ansible-ssh-keys's Introduction

ssh-keys

Manage ssh public key authentication (public / private / authorized keys and known hosts) in Debian-like systems.

Requirements

None

Variables

  • ssh_keys_generate_keys: [default: []]: Keys to generate locally

  • ssh_keys_generate_keys.{n}.path: [required] The local path where the key should be generated

  • ssh_keys_generate_keys.{n}.cipher: [default: None]: The cipher to encrypt the private key

  • ssh_keys_generate_keys.{n}.format: [default: OpenSSH]: The format of the public key

  • ssh_keys_generate_keys.{n}.force: [default: false]: Whether to regenerate the key pair if it already exists

  • ssh_keys_generate_keys.{n}.owner: [required]: The name of the user that should own the key pair

  • ssh_keys_generate_keys.{n}.group: [default: owner]: The name of the group that should own the key pair

  • ssh_keys_generate_keys.{n}.mode: [default: 0600]: The UNIX permission mode bits of the key pair

  • ssh_keys_generate_keys.{n}.passphrase: [default: '']: The passphrase for the private key

  • ssh_keys_generate_keys.{n}.size: [default: 4096]: Size in bits of the private key to generate

  • ssh_keys_generate_keys.{n}.type: [default: RSA]: The algorithm used to generate the private key

  • ssh_keys_generate_keys_command: [optional, default: _ssh_keys_generate_keys_command]:

  • ssh_keys_generate_keys_become: [optional, default: false]: Whether or not to use sudo when generating ssh keys (locally)

  • ssh_keys_private_keys: [default: []]: Private key declarations

  • ssh_keys_private_keys.{n}.owner: [required]: The name of the user that should own the file

  • ssh_keys_private_keys.{n}.group: [default: owner]: The name of the group that should own the file

  • ssh_keys_private_keys.{n}.mode: [default: 0600]: The UNIX permission mode bits of the file

  • ssh_keys_private_keys.{n}.src: [required]: The local path of the key

  • ssh_keys_private_keys.{n}.dest: [default: src | basename]: The remote path of the key (relative to home/.ssh/)

  • ssh_keys_private_keys.{n}.dest_absolute: [optional]: The remote path of the key

  • ssh_keys_private_keys.{n}.dest_managed: [default: true]: Whether or not the remote path of the key should be created

  • ssh_keys_private_keys.{n}.state: [default: present]: State

  • ssh_keys_public_keys: [default: []]: Public key declarations

  • ssh_keys_public_keys.{n}.owner: [required]: The name of the user that should own the file

  • ssh_keys_public_keys.{n}.group: [default: owner]: The name of the group that should own the file

  • ssh_keys_public_keys.{n}.mode: [default: 0644]: The UNIX permission mode bits of the file

  • ssh_keys_public_keys.{n}.src: [required]: The local path of the key

  • ssh_keys_public_keys.{n}.dest: [default: src | basename]: The remote path of the key (relative to home/.ssh/)

  • ssh_keys_public_keys.{n}.dest_absolute: [optional]: The remote path of the key

  • ssh_keys_public_keys.{n}.dest_managed: [default: true]: Whether or not the remote path of the key should be created

  • ssh_keys_public_keys.{n}.state: [default: present]: State

  • ssh_keys_authorized_keys: [default: []]: Authorized key declarations

  • ssh_keys_authorized_keys.{n}.owner: [required]: The name of the user that should own the file

  • ssh_keys_authorized_keys.{n}.src: [required]: The local path of the key

  • ssh_keys_authorized_keys.{n}.state: [optional, default: present]: State

  • ssh_keys_authorized_keys.{n}.path: [optional, default: authorized_keys]: Authorized keys file (absolute path, default to ~/.ssh/authorized_keys)

  • ssh_keys_known_hosts: [default: []]: Known hosts declarations

  • ssh_keys_known_hosts.{n}.hostname: [required]: The hostname

  • ssh_keys_known_hosts.{n}.enctype: [required]: The type of the fingerprint

  • ssh_keys_known_hosts.{n}.fingerprint: [required]: The actual fingerprint
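Added here as a worked example (not the role's own code): a small Python resolver that applies the defaults listed above to compute, for each declaration, the managed path, owner, group and mode, and flags private keys or authorized_keys files that would be readable beyond their owner. The passwd data is a constructed sample standing in for the output of getent passwd; the function names plan, resolve, home_dirs and exposed are this example's own.

```python
"""Resolve where the oefenweb.ssh-keys variables place each key file.
Added example, not the role's own code: applies the README defaults (dest
under <home>/.ssh/, dest_absolute override, group = owner, mode 0600/0644,
authorized_keys per owner) to a constructed passwd snippet (stand-in for getent)."""
import os

PASSWD = """root:x:0:0:root:/root:/bin/bash
deploy:x:1001:1001:Deploy:/home/deploy:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""  # constructed sample

def home_dirs(passwd_text):
    """Map user name -> home directory (sixth passwd field)."""
    homes = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 6:
            homes[fields[0]] = fields[5]
    return homes

def resolve(decl, kind, homes):
    """File managed by one declaration; kind is private, public or authorized."""
    owner = decl["owner"]
    if owner not in homes:
        raise KeyError(f"owner {owner!r} has no passwd entry")
    ssh_dir = os.path.join(homes[owner], ".ssh")
    if kind == "authorized":
        rel = decl.get("path", "authorized_keys")
        path = rel if os.path.isabs(rel) else os.path.join(ssh_dir, rel)
    elif decl.get("dest_absolute"):
        path = decl["dest_absolute"]
    else:
        path = os.path.join(ssh_dir, decl.get("dest") or os.path.basename(decl["src"]))
    default_mode = "0644" if kind == "public" else "0600"
    return {"kind": kind, "path": path, "owner": owner,
            "group": decl.get("group", owner),
            "mode": str(decl.get("mode", default_mode)),
            "state": decl.get("state", "present")}

def plan(private=(), public=(), authorized=(), homes=None):
    """Resolve every entry of the three README lists into one flat list."""
    homes = home_dirs(PASSWD) if homes is None else homes
    return ([resolve(d, "private", homes) for d in private]
            + [resolve(d, "public", homes) for d in public]
            + [resolve(d, "authorized", homes) for d in authorized])

def exposed(entries):
    """Private keys or authorized_keys files readable beyond their owner."""
    return [e["path"] for e in entries
            if e["kind"] != "public" and int(e["mode"], 8) & 0o077]
```

Feeding the real getent passwd output to home_dirs lets the same plan be compared against ls -l output on the target after the play runs.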

Dependencies

None

Example

---
- hosts: all
  roles:
    - oefenweb.ssh-keys
  vars:
    ssh_keys_generate_keys:
      - path: ../../../files/ssh-keys/id_rsa
        comment: RSA key
    ssh_keys_private_keys:
      - owner: root
        src: "{{ playbook_dir }}/files/ssh-keys/id_rsa"
    ssh_keys_public_keys:
      - owner: root
        src: "{{ playbook_dir }}/files/ssh-keys/id_rsa.pub"
    ssh_keys_authorized_keys:
      - owner: root
        src: "{{ playbook_dir }}/files/ssh-keys/id_rsa.pub"
    ssh_keys_known_hosts:
      - hostname: github.com
        enctype: ssh-rsa
        fingerprint: 'AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='

License

MIT

Author Information

  • Mark van Driel
  • Mischa ter Smitten

Feedback, bug-reports, requests, ...

Are welcome!


ansible-ssh-keys's Issues

authorized_keys ending up in root and not in owner's

What is the problem

When defining multiple users and authorized keys, the keys end up in /root/.ssh/authorized_keys and not in ~/.ssh/authorized_keys

Expected

Keys are added to the corresponding authorized_keys file (in the user's home dir)

What is happening

Keys end up in root's authorized_keys file and the file is not owned by root but by the last owner of the key

Role version: oefenweb.ssh_keys, v3.0.1
Ansible version: ansible 2.9.6

Steps to reproduce

site.yml

---
- hosts: all
  roles:
    - role: oefenweb.user
    - role: oefenweb.ssh_keys

group_vars/all.yml

---
# User declarations (oefenweb.user)
user_users:
  # ansible for automation
  - name: ansible
    comment: Ansible automation user
    password: xxx
    update_password: always
    append: true
    groups:
      - sudo
      - adm

  - name: user1
    comment: user1
    password: xxxx
    append: true
    groups:
      - sudo
      - adm
    update_password: on_create

  - name: user2
    comment: user2
    password: xxxx
    append: true
    groups:
      - sudo
      - adm
    update_password: on_create

# authorized keys (oefenweb.ssh_keys)
ssh_keys_authorized_keys:
  - owner: ansible
    src: files/keys/ansible-id_rsa.pub
  - owner: user1
    src: files/keys/user1-id_rsa.pub
  - owner: user2
    src: files/keys/user2-id_ecdsa.pub

End result

root@WEB-TEST2:~# ls -la /root/.ssh/authorized_keys 
-rw------- 1 user2 user2 2776 Jul  5 10:32 /root/.ssh/authorized_keys

root@WEB-TEST2:~# wc -l /root/.ssh/authorized_keys 
3 /root/.ssh/authorized_keys

root@WEB-TEST2:~# ls -l /home/ansible/.ssh/
total 0

Debug output

TASK [oefenweb.ssh_keys : authorized-keys | set up for users] *****************************************************************************************************************************************************
task path: /home/zeridon/.ansible/roles/oefenweb.ssh_keys/tasks/authorized-keys.yml:3
ok: [test-web-2] => (item={'owner': 'ansible', 'src': 'files/keys/ansible-id_rsa.pub'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "comment": null,
    "exclusive": false,
    "follow": false,
    "gid": 1007,
    "group": "user2"
    "invocation": {
        "module_args": {
            "comment": null,
            "exclusive": false,
            "follow": false,
            "key": "ssh-rsa XXXX REDACTED XXXX",
            "key_options": null,
            "keyfile": "/root/.ssh/authorized_keys",
            "manage_dir": true,
            "path": "/root/.ssh/authorized_keys",
            "state": "present",
            "user": "ansible",
            "validate_certs": true
        }
    },
    "item": {
        "owner": "ansible",
        "src": "files/keys/ansible-id_rsa.pub"
    },
    "key": "ssh-rsa XXXX REDACTED XXXX",
    "key_options": null,
    "keyfile": "/root/.ssh/authorized_keys",
    "manage_dir": true,
    "mode": "0600",
    "owner": "user2",
    "path": "/root/.ssh/authorized_keys",
    "size": 2776,
    "state": "file",
    "uid": 1007,
    "user": "ansible",
    "validate_certs": true
}

Task fails with password required notice

output:

failed: [IP] (item={'path': '/home/deploy/.ssh/id_rsa', 'owner': 'deploy'}) => {"ansible_loop_var": "item", "changed": false, "item": {"owner": "deploy", "path": "/home/deploy/.ssh/id_rsa"}, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

config:

    # ssh-keys
    ssh_keys_generate_keys:
      - path: /home/deploy/.ssh/id_rsa
        owner: deploy
    ssh_keys_known_hosts:
      - hostname: github.com
        enctype: ssh-rsa
        fingerprint: 'AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='

Get rid of home property

There's already a username so I don't want to also specify a home directory.

You can obtain a user's home directory using getent passwd root | awk -F: '{print $6}', but I couldn't figure out how to combine that data with ssh_keys_users.{n}

Deprecation warning: include

I get a warning from the use of 'include', which can apparently be replaced by 'import_tasks' or 'include_tasks'.

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future
release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This feature will be removed in
a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Private key generation

Any way this can generate a key pair instead of putting private keys in the playbook?

Deprecation warning

Ansible displays deprecation warnings in some tasks:

TASK [tersmitten.ssh-keys : create ssh directory] ******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.


TASK [tersmitten.ssh-keys : create ssh directory] ******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.


TASK [tersmitten.ssh-keys : add private keys] **********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.


TASK [tersmitten.ssh-keys : remove private keys] *******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

TASK [tersmitten.ssh-keys : add public keys] ***********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.


TASK [tersmitten.ssh-keys : remove public keys] ********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.


TASK [tersmitten.ssh-keys : set up authorized_keys for users] ******************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_authorized_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

Group option for private keys

I would like to make a private key accessible to a group, but although this option seems to be available in the configuration, it doesn't work because of the permission 600 applied to private keys. How about read permission for the group when a group is specified?

In the previous version it was possible to workaround this by doing something like this:

owner: www-data
home: /etc/cacti
