In order for a user to SSH to a remote node, some form of authentication is normally required: user credentials, SSH keys, etc. However, Linux also allows password-less authentication once a remote node is trusted, by listing that node's public key in the user's authorized_keys file.
The traditional (manual) method of password-less SSH is described here:
This can be automated with Ansible. In the example below there are three nodes involved:
- centos9vm (192.168.48.128): The Ansible server
- centosMYOBvm (192.168.48.129): The managed node to which a user from the third node needs to connect
- centos9test1 (192.168.48.132): The third node, from which the user needs to access the managed node via SSH without a password
Let us generate an SSH key pair on centos9test1:
[root@centos9test1 ~]# ssh-keygen
====== ===
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:FF5ZmUOAI20Vrn5SIV/1135yB5gGuSBgolAlKajWL9s root@centos9test1
The key's randomart image is:
+---[RSA 3072]----+
|o.+o+. ..o*Boo. |
|+..+ o.*+o.++ ..|
|o.. ++oo.=.. +|
|.. . . +.+ o.|
|. . S o . =|
| . . . . oo|
| + o . |
| . E o |
| |
+----[SHA256]-----+
===== ==
Find the public key generated by the user root:
[root@centos9test1 ~]# cat .ssh/id_rsa.pub
====== ===
ssh-rsa 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 root@centos9test1
==== ===
Let us copy the above public key of centos9test1 to a folder (pubkeys/) on the Ansible server:
[root@centos9vm ~]# cat pubkeys/ssh_public_key
==== ===
ssh-rsa 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 root@centos9test1
==== ===
Let us create a playbook and execute it. The playbook uses the ansible.posix.authorized_key module, reading the key from the file copied above:
[root@centos9vm ~]# cat authorized_keys.yml
==== ==
---
- name: Playbook to add ssh key to authorized_keys file
  hosts: 192.168.48.129
  tasks:
    - name: Task to add ssh key to authorized_keys file
      ansible.posix.authorized_key:
        user: shiju
        state: present
        key: "{{ lookup('ansible.builtin.file', 'pubkeys/ssh_public_key') }}"
==== ===
[root@centos9vm ~]# ansible-navigator run -m stdout authorized_keys.yml
==== ===
PLAY [Playbook to add ssh key to authorized_keys file] *************************
TASK [Gathering Facts] *********************************************************
ok: [192.168.48.129]
TASK [Task to add ssh key to authorized_keys file] *****************************
changed: [192.168.48.129]
PLAY RECAP *********************************************************************
192.168.48.129 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
==== ===
Now let us go to centos9test1 (192.168.48.132) and check whether we can SSH to 192.168.48.129 as shiju without being prompted for a password:
[root@centos9test1 ~]# ssh shiju@192.168.48.129
==== ===
Last login: Thu May 2 15:42:36 2024 from 192.168.48.132
[shiju@centosMYOBvm ~]$
===== ==
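The playbook above installs whatever is in pubkeys/ssh_public_key with no restrictions. The following playbook is an added example, not code from the original post: it prints the fingerprint of the key on the Ansible server so it can be compared with the ssh-keygen output on centos9test1, refuses to run unless the file holds exactly one supported key, installs the key so that it is only usable from 192.168.48.132 and without agent, port or X11 forwarding, and then reads back the permissions of the installed file. It assumes ssh-keygen is installed on the Ansible server, that the ansible.posix collection is available (the original playbook already uses it), and that shiju's home directory is /home/shiju; the variable names pubkey_file, source_host and target_user are the example's own.

```yaml
---
- name: Install a vetted public key for shiju, restricted to the source host
  hosts: 192.168.48.129
  vars:
    pubkey_file: pubkeys/ssh_public_key   # path on the Ansible server (same file as in the post)
    source_host: 192.168.48.132           # centos9test1, the only host allowed to use this key
    target_user: shiju
  tasks:
    - name: Compute the fingerprint of the key about to be installed (runs on the Ansible server)
      ansible.builtin.command:
        argv: [ssh-keygen, -l, -E, sha256, -f, "{{ pubkey_file }}"]
      delegate_to: localhost
      run_once: true
      changed_when: false
      register: key_fp

    - name: Show the fingerprint so it can be compared with the ssh-keygen output on centos9test1
      ansible.builtin.debug:
        var: key_fp.stdout

    - name: Refuse to continue unless the file holds exactly one ssh-rsa or ssh-ed25519 key
      ansible.builtin.assert:
        that:
          - lookup('ansible.builtin.file', pubkey_file).splitlines() | length == 1
          - lookup('ansible.builtin.file', pubkey_file) is match('^(ssh-rsa|ssh-ed25519) ')
        fail_msg: "{{ pubkey_file }} does not contain a single supported public key"

    - name: Install the key, usable only from the source host and without forwarding
      ansible.posix.authorized_key:
        user: "{{ target_user }}"
        state: present
        key: "{{ lookup('ansible.builtin.file', pubkey_file) }}"
        key_options: 'from="{{ source_host }}",no-agent-forwarding,no-port-forwarding,no-X11-forwarding'
        manage_dir: true

    - name: Read back the installed file's ownership and permissions
      ansible.builtin.stat:
        path: "/home/{{ target_user }}/.ssh/authorized_keys"   # assumes the default home directory layout
      register: ak

    - name: Fail if the file is not owned by the user or is accessible to anyone else
      ansible.builtin.assert:
        that:
          - ak.stat.exists
          - ak.stat.pw_name == target_user
          - ak.stat.mode == '0600'
        fail_msg: "authorized_keys for {{ target_user }} has unexpected owner or mode"
```

Run it the same way as the original (ansible-navigator run -m stdout <file>.yml). The from= option means that the key in the authorized_keys file is only accepted when the connection originates from 192.168.48.132, so a copy of the private key used from any other host is rejected by sshd, and the forwarding restrictions keep the key limited to a plain login; if the key is later rotated, rerunning the playbook with the new file is idempotent because authorized_key matches on the key material.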