
Comments (7)

roumano commented on July 1, 2024

Hi,
Yes, it's a limitation on the Ansible side (http://docs.ansible.com/ansible/authorized_key_module.html):
"This option is not loop aware, so if you use with_, it will be exclusive per iteration of the loop; if you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above."

But I don't think it will be fixed soon, so I think it would be good to have a workaround.
The workaround would be better in the role than elsewhere, as it will benefit everybody and prevent issues/errors.

Do you think the role could flatten the list and pass all the keys in a single batch to the authorized_key module?

from ansible-role-authorized-key.

groggemans commented on July 1, 2024

Thank you for using this role!

This is as expected. It's a known limitation of the authorized_key module.
You should file an issue in the ansible modules project to fix this problem on the fundamental level.

I'm not sure I want to implement a workaround in this role. You should never use config management as a security system. Everyone with the rights to alter the file already has root privileges, and can implement a dozen other workarounds to still get into the server. This will only give you a false sense of security.

I'll have a better look at possible solutions after work, but I won't make promises about this.

groggemans commented on July 1, 2024

Best solution would be to make the exclusive option a per user thing, and then call the authorized_key module with a concatenated version of the list if it is set to yes.

But I'm still not convinced it's worth it. The only valid reason I can think of for using the exclusive option is when you use a github link for defining the keys. Because then you are managing keys outside of your config management system.

All input/feedback/ideas/opinions welcome!

groggemans commented on July 1, 2024

@roumano Any comments?

sch-m commented on July 1, 2024

> Best solution would be to make the exclusive option a per user thing, and then call the authorized_key module with a concatenated version of the list if it is set to yes.
>
> But I'm still not convinced it's worth it. The only valid reason I can think of for using the exclusive option is when you use a github link for defining the keys. Because then you are managing keys outside of your config management system.
>
> All input/feedback/ideas/opinions welcome!

I used that solution (concatenation) in the past and it works fine most of the time, but then all the key attributes (key_options, state, etc.) can't be configured per key, only per user.

sch-m commented on July 1, 2024

And on the question of whether the exclusive option is really useful or not, I would say: yes.

This is an easy way to make sure that the file contains only the entries you really want.
This also makes the option state: absent more or less superfluous.

leroy0211 commented on July 1, 2024

The doc specifies the following:

> Multiple keys can be specified in a single key string value by separating them by newlines.
> [..]
> If you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.

This has led me, in my own project, to the following extra task:

- name: concat ssh keys
  set_fact:
    authorized_keys: "{% for f in ssh_keys %}{{ lookup('file', f) }}\n{% endfor %}"

- name: Add ssh pub keys
  authorized_key:
    ...
    exclusive: true
    key: "{{ authorized_keys }}"

There is only one other limitation: the comment option now adds the same comment to all keys.
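The concatenation workaround discussed in this thread, worked through as an added example (this is not code from ansible-role-authorized-key or from Ansible itself). It models why `exclusive: true` inside a loop keeps only the last key while a single newline-joined batch keeps all of them, and it builds that batch from a list of per-key entries. Because every line of the batch is a complete authorized_keys line in the `[options] type base64 [comment]` form that sshd reads, per-key options and comments can ride inline instead of through the task-wide `key_options` and `comment` parameters that the two comments above found limiting. The `key`/`options`/`comment` entry layout and the placeholder key bodies are assumptions for this example; before relying on inline options in a real run, confirm on a scratch user that your authorized_key version preserves them when `key_options` is left unset.

```python
"""Flatten per-key entries into one authorized_key 'key' batch.

Added example, not from ansible-role-authorized-key. The exclusive option
is honoured per task run, so a with_items loop with exclusive: true ends
with only the last iteration's key; one batch keeps them all.
"""
import re

# Recognises the key type and base64 body of an OpenSSH public key line.
KEY_RE = re.compile(
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)"
    r"|sk-(?:ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)"
    r"\s+(?P<body>[A-Za-z0-9+/=]+)"
)

# Constructed sample entries (hypothetical role variable layout). The key
# bodies are placeholders, fine for string handling but not loadable keys.
SAMPLE_KEYS = [
    {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1 alice@laptop"},
    {"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample2",
     "comment": "deploy-bot",
     "options": 'command="/usr/local/bin/deploy",no-pty,no-port-forwarding'},
    {"key": "ssh-rsa AAAAB3NzaC1yc2EExample3 bob@desk",
     "options": 'from="10.0.0.0/8"'},
]


def parse_key_line(line):
    """Split an authorized_keys line into (options, type, body, comment)."""
    text = line.strip()
    match = KEY_RE.search(text)
    if not match:
        raise ValueError("not an OpenSSH public key line: %r" % line)
    options = text[: match.start()].strip()
    comment = text[match.end():].strip()
    return options, match.group("type"), match.group("body"), comment


def render_key_line(entry):
    """Build one authorized_keys line from an entry dict.

    'options' and 'comment' in the entry override whatever the 'key' text
    already carried, so restrictions stay per key rather than per user.
    """
    options, ktype, body, comment = parse_key_line(entry["key"])
    options = entry.get("options", options)
    comment = entry.get("comment", comment)
    return " ".join(part for part in (options, ktype, body, comment) if part)


def build_batch(entries):
    """The single string to hand to authorized_key's 'key' parameter."""
    return "\n".join(render_key_line(e) for e in entries)


def exclusive_run(key_batch):
    """Model one authorized_key task run with exclusive: true.

    The resulting file holds exactly the keys of this call's batch; anything
    previously in the file but absent from the batch is gone.
    """
    return [line for line in key_batch.split("\n") if line]


def loop_exclusive(entries):
    """with_items over entries, exclusive: true: each iteration is a full run."""
    file_lines = []
    for entry in entries:
        file_lines = exclusive_run(render_key_line(entry))
    return file_lines


def batch_exclusive(entries):
    """One task, all keys in a single batch, exclusive: true."""
    return exclusive_run(build_batch(entries))


if __name__ == "__main__":
    print("loop keeps %d key(s)" % len(loop_exclusive(SAMPLE_KEYS)))
    print("batch keeps %d key(s)" % len(batch_exclusive(SAMPLE_KEYS)))
    print(build_batch(SAMPLE_KEYS))
```

The string returned by `build_batch` is what the `set_fact` task above produces from files; here it is built from structured entries so that `command=`, `from=` and similar restrictions can differ per key.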
