oefenweb / ansible-ssh-keys
Ansible role to manage ssh keys in Debian-like systems
License: MIT License
I would like to make a private key accessible to a group, but although this option seems to be available in the configuration, it doesn't work because of the 600 permission applied to private keys. How about read permission for the group when a group is specified?
In the previous version it was possible to work around this by doing something like this:
  owner: www-data
  home: /etc/cacti
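What the request above amounts to, written as a stand-alone play. This is an added example, not the role's own code: it assumes a list variable ssh_keys_private_keys whose items carry src, dest, owner and an optional group (the role's real item keys may differ), and the sample entries are constructed. A key gets mode 0640 only when a group is given and stays 0600 otherwise; the containing directory gets group traverse rights for the same reason, because a 0700 directory would make the group bit on the key useless. A final check fails the play if any key ends up readable by others or owned by someone else.

```yaml
---
# Added example, not part of the oefenweb.ssh_keys role.
# Assumed item shape: src, dest, owner, optional group.
- hosts: all
  become: true
  vars:
    ssh_keys_private_keys:                     # constructed sample data
      - src: files/keys/cacti-id_ed25519       # placeholder path on the controller
        dest: /etc/cacti/.ssh/id_ed25519
        owner: www-data
        group: cacti-readers                   # group that may read the key
      - src: files/keys/deploy-id_ed25519
        dest: /home/deploy/.ssh/id_ed25519
        owner: deploy                          # no group: stays 0600
  tasks:
    - name: private keys | ensure the key directory exists (group needs traverse rights)
      ansible.builtin.file:
        path: "{{ item.dest | dirname }}"
        state: directory
        owner: "{{ item.owner }}"
        group: "{{ item.group | default(item.owner) }}"
        mode: "{{ '0750' if item.group is defined else '0700' }}"
      loop: "{{ ssh_keys_private_keys }}"
      loop_control:
        label: "{{ item.dest }}"

    - name: private keys | install with group read only when a group is set
      ansible.builtin.copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        owner: "{{ item.owner }}"
        group: "{{ item.group | default(item.owner) }}"
        mode: "{{ '0640' if item.group is defined else '0600' }}"
      loop: "{{ ssh_keys_private_keys }}"
      loop_control:
        label: "{{ item.dest }}"               # keep item details short in the log

    - name: private keys | read back the resulting modes
      ansible.builtin.stat:
        path: "{{ item.dest }}"
      loop: "{{ ssh_keys_private_keys }}"
      loop_control:
        label: "{{ item.dest }}"
      register: key_stat

    - name: private keys | fail if any key is readable by others or mis-owned
      ansible.builtin.assert:
        that:
          - item.stat.exists
          - item.stat.mode in ['0600', '0640']
          - item.stat.pw_name == item.item.owner
        fail_msg: "{{ item.item.dest }} has mode {{ item.stat.mode }}, owner {{ item.stat.pw_name }}"
      loop: "{{ key_stat.results }}"
      loop_control:
        label: "{{ item.item.dest }}"
```

The assert task is the part worth keeping even if the mode logic moves into the role: it turns "the key is group-readable but nothing more" from an intention into a condition the play enforces on every run.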
Ansible displays deprecation warnings in some tasks:
TASK [tersmitten.ssh-keys : create ssh directory] ******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
TASK [tersmitten.ssh-keys : create ssh directory] ******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
TASK [tersmitten.ssh-keys : add private keys] **********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
TASK [tersmitten.ssh-keys : remove private keys] *******************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_private_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
TASK [tersmitten.ssh-keys : add public keys] ***********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
TASK [tersmitten.ssh-keys : remove public keys] ********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_public_keys}}').
This feature will be removed in a future release.
Deprecation warnings can be disabled by setting deprecation_warnings=False in
ansible.cfg.
TASK [tersmitten.ssh-keys : set up authorized_keys for users] ******************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your
playbooks so that the environment value uses the full variable syntax
('{{ssh_keys_authorized_keys}}').
This feature will be removed in a future
release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
When defining multiple users and authorized keys, the keys end up in /root/.ssh/authorized_keys and not in ~/.ssh/authorized_keys
Keys are added to the corresponding authorized_keys file (in the user's home dir)
Keys end up in root's authorized_keys file and the file is not owned by root but by the last owner of the key
Role version: oefenweb.ssh_keys, v3.0.1
Ansible version: ansible 2.9.6
site.yml
---
- hosts: all
  roles:
    - role: oefenweb.user
    - role: oefenweb.ssh_keys
group_vars/all.yml
---
# User declarations (oefenweb.user)
user_users:
  # ansible for automation
  - name: ansible
    comment: Ansible automation user
    password: xxx
    update_password: always
    append: true
    groups:
      - sudo
      - adm
  - name: user1
    comment: user1
    password: xxxx
    append: true
    groups:
      - sudo
      - adm
    update_password: on_create
  - name: user2
    comment: user2
    password: xxxx
    append: true
    groups:
      - sudo
      - adm
    update_password: on_create
# authorized keys (oefenweb.ssh_keys)
ssh_keys_authorized_keys:
  - owner: ansible
    src: files/keys/ansible-id_rsa.pub
  - owner: user1
    src: files/keys/user1-id_rsa.pub
  - owner: user2
    src: files/keys/user2-id_ecdsa.pub
root@WEB-TEST2:~# ls -la /root/.ssh/authorized_keys
-rw------- 1 user2 user2 2776 Jul 5 10:32 /root/.ssh/authorized_keys
root@WEB-TEST2:~# wc -l /root/.ssh/authorized_keys
3 /root/.ssh/authorized_keys
root@WEB-TEST2:~# ls -l /home/ansible/.ssh/
total 0
TASK [oefenweb.ssh_keys : authorized-keys | set up for users] *****************************************************************************************************************************************************
task path: /home/zeridon/.ansible/roles/oefenweb.ssh_keys/tasks/authorized-keys.yml:3
ok: [test-web-2] => (item={'owner': 'ansible', 'src': 'files/keys/ansible-id_rsa.pub'}) => {
    "ansible_loop_var": "item",
    "changed": false,
    "comment": null,
    "exclusive": false,
    "follow": false,
    "gid": 1007,
    "group": "user2",
    "invocation": {
        "module_args": {
            "comment": null,
            "exclusive": false,
            "follow": false,
            "key": "ssh-rsa XXXX REDACTED XXXX",
            "key_options": null,
            "keyfile": "/root/.ssh/authorized_keys",
            "manage_dir": true,
            "path": "/root/.ssh/authorized_keys",
            "state": "present",
            "user": "ansible",
            "validate_certs": true
        }
    },
    "item": {
        "owner": "ansible",
        "src": "files/keys/ansible-id_rsa.pub"
    },
    "key": "ssh-rsa XXXX REDACTED XXXX",
    "key_options": null,
    "keyfile": "/root/.ssh/authorized_keys",
    "manage_dir": true,
    "mode": "0600",
    "owner": "user2",
    "path": "/root/.ssh/authorized_keys",
    "size": 2776,
    "state": "file",
    "uid": 1007,
    "user": "ansible",
    "validate_certs": true
}
Is there any way this can generate a key pair instead of putting private keys in the playbook?
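One way to get what this issue asks for, as an added example rather than the role's own implementation: generate the pair on the managed host with community.crypto.openssh_keypair, so the private key never exists on the controller or in the repository, and fetch back only the public half. The variable name ssh_keys_generate_keys and its path/owner item keys are taken from a later issue on this page; everything else (key type, comment, fetch destination) is this example's own choice.

```yaml
---
# Added example, not part of the oefenweb.ssh_keys role.
# Requires the community.crypto collection on the controller.
- hosts: all
  become: true
  vars:
    ssh_keys_generate_keys:                  # variable name and item keys as used in a later issue
      - path: /home/deploy/.ssh/id_ed25519
        owner: deploy
  tasks:
    - name: generate keys | ensure ~/.ssh exists with owner-only access
      ansible.builtin.file:
        path: "{{ item.path | dirname }}"
        state: directory
        owner: "{{ item.owner }}"
        group: "{{ item.owner }}"
        mode: "0700"
      loop: "{{ ssh_keys_generate_keys }}"

    - name: generate keys | create the pair on the host, never overwriting an existing one
      community.crypto.openssh_keypair:
        path: "{{ item.path }}"
        type: ed25519
        comment: "{{ item.owner }}@{{ inventory_hostname }}"
        owner: "{{ item.owner }}"
        group: "{{ item.owner }}"
        mode: "0600"
        regenerate: never
      loop: "{{ ssh_keys_generate_keys }}"
      loop_control:
        label: "{{ item.path }}"
      register: generated_keys

    - name: generate keys | log only the public keys
      ansible.builtin.debug:
        msg: "{{ item.public_key }}"
      loop: "{{ generated_keys.results }}"
      loop_control:
        label: "{{ item.item.path }}"

    - name: generate keys | collect the public halves on the controller
      ansible.builtin.fetch:
        src: "{{ item.path }}.pub"
        dest: "fetched-keys/{{ inventory_hostname }}/"
        flat: true
      loop: "{{ ssh_keys_generate_keys }}"
```

With regenerate set to never the task is idempotent and a key that already exists is left alone, so a re-run cannot silently rotate a key that other systems already trust; the fetched .pub files are what you then distribute via ssh_keys_authorized_keys.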
I get a warning from the use of 'include', which can apparently be replaced by 'import_tasks' or 'include_tasks'.
[DEPRECATION WARNING]: The use of 'include' for tasks has been deprecated. Use 'import_tasks' for static inclusions or 'include_tasks' for dynamic inclusions. This feature will be removed in a future
release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: include is kept for backwards compatibility but usage is discouraged. The module documentation details page may explain more about this rationale.. This feature will be removed in
a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
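Both deprecation reports on this page (the bare-variable warnings listed under the "create ssh directory", "add/remove private keys", "add/remove public keys" and "set up authorized_keys" tasks, and the 'include' warning just above) are fixed by the same two syntax changes. The bare-variable warning is raised by loops written as with_items: ssh_keys_private_keys; the 'include' warning by include: in tasks/main.yml. The fragments below are an added example of the modernised forms, not the role's actual task files: tasks/authorized-keys.yml is a file name seen on this page, the other file names and the item keys path, owner, src and state are assumed.

```yaml
# Added example, not the role's own task files.
# tasks/main.yml: 'include' replaced by import_tasks (static) and, where a
# runtime decision is wanted, include_tasks (dynamic).
---
- ansible.builtin.import_tasks: private-keys.yml      # assumed file name
- ansible.builtin.import_tasks: public-keys.yml       # assumed file name
- ansible.builtin.include_tasks: authorized-keys.yml  # file named in the issue above
  when: ssh_keys_authorized_keys | default([]) | length > 0

# tasks/private-keys.yml: bare variables replaced by full Jinja syntax.
---
- name: private keys | create ssh directory
  ansible.builtin.file:
    path: "{{ item.path | dirname }}"
    state: directory
    owner: "{{ item.owner }}"
    group: "{{ item.owner }}"
    mode: "0700"
  # deprecated form: with_items: ssh_keys_private_keys
  loop: "{{ ssh_keys_private_keys }}"
  loop_control:
    label: "{{ item.path }}"

- name: private keys | add
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: "{{ item.path }}"
    owner: "{{ item.owner }}"
    group: "{{ item.owner }}"
    mode: "0600"
  loop: "{{ ssh_keys_private_keys }}"
  loop_control:
    label: "{{ item.path }}"
  when: item.state | default('present') == 'present'

- name: private keys | remove
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: absent
  loop: "{{ ssh_keys_private_keys }}"
  loop_control:
    label: "{{ item.path }}"
  when: item.state | default('present') == 'absent'
```

The loop_control label is not cosmetic here: without it every loop iteration prints the full item, and an item that carries key material (for example a content field instead of src) would end up in the play output and any log shipping it.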
Role fails when no authorized_keys specified for a user. Error: could not find 'authorized_keys' key in iterated item
output:
failed: [IP] (item={'path': '/home/deploy/.ssh/id_rsa', 'owner': 'deploy'}) => {"ansible_loop_var": "item", "changed": false, "item": {"owner": "deploy", "path": "/home/deploy/.ssh/id_rsa"}, "module_stderr": "sudo: a password is required\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
config:
# ssh-keys
ssh_keys_generate_keys:
  - path: /home/deploy/.ssh/id_rsa
    owner: deploy
ssh_keys_known_hosts:
  - hostname: github.com
    enctype: ssh-rsa
    fingerprint: 'AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=='
There's already a username, so I don't want to also specify a home directory.
You can obtain a user's home directory using getent passwd root | awk -F: '{print $6}', but I couldn't figure out how to combine that data with ssh_keys_users.{n}.