
ansible-ssh-keys's People

Contributors

dsteinkopf, mvdriel, nkakouros, tersmitten, zeridon


ansible-ssh-keys's Issues

Group option for private keys

I would like to make a private key accessible for a group, but although this option seems to be available in the configuration, it doesn't work because of the permission 600 applied to private keys. How about read permission for the group when a group is specified?

In the previous version it was possible to workaround this by doing something like this:

owner: www-data
home: /etc/cacti

Deprecation warning

Ansible displays deprecation warnings in some tasks:

TASK [tersmitten.ssh-keys : create ssh directory] ******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.


TASK [tersmitten.ssh-keys : create ssh directory] ******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.


TASK [tersmitten.ssh-keys : add private keys] **********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.


TASK [tersmitten.ssh-keys : remove private keys] *******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

TASK [tersmitten.ssh-keys : add public keys] ***********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.


TASK [tersmitten.ssh-keys : remove public keys] ********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
 Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.


TASK [tersmitten.ssh-keys : set up authorized_keys for users] ******************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_authorized_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.

authorized_keys ending up in root and not in owner's

What is the problem

When defining multiple users and authorized keys, the keys end up in /root/.ssh/authorized_keys and not in ~/.ssh/authorized_keys

Expected

Keys are added to the corresponding authorized_keys file (in the user's home dir)

What is happening

Keys end up in root's authorized_keys file and the file is not owned by root but by the last owner of the key

Role version: oefenweb.ssh_keys, v3.0.1
Ansible version: ansible 2.9.6

Steps to reproduce

site.yml

---
- hosts: all
  roles:
    - role: oefenweb.user
    - role: oefenweb.ssh_keys

group_vars/all.yml

---
# User declarations (oefenweb.user)
user_users:
  # ansible for automation
  - name: ansible
    comment: Ansible automation user
    password: xxx
    update_password: always
    append: true
    groups:
      - sudo
      - adm

  - name: user1
    comment: user1
    password: xxxx
    append: true
    groups:
      - sudo
      - adm
    update_password: on_create

  - name: user2
    comment: user2
    password: xxxx
    append: true
    groups:
      - sudo
      - adm
    update_password: on_create

# authorized keys (oefenweb.ssh_keys)
ssh_keys_authorized_keys:
  - owner: ansible
    src: files/keys/ansible-id_rsa.pub
  - owner: user1
    src: files/keys/user1-id_rsa.pub
  - owner: user2
    src: files/keys/user2-id_ecdsa.pub

End result

root@WEB-TEST2:~# ls -la /root/.ssh/authorized_keys 
-rw------- 1 user2 user2 2776 Jul  5 10:32 /root/.ssh/authorized_keys

root@WEB-TEST2:~# wc -l /root/.ssh/authorized_keys 
3 /root/.ssh/authorized_keys

root@WEB-TEST2:~# ls -l /home/ansible/.ssh/
total 0

Debug output

TASK [oefenweb.ssh_keys : authorized-keys | set up for users] *****************************************************************************************************************************************************
task path: /home/zeridon/.ansible/roles/oefenweb.ssh_keys/tasks/authorized-keys.yml:3
ok: [test-web-2] => (item={'owner': 'ansible', 'src': 'files/keys/ansible-id_rsa.pub'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "comment": null,
    "exclusive": false,
    "follow": false,
    "gid": 1007,
    "group": "user2",
    "invocation": {
        "module_args": {
            "comment": null,
            "exclusive": false,
            "follow": false,
            "key": "ssh-rsa XXXX REDACTED XXXX",
            "key_options": null,
            "keyfile": "/root/.ssh/authorized_keys",
            "manage_dir": true,
            "path": "/root/.ssh/authorized_keys",
            "state": "present",
            "user": "ansible",
            "validate_certs": true
        }
    },
    "item": {
        "owner": "ansible",
        "src": "files/keys/ansible-id_rsa.pub"
    },
    "key": "ssh-rsa XXXX REDACTED XXXX",
    "key_options": null,
    "keyfile": "/root/.ssh/authorized_keys",
    "manage_dir": true,
    "mode": "0600",
    "owner": "user2",
    "path": "/root/.ssh/authorized_keys",
    "size": 2776,
    "state": "file",
    "uid": 1007,
    "user": "ansible",
    "validate_certs": true
}

Private key generation

Any way this can generate a key pair instead of putting private keys in the playbook?

Deprecation warning: include

I get a warning from the use of 'include', which can apparently be replaced by 'import_tasks' or 'include_tasks'.

[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future
release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This feature will be removed in
a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

Task fails with password required notice

output:

failed: [IP] (item={'path': '/home/deploy/.ssh/id_rsa', 'owner': 'deploy'}) => {"ansible_loop_var": "item", "changed": false, "item": {"owner": "deploy", "path": "/home/deploy/.ssh/id_rsa"}, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

config:

    # ssh-keys
    ssh_keys_generate_keys:
      - path: /home/deploy/.ssh/id_rsa
        owner: deploy
    ssh_keys_known_hosts:
      - hostname: github.com
        enctype: ssh-rsa
        fingerprint: 'AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='

Get rid of home property

There's already a username so I don't want to also specify a home directory.

You can obtain a user's home directory using getent passwd root | awk -F: '{print $6}', but I couldn't figure out how to combine that data with ssh_keys_users.{n}
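An added audit script, not code from the oefenweb.ssh_keys role, that checks authorized_keys placement and ownership from captured `ls -l` and `getent passwd` output; it covers the misplaced-file symptom from the "authorized_keys ending up in root" report above and the home-directory lookup via getent mentioned in this issue. Both inputs below are constructed samples.

```python
import re
from typing import Dict, List, Optional

# Constructed `getent passwd` output (name:x:uid:gid:gecos:home:shell), not from real hosts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ansible:x:1005:1005:Ansible automation user:/home/ansible:/bin/bash
user1:x:1006:1006:user1:/home/user1:/bin/bash
user2:x:1007:1007:user2:/home/user2:/bin/bash
"""
# Constructed `ls -l` output: the misplaced file from the report, one correct file,
# and one that is group-writable (sshd's StrictModes rejects that).
LS_OUTPUT = """\
-rw------- 1 user2 user2 2776 Jul  5 10:32 /root/.ssh/authorized_keys
-rw------- 1 user1 user1  600 Jul  5 10:32 /home/user1/.ssh/authorized_keys
-rw-rw-r-- 1 user2 user2  400 Jul  5 10:33 /home/user2/.ssh/authorized_keys
"""
LS_RE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+"
                   r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$")

def parse_homes(passwd_text: str) -> Dict[str, str]:
    """Map user name -> home directory (field 6), like `getent passwd | awk -F: '{print $6}'`."""
    homes = {}
    for fields in (line.split(":") for line in passwd_text.splitlines()):
        if len(fields) >= 7:
            homes[fields[0]] = fields[5]
    return homes

def home_owner(path: str, homes: Dict[str, str]) -> Optional[str]:
    """User whose home directory contains `path`; the longest matching home wins."""
    matches = [u for u, h in homes.items() if path.startswith(h.rstrip("/") + "/")]
    return max(matches, key=lambda u: len(homes[u])) if matches else None

def audit(ls_text: str, passwd_text: str) -> List[str]:
    """One finding per authorized_keys file that is misplaced, mis-owned or too open."""
    homes, findings = parse_homes(passwd_text), []
    for m in filter(None, map(LS_RE.match, ls_text.splitlines())):
        path, owner, mode = m["path"], m["owner"], m["mode"]
        if not path.endswith("/.ssh/authorized_keys"):
            continue
        expected = home_owner(path, homes)
        if expected is None:
            findings.append(f"{path}: not inside any known home directory")
        elif owner != expected:
            # Owner mismatch: whoever owns the file decides who may log in as `expected`.
            findings.append(f"{path}: owned by {owner}, expected {expected}")
        if "w" in (mode[5], mode[8]):
            findings.append(f"{path}: group/world writable ({mode}); sshd StrictModes refuses it")
    return findings
```

Feed it the real `ls -l /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys` and `getent passwd` output after a role run to confirm every file sits in its owner's home.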
