Ansible: The Authorized Key Module

Ansible_Logo

In order for a user to ssh to a remote node, usually some form of authentication such as user credentials, SSH keys, etc are required. However Linux provides provision for password-less authentication too once a remote node is seen as trusted, by having its footprints in the Authorized Hosts file.

Traditional method of password-less SSH is available here:

This can be automated with the help of Ansible. In the below example there are three nodes involved:

  • centos9vm (192.168.48.128) : The ansible server
  • centosMYOBvm (192.168.48.129): The managed node to which a user from 3rd node needs to connect
  • centos9test1 (192.168.48.132): The third node from which the user needs to access the managed nodes via SSH without password

Let us generate an SSH key pair in centos9test1

[root@centos9test1 ~]# ssh-keygen

====== ===
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:FF5ZmUOAI20Vrn5SIV/1135yB5gGuSBgolAlKajWL9s root@centos9test1
The key’s randomart image is:
+—[RSA 3072]—-+
|o.+o+. ..o*Boo. |
|+..+ o.*+o.++ ..|
|o.. ++oo.=.. +|
|.. . . +.+ o.|
|. . S o . =|
| . . . . oo|
| + o . |
| . E o |
| |
+—-[SHA256]—–+

===== ==

Find the public key generated by the user root:

[root@centos9test1 ~]# cat .ssh/id_rsa.pub

====== ===
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyXyorAlyk7HlHBAGoHpWAnouzWJv6WNOHIWL0bKuIb57cz1Hj63h9aBr61co/4009InESRLByW+LU6ON8pjoxYeJ0FyvojDAgx3WZzs+7eIna/3Avzp6tfVOKcZebiUoqWW5oDZgXLC6ICKbuxuOLEKXYp5/i3oYCBgpyYVhiqeohBQIMKggRuHIl/ARfr9pvbSJacqhqrB7Jfhf3VvuUGMfPglV/+c0Io1vDerfOqtMqZxjwRAkOc0sMsdRqLfIdU7uGq4EC2tvKeo+oWxbTFxwzGRWrW27zhUyT9jYslge9wHoKrPa17dxEUEGjYLosdjQI/trcCIzGgFUmWlHb2DMGPN69HYTsoHymzz6wN+5lEQ8Y3KFL2I38TM16dRdzQhReZ15uhl3j4Yz/Y5MWlDHGxDpDj/ABkbvtAnJIgiZPLLxThzoroxqn8Ayt7WZENEt3tqs+i+1xZelA7EHYJ5Y5xzrJnWLL82GBXhvIbPYX3Z3QfqpE+l1dkPocDDU= root@centos9test1

==== ===

Let us copy the above public key of centos9test1 to a folder in the ansible server

[root@centos9vm ~]# cat pubkeys/ssh_public_key

==== ===
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyXyorAlyk7HlHBAGoHpWAnouzWJv6WNOHIWL0bKuIb57cz1Hj63h9aBr61co/4009InESRLByW+LU6ON8pjoxYeJ0FyvojDAgx3WZzs+7eIna/3Avzp6tfVOKcZebiUoqWW5oDZgXLC6ICKbuxuOLEKXYp5/i3oYCBgpyYVhiqeohBQIMKggRuHIl/ARfr9pvbSJacqhqrB7Jfhf3VvuUGMfPglV/+c0Io1vDerfOqtMqZxjwRAkOc0sMsdRqLfIdU7uGq4EC2tvKeo+oWxbTFxwzGRWrW27zhUyT9jYslge9wHoKrPa17dxEUEGjYLosdjQI/trcCIzGgFUmWlHb2DMGPN69HYTsoHymzz6wN+5lEQ8Y3KFL2I38TM16dRdzQhReZ15uhl3j4Yz/Y5MWlDHGxDpDj/ABkbvtAnJIgiZPLLxThzoroxqn8Ayt7WZENEt3tqs+i+1xZelA7EHYJ5Y5xzrJnWLL82GBXhvIbPYX3Z3QfqpE+l1dkPocDDU= root@centos9test1

==== ===

Let us create a playbook and execute it.

[root@centos9vm ~]# cat authorized_keys.yml

==== ==
– – –
– name: Playbook to add ssh key to authorized_keys file
    hosts: 192.168.48.129
    tasks:
        – name: Task to add ssh key to authorized_keys file
            ansible.posix.authorized_key:
                user: shiju
                state: present
                key: “{{ lookup(‘ansible.builtin.file’, ‘pubkeys/ssh_public_key’) }}”

==== ===

[root@centos9vm ~]# ansible-navigator run -m stdout authorized_keys.yml

==== ===

PLAY [Playbook to add ssh key to authorized_keys file] *************************

TASK [Gathering Facts] *********************************************************

ok: [192.168.48.129]

TASK [Task to add ssh key to authorized_keys file] *****************************
changed: [192.168.48.129]

PLAY RECAP *********************************************************************
192.168.48.129 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

==== ===

Now let us go to centos9test1 (192.168.48.132) and see if we can ssh to 192.168.48.129 as shiju without getting prompted to enter the password.

[root@centos9test1 ~]# ssh shiju@192.168.48.129

==== ===
Last login: Thu May 2 15:42:36 2024 from 192.168.48.132
[shiju@centosMYOBvm ~]$

===== ==