grog / ansible-role-authorized-key Goto Github PK

View Code? Open in Web Editor NEW

25.0 4.0 7.0 13 KB

Ansible role for managing authorized keys.

Home Page: https://galaxy.ansible.com/GROG/authorized-key

License: MIT License

ansible-role-authorized-key's Introduction

Authorized-key

A role for managing authorized keys.

Following roles where designed to neatly work together with this role:

user, for managing users.
sudo, for managing sudo rights.

The management-user role combines all these roles in one easy to use role.

Requirements

Hosts should be bootstrapped for ansible usage (have python,...)
Root privileges, eg become: yes

Role Variables

Variable	Description	Default value
`authorized_key_list`	List of users and their keys (see details!)	`[]`
`authorized_key_list_host`	List of users and their keys (see details!)	`[]`
`authorized_key_list_group`	List of users and their keys (see details!)	`[]`
`authorized_key_exclusive`	Default value for `exclusive`	`no`
`authorized_key_key_options`	Default value for `key_options`	/
`authorized_key_manage_dir`	Default value for `manage_dir`	`yes`
`authorized_key_state`	Default value for `state`	`present`

`authorized_key_list` details

authorized_key_list, authorized_key_list_host and authorized_key_list_group are merged when managing the authorized keys. You can use the host and group lists to specify keys per host or group off hosts.

The authorized-key list allows you to define which users and there keys must be managed. Each item in the list consists of a username and a list of keys.

Variable	Description	Default
`name`	User name	/
`authorized_keys`	List of keys	/

Each key in the list of authorized_keys can have following attributes:

Variable	Description	Required	Default
`exclusive`	Should this key be exclusive?	no	`authorized_key_exclusive`
`key`	SSH key	yes	/
`key_options`	SSH key options to prepend to key	no	/
`manage_dir`	Manage the authorized_keys directory?	no	`authorized_key_manage_dir`
`path`	Path for the SSH key	no	'home_dir/.ssh/authorized_keys'
`state`	State of the key (present/absent)	no	`authorized_key_state`

Example `authorized_key_list`

authorized_key_list:
  - name: testuser1
    authorized_keys:
      - key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"
      - key: "{{ lookup('file', '/home/john/.ssh/id_rsa.pub') }}"
        state: absent
  - name: testuser2
    authorized_keys:
      - key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"

Dependencies

None.

Example Playbook

---
- hosts: servers
  roles:
  - { role: GROG.authorized-key, become: yes }

Inside group_vars/servers.yml:

authorized_key_list_group:
  - name: user
    authorized_keys:
      - key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"
      - key: "{{ lookup('file', '/home/john/.ssh/id_rsa.pub') }}"

Contributing

All assistance, changes or ideas welcome!

Author

By G. Roggemans

License

MIT

ansible-role-authorized-key's People

Contributors

Stargazers

Watchers

Forkers

islammohamed mario21ic adhanowa markopolo123 blackcobra1973 knorrkator kkonnov

ansible-role-authorized-key's Issues

Template error while templating string

ASK [GROG.authorized-key : Manage authorized keys] *********************************************************************************************************************************************************************************************
task path: /private/etc/ansible/roles/GROG.authorized-key/tasks/main.yml:3
fatal: [10.82.136.9]: FAILED! => {
"failed": true,
"msg": "{{ authorized_key_list + authorized_key_list_host + authorized_key_list_group }}: [{u'authorized_keys': [{u'key': u"{{ lookup('file', 'files/user.keys) }}"}], u'name': u'user'}]: template error while templating string: unexpected char u"'" at 18. String: {{ lookup('file', 'files/user.keys) }}"
}
fatal: [10.104.136.14]: FAILED! => {
"failed": true,
"msg": "{{ authorized_key_list + authorized_key_list_host + authorized_key_list_group }}: [{u'authorized_keys': [{u'key': u"{{ lookup('file', 'files/user.keys) }}"}], u'name': u'user'}]: template error while templating string: unexpected char u"'" at 18. String: {{ lookup('file', 'files/user.keys) }}"
}
fatal: [10.3.8.5]: FAILED! => {
"failed": true,
"msg": "{{ authorized_key_list + authorized_key_list_host + authorized_key_list_group }}: [{u'authorized_keys': [{u'key': u"{{ lookup('file', 'files/user.keys) }}"}], u'name': u'user'}]: template error while templating string: unexpected char u"'" at 18. String: {{ lookup('file', 'files/user.keys) }}"
}

ssh-keys.yaml:

---
- hosts: azure
  roles:
    - { role: GROG.authorized-key, become: yes }

servers.yaml

authorized_key_list_group:
  - name: egilb1
    authorized_keys:
      - key: "{{ lookup('file', 'files/egilb1.keys) }}"

files/user.keys is in the dir I'm running the playbook from, so the path is relative.

exclusive option with several key not working

exclusive option is not working as exepected for me
maybe linked to this :
http://docs.ansible.com/ansible/authorized_key_module.html
say :
This option is not loop aware, so if you use with_ , it will be exclusive per iteration of the loop, if you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.

i want to manage root ssh key (only used for emergency issue) for several user but i want/need to be sure, no other person can connect as root with ssh keys
I have create :
authorized_key_list:

name: root
- key: "ssh-rsa ssh_user2_key1"
- key: "ssh-rsa ssh_user2_key1"
  authorized_key_list_group:
name: root
authorized_keys:
- key: "ssh-rsa ssh_user3_key1"

so if

i set "authorized_key_exclusive: no" and exclusive: no,
anyone can edit manually the root ssh key and this ansible role will not change it or even detect it
i add authorized_key_exclusive: yes
i get only the ssh-rsa ssh_user3_key1 in my root account
if i add exclusive: yes on first ssh key ( aka "ssh-rsa ssh_user2_key1")
it's always recreate the root ssh keys and the result will be always "changed=1"

AttributeError: 'module' object has no attribute 'HTTPSConnection'

On a fresh opensuse 15.1 installation i get an AttributeError.
Another opensuse 15.1 installation works flawlessly.
Any clue what kind of dependency is missing?

thanks!

The full traceback is:
Traceback (most recent call last):
File "", line 114, in
File "", line 106, in _ansiballz_main
File "", line 49, in invoke_module
File "/tmp/ansible_authorized_key_payload_4oX_0b/main.py", line 230, in
File "/tmp/ansible_authorized_key_payload_4oX_0b/ansible_authorized_key_payload.zip/ansible/module_utils/urls.py", line 402, in
AttributeError: 'module' object has no attribute 'HTTPSConnection'

failed: [test] (item=[{'name': 'acb'}, {'key': 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFS3XxUR92/mvUnjDgYBW7tUl0sp6uT28WG9CzIIPQXP 20190710 - harkonnen - kallisti'}]) => {
"ansible_loop_var": "item",
"changed": false,
"item": [
{
"name": "acb"
},
{
"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFS3XxUR92/mvUnjDgYBW7tUl0sp6uT28WG9CzIIPQXP 20190710 - harkonnen - kallisti"
}
],
"module_stderr": "Traceback (most recent call last):\n File "", line 114, in \n File "", line 106, in _ansiballz_main\n File "", line 49, in invoke_module\n File "/tmp/ansible_authorized_key_payload_4oX_0b/main.py", line 230, in \n File "/tmp/ansible_authorized_key_payload_4oX_0b/ansible_authorized_key_payload.zip/ansible/module_utils/urls.py", line 402, in \nAttributeError: 'module' object has no attribute 'HTTPSConnection'\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}