Comments (7)
Hi,
Yes, it's a limitation on the Ansible side (http://docs.ansible.com/ansible/authorized_key_module.html: "This option is not loop aware, so if you use with_ , it will be exclusive per iteration of the loop, if you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.")
But I don't think it will be fixed soon, so I think it would be good to have a workaround.
The workaround would be better placed in the role than earlier, as it will benefit everybody and prevent issues/errors.
Do you think the role can flatten the list to pass them all in a single batch to the authorized_key module?
from ansible-role-authorized-key.
Thank you for using this role!
This is as expected. It's a known limitation of the authorized_key module.
You should file an issue in the ansible modules project to fix this problem on the fundamental level.
I'm not sure I want to implement a workaround in this role. You should never use config management as a security system. Everyone with the rights to alter the file already has root privileges, and can implement a dozen other workarounds to still get into the server. This will only give you a false sense of security.
I'll have a better look at possible solutions after work, but I won't make promises about this.
Best solution would be to make the exclusive option a per-user thing, and then call the authorized_key module with a concatenated version of the list if it is set to yes.
But I'm still not convinced it's worth it. The only valid reason I can think of for using the exclusive option is when you use a GitHub link for defining the keys, because then you are managing keys outside of your config management system.
All input/feedback/ideas/opinions welcome!
@roumano Any comments?
Best solution would be to make the exclusive option a per-user thing, and then call the authorized_key module with a concatenated version of the list if it is set to yes. But I'm still not convinced it's worth it. The only valid reason I can think of for using the exclusive option is when you use a GitHub link for defining the keys, because then you are managing keys outside of your config management system.
All input/feedback/ideas/opinions welcome!
I used that solution (concatenation) in the past and it's working fine most of the time, but then all the key attributes (key_options, state, etc.) can't be configured per key, only per user.
And regarding the question whether the option exclusive is really useful or not, I would say: yes.
This is an easy way to make sure that the file contains only the entries you really want.
This also makes the option state: absent more or less superfluous.
The doc specifies the following:
Multiple keys can be specified in a single key string value by separating them by newlines.
[..]
If you want multiple keys in the file you need to pass them all to key in a single batch as mentioned above.
This has led me, in my own project, to the following extra task:
- name: concat ssh keys
  set_fact:
    authorized_keys: "{% for f in ssh_keys %}{{ lookup('file', f) }}\n{% endfor %}"
- name: Add ssh pub keys
  authorized_key:
    ...
    exclusive: true
    key: "{{ authorized_keys }}"
There is only one other limitation: the comment option now adds the same comment to all keys.
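The per-user design the maintainer proposes above, combined with the concatenation workaround from the last comment, written out as an added example playbook. It is not the role's own code and not code from the issue: the user names, key file paths and the managed_users variable layout are assumptions made for the example. Each user gets exactly one authorized_key call whose key value is that user's keys joined with newlines, so exclusive mode keeps the whole batch instead of only the last loop iteration.

```yaml
# Added example, not part of ansible-role-authorized-key.
# One authorized_key call per user; the user's keys are concatenated into a
# single newline-separated batch so that "exclusive" is applied per user
# rather than per loop iteration (which would leave only the last key).
- name: Manage authorized keys per user, with exclusive applied per user
  hosts: all
  become: true
  vars:
    # Constructed sample data: user names and key paths are assumptions.
    managed_users:
      - name: alice
        exclusive: true
        authorized_keys:
          - "{{ lookup('file', 'keys/alice_laptop.pub') }}"
          - "{{ lookup('file', 'keys/alice_desktop.pub') }}"
      - name: deploy
        exclusive: false
        # key_options applies to every key in the batch, not per key
        key_options: 'no-port-forwarding,no-agent-forwarding'
        authorized_keys:
          - "{{ lookup('file', 'keys/deploy_ci.pub') }}"
  tasks:
    - name: Install each user's keys in a single batch
      authorized_key:
        user: "{{ item.name }}"
        # Multiple keys in one string, separated by newlines, as the
        # module documentation describes.
        key: "{{ item.authorized_keys | join('\n') }}"
        exclusive: "{{ item.exclusive | default(false) }}"
        key_options: "{{ item.key_options | default(omit) }}"
        state: present
      loop: "{{ managed_users }}"
      loop_control:
        label: "{{ item.name }}"
```

Because the whole batch is one module call, key_options, comment and state are necessarily per user here, which is the limitation noted in the comments above; a key that must be removed from an exclusive user is removed by dropping it from the list rather than with state: absent.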