Ansible ssh keygen

Ansible SSH Setup Playbook
Tuesday, January 14, 2014 - 23:15

It is best practice to use Ansible with SSH keys in order to create the SSH connections to the servers. This does require a little bit of extra setup beforehand to ensure that the server can be reached by Ansible via SSH keys alone. As I have been doing this quite a lot recently I decided to package the setup steps into an Ansible playbook.

When you first set up a Linux server you are usually given root access, and it is up to you to configure it after the fact so that it has an administrator user with the correct access. Using this root user we will have Ansible log into the host, create a new user, set up SSH key access and then alter the sudoers file so that the new user can perform Ansible tasks.

Assuming that the host we want to configure has an IP address of 10.0.0.1, we can create an inventory file that looks like the following. As we don't have SSH key access we need to tell Ansible to use an alternative method. The ansible_ssh_user parameter tells Ansible which user to log in as, and ansible_ssh_pass tells Ansible what that user's password is.

Those of you who know something about Ansible might wonder why you would pass the password to Ansible using the ansible_ssh_pass parameter and not the --ask-pass flag on the command line. The reason is that --ask-pass only takes in a single password and passes it to all hosts. This is fine if every host in your inventory file has the same root password, but I'm guessing that this is probably not the case. The idea here is that you can spend some time setting up your virtual machines and then plug them into this setup playbook to get them to a minimal level for Ansible provisioning. Once done you can continue on to your other playbooks to provision the Ansible hosts accordingly.

In order to use the ansible_ssh_pass parameter you first need to install the sshpass program. This allows you to send passwords to SSH commands, and Ansible uses it to send passwords over its own connections. If you are on Ubuntu you can install sshpass like this: sudo apt-get install sshpass.

If you try to connect with Ansible now you might get an authentication failed message, even if the password is correct. This is because your local SSH client is trying to ask whether you want to store the host key of the host you are connecting to, which gets in the way of Ansible trying to connect. To disable the host key check you need to create an Ansible configuration file in the same folder as your inventory file and add the following. This file is automatically picked up by Ansible and is used to set certain Ansible configuration options. In this case we are turning off host key checking, allowing Ansible to connect to the host without asking whether it should add the host key to the list of known hosts. Bear in mind that this also removes the protection host key checking gives you against a man-in-the-middle on that first connection, so keep the setting to the bootstrap stage, or pre-populate known_hosts with host keys obtained out of band.

Before setting up the playbook you first need to create an SSH key that will be used to set up the connection. This can be done with the ssh-keygen command in the usual manner. Once created, place the key into the same directory as the Ansible project. Just remember not to commit the private key into any source control system, especially a public repository.

After this you are ready to create a setup playbook that will put the SSH key on the server. This playbook will run using the connection details in the inventory file created above, and will run through the following actions.

1. Create a user on the remote host. The name of this user is defined at the top of the playbook as a variable.

2. Set the password for the user created. This is mainly so that this user has a full presence on the server and can also be used to test commands on the server before porting them back into Ansible playbooks. Again, the password is set using a variable at the top of the playbook.

3. Use the authorized_key Ansible module to copy the public SSH key (kept in the same folder as the Ansible project) and place it in the new user's authorized keys file on the server. After this step it is possible to connect to the server using the SSH key alone.

4. There is still one step left to do. The final step is to allow the 'ansibleremote' user to perform 'sudo' actions on the remote host without needing to enter a password. We do this by adding a line to the /etc/sudoers file.

Here is the setup playbook in full.

Submitted by Dave (not verified) on Mon, 08/18/2014 - 03:49

Thanks, this is useful. ansible has a module for setting up users: That will resolve some or all of the linux flavor issues you're having doing this by hand. Also, you wouldn't want to check this playbook into version control with passwords specified. Among other solutions, you could prompt the user for the password when the playbook runs using vars_prompt.

Submitted by Goll (not verified) on Thu, 04/02/2015 - 20:40

I did this on my laptop running Fedora 21 and applied this playbook on a CentOS 6 machine. I didn't need this 'sshpass' tool. Maybe it's just for OS X and Ubuntu machines, as that is what I've tried this on.

Submitted by tom (not verified) on Thu, 01/07/2016 - 09:24

Hi Philip, I am having this error:
fatal: [192.168.1.10] = Missing become password
FATAL: all hosts have already failed -- aborting
What to do?

Looks like you aren't supplying the sudo password. 'become' is the new 'sudo' feature in Ansible that elevates your user permissions, so maybe it isn't getting the right variables.

authorized_key: use manage_dir=yes instead of manage_dir=no. If set, the module will create the directory, as well as set the owner and permissions of an existing directory. With strict sshd servers ansibleremote can't log in passwordless because the keys aren't accepted.
sshd debug3: secure_filename: checking
Authentication refused: bad ownership or modes for directory
debug1: restore_uid: 0/0
Failed publickey for ansibleremote from
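The post's four steps, folded together with the fixes raised in the comments (the user module instead of shell commands, vars_prompt instead of a password in the file, manage_dir so sshd accepts the key, and no become so the bootstrap run cannot hit "Missing become password"), as an added example that is not the original post's playbook. It assumes the inventory logs in as root with ansible_ssh_user/ansible_ssh_pass as described above, that the key was generated with ssh-keygen into the project directory under the assumed name ansibleremote (private) and ansibleremote.pub (public), and that the playbook is saved as setup.yml; the user name ansibleremote is the post's. It appends to /etc/sudoers as the post does, but runs visudo over the result so a bad line cannot lock sudo out.

```yaml
# setup.yml  (added example; not the original post's playbook)
#
# Run with:   ansible-playbook -i inventory setup.yml
#
# The inventory holds the root login for each host, e.g.
#   10.0.0.1 ansible_ssh_user=root ansible_ssh_pass=<root password>
# (newer Ansible spells these ansible_user / ansible_password).
# The ansible.cfg beside it, as in the post, contains only:
#   [defaults]
#   host_key_checking = False
---
- name: Bootstrap a host for key-based Ansible access
  hosts: all
  # No 'become' here: the inventory already logs in as root. Adding
  # become without a become password is what produces tom's error.
  vars:
    remote_user_name: ansibleremote
    # Assumption: the public half of the key lives next to the playbook
    # under this name; the file lookup reads it relative to playbook_dir.
    remote_pubkey: "{{ lookup('file', 'ansibleremote.pub') }}"

  vars_prompt:
    # Ask at run time instead of storing the password in the playbook,
    # so the file can be committed without secrets (Dave's suggestion).
    - name: remote_user_password
      prompt: "Password for the ansibleremote user"
      private: yes
      confirm: yes

  tasks:
    - name: Create the Ansible login user (step 1 and 2)
      user:
        name: "{{ remote_user_name }}"
        shell: /bin/bash
        # The user module expects an already-hashed password.
        # password_hash needs passlib on the control node with recent Pythons.
        password: "{{ remote_user_password | password_hash('sha512') }}"
        update_password: on_create   # do not rotate it on every run
        state: present

    - name: Install the public key (step 3)
      authorized_key:
        user: "{{ remote_user_name }}"
        key: "{{ remote_pubkey }}"
        # manage_dir creates ~/.ssh as 0700 and authorized_keys as 0600
        # owned by the user; with manage_dir=no a strict sshd refuses the
        # key with "bad ownership or modes for directory", as in the
        # comment above.
        manage_dir: yes
        state: present

    - name: Allow passwordless sudo (step 4)
      lineinfile:
        path: /etc/sudoers
        regexp: "^{{ remote_user_name }} "
        line: "{{ remote_user_name }} ALL=(ALL) NOPASSWD: ALL"
        # visudo checks the edited copy before it replaces /etc/sudoers;
        # a syntax error aborts the task instead of breaking sudo.
        validate: /usr/sbin/visudo -cf %s
```

To confirm the result, run ansible -i inventory all -m ping -u ansibleremote --private-key ansibleremote -b from the project directory: a successful ping with -b shows that both the key login and the passwordless sudo work. After that, switch the inventory to ansible_ssh_user=ansibleremote, drop ansible_ssh_pass, and remove the host_key_checking line from ansible.cfg so later runs verify host keys again. If you would rather not edit /etc/sudoers directly, the same line can go into a 0440 file under /etc/sudoers.d with the same validate option.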
