www-data to each user.
user task
Full file
Watch it run
The newly created user accounts on a server don't have passwords set, so to be able to log in we need to add each user's ssh key to their authorized_keys file. We can do this using Ansible's Authorized Key Module, `authorized_key`, which takes a `user` and a public key in `key`.
`key` takes the key content, which can be loaded from a file using the `lookup('file', 'path to file')` function. In this code, we put the public SSH keys in `files/username.key.pub`. By having the file names match the username we can use the same `users` var for the loop without needing to add additional parameters at this stage.
authorized_key task
Dir contents
Full users.yml
Watch it run
Now your users can log in with their ssh keys, but won't be able to do any server admin with `sudo`, because without passwords set they can't enter their password when prompted, which is the command's default behaviour. To get around this limitation, we can update `/etc/sudoers` with Ansible's lineinfile Module.
This simple implementation of `lineinfile` looks for a line starting with (represented in a regexp as `^`) the string `%admin` and then ensures it matches the line
`%admin ALL=(ALL) NOPASSWD: ALL`
Once in place, any users in the admin group will no longer be prompted for a password when using `sudo`.
lineinfile task
Full users.yml
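The four steps of this guide assembled into one playbook, as an added example rather than the guide's original `users.yml`. The usernames, the `admin` group task and the `shell` setting are assumptions for illustration; the public keys are expected at `files/<username>.key.pub` beside the playbook, as the guide describes. The `validate` option on the sudoers task is also an addition: it runs `visudo -c` on the candidate file before it replaces the real one, so a syntax error in the line cannot break sudo for every account on the box.

```yaml
---
# users.yml: added example assembling the guide's four steps.
# Not the guide's own file; see the lead-in for what is assumed.
- hosts: localhost
  connection: local
  vars:
    users:
      - alice   # constructed sample usernames
      - bob
  tasks:
    - name: Ensure the admin group exists (assumption, not in the guide)
      group:
        name: admin
        state: present

    - name: Create a user account for each username
      user:
        name: "{{ item }}"
        groups: admin,www-data
        shell: /bin/bash   # assumption; the guide does not set a shell
      with_items: "{{ users }}"

    - name: Add each user's public key to their authorized_keys file
      # lookup('file') reads on the control machine; with connection: local
      # that is this host, so files/ must sit next to the playbook.
      authorized_key:
        user: "{{ item }}"
        key: "{{ lookup('file', 'files/' + item + '.key.pub') }}"
      with_items: "{{ users }}"

    - name: Let members of the admin group use sudo without a password
      lineinfile:
        dest: /etc/sudoers     # 'path' is the newer alias; 'dest' works on 2.2
        regexp: '^%admin'
        line: '%admin ALL=(ALL) NOPASSWD: ALL'
        # visudo -c rejects a malformed sudoers before lineinfile writes it,
        # so a typo here cannot lock everyone out of sudo.
        validate: '/usr/sbin/visudo -cf %s'
```

Because `groups` is given without `append: yes`, the user module sets exactly these supplementary groups on every run, which is the behaviour you want when the playbook is the single source of truth for group membership.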
Next Steps: Creating a Viable Version
The next part of this guide steps up to the Viable version by expanding the vars to have multiple properties per item, using complex vars to add groups per user, and using the user `state` as a method to disable user accounts. The improved playbook also introduces handlers and notify to restart services when the configuration changes. Improve the user management playbook in the next guide.
- Adds or removes SSH authorized keys for particular user accounts.
Parameter | Choices/Defaults | Comments |
---|---|---|
comment (string) | | Change the comment on the public key. Rewriting the comment is useful in cases such as fetching it from GitHub or GitLab. If no comment is specified, the existing comment will be kept. |
exclusive (boolean) | yes / no | Whether to remove all other non-specified keys from the authorized_keys file. Multiple keys can be specified in a single key string value by separating them by newlines. This option is not loop aware, so if you use `with_`, it will be exclusive per iteration of the loop. If you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above. |
follow (boolean) | yes / no | |
key | | The SSH public key(s), as a string or (since Ansible 1.9) url (https://github.com/username.keys). |
key_options | | A string of ssh key options to be prepended to the key in the authorized_keys file. |
manage_dir (boolean) | yes (default) / no | Whether this module should manage the directory of the authorized key file. If set to yes, the module will create the directory, as well as set the owner and permissions of an existing directory. Be sure to set manage_dir=no if you are using an alternate directory for authorized_keys, as set with path, since you could lock yourself out of SSH access. |
path | | Alternate path to the authorized_keys file. When unset, this value defaults to ~/.ssh/authorized_keys. |
state (string) | present / absent | Whether the given key (with the given key_options) should or should not be in the file. |
user (string / required) | | The username on the remote host whose authorized_keys file will be modified. |
validate_certs (boolean) | yes / no | This only applies if using a https url as the source of the keys. If set to no, the SSL certificates will not be validated. This should only be set to no on personally controlled sites using self-signed certificates, as it avoids verifying the source site. Prior to 2.1 the code worked as if this was set to yes. |
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
exclusive (boolean) | success | If the key has been forced to be exclusive or not. |
key (string) | success | |
key_option | success | Key options related to the key. |
keyfile (string) | success | |
manage_dir | success | Whether this module managed the directory of the authorized key file. Sample: True |
path (string) | success | |
state | success | Whether the given key (with the given key_options) should or should not be in the file. Sample: present |
unique (boolean) | success | |
user | success | The username on the remote host whose authorized_keys file will be modified. Sample: user |
validate_certs (boolean) | success | This only applies if using a https url as the source of the keys. If set to no, the SSL certificates will not be validated. Sample: True |
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Core Team. [core]
Red Hat Support
More information about Red Hat’s support of this module is available from this Red Hat Knowledge Base article.
Authors
- Ansible Core Team