{"id":1322,"date":"2024-05-02T10:15:46","date_gmt":"2024-05-02T10:15:46","guid":{"rendered":"http:\/\/shijuvarghese.com\/?p=1322"},"modified":"2024-05-26T10:19:46","modified_gmt":"2024-05-26T10:19:46","slug":"ansible-the-authorized-key-module","status":"publish","type":"post","link":"http:\/\/shijuvarghese.com\/?p=1322","title":{"rendered":"Ansible: The Authorized Key Module"},"content":{"rendered":"<p>For a user to SSH to a remote node, some form of authentication, such as user credentials or SSH keys, is usually required. However, Linux also allows password-less authentication once a remote node is trusted, by placing that node's public key in the user's authorized keys file.<\/p>\n<p>The traditional method of password-less SSH is described here:<\/p>\n<ul>\n<li><a href=\"http:\/\/shijuvarghese.com\/?p=505\" target=\"_blank\">SSH password-less authentication<\/a><\/li>\n<\/ul>\n<p>This can be automated with Ansible. The example below involves three nodes:<\/p>\n<ul>\n<li><strong>centos9vm (192.168.48.128):<\/strong> The Ansible server<\/li>\n<li><strong>centosMYOBvm (192.168.48.129):<\/strong> The managed node to which a user from the third node needs to connect<\/li>\n<li><strong>centos9test1 (192.168.48.132):<\/strong> The third node, from which the user needs to access the managed node via SSH without a password<\/li>\n<\/ul>\n<p>Let us generate an SSH key pair on <strong>centos9test1<\/strong>:<\/p>\n<p><strong>[root@centos9test1 ~]#<\/strong> ssh-keygen<\/p>\n<p>====== ===<br \/>\n<em>Generating public\/private rsa key pair.<\/em><br \/>\n<em>Enter file in which to save the key (\/root\/.ssh\/id_rsa):<\/em><br \/>\n<em>Enter passphrase (empty for no passphrase):<\/em><br \/>\n<em>Enter same passphrase again:<\/em><br \/>\n<em>Your identification has been saved in \/root\/.ssh\/id_rsa<\/em><br \/>\n<em>Your public key has been saved in \/root\/.ssh\/id_rsa.pub<\/em><br \/>\n<em>The key fingerprint is:<\/em><br 
\/>\n<em>SHA256:FF5ZmUOAI20Vrn5SIV\/1135yB5gGuSBgolAlKajWL9s root@centos9test1<\/em><br \/>\n<em>The key&#8217;s randomart image is:<\/em><br \/>\n<em>+&#8212;[RSA 3072]&#8212;-+<\/em><br \/>\n<em>|o.+o+. ..o*Boo. |<\/em><br \/>\n<em>|+..+ o.*+o.++ ..|<\/em><br \/>\n<em>|o.. ++oo.=.. +|<\/em><br \/>\n<em>|.. . . +.+ o.|<\/em><br \/>\n<em>|. . S o . =|<\/em><br \/>\n<em>| . . . . oo|<\/em><br \/>\n<em>| + o . |<\/em><br \/>\n<em>| . E o |<\/em><br \/>\n<em>| |<\/em><br \/>\n<em>+&#8212;-[SHA256]&#8212;&#8211;+<\/em><\/p>\n<p>===== ==<\/p>\n<p>Find the public key generated by the user root:<\/p>\n<p><strong>[root@centos9test1 ~]#<\/strong> cat .ssh\/id_rsa.pub<\/p>\n<p>====== ===<br \/>\n<em>ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyXyorAlyk7HlHBAGoHpWAnouzWJv6WNOHIWL0bKuIb57cz1Hj63h9aBr61co\/4009InESRLByW+LU6ON8pjoxYeJ0FyvojDAgx3WZzs+7eIna\/3Avzp6tfVOKcZebiUoqWW5oDZgXLC6ICKbuxuOLEKXYp5\/i3oYCBgpyYVhiqeohBQIMKggRuHIl\/ARfr9pvbSJacqhqrB7Jfhf3VvuUGMfPglV\/+c0Io1vDerfOqtMqZxjwRAkOc0sMsdRqLfIdU7uGq4EC2tvKeo+oWxbTFxwzGRWrW27zhUyT9jYslge9wHoKrPa17dxEUEGjYLosdjQI\/trcCIzGgFUmWlHb2DMGPN69HYTsoHymzz6wN+5lEQ8Y3KFL2I38TM16dRdzQhReZ15uhl3j4Yz\/Y5MWlDHGxDpDj\/ABkbvtAnJIgiZPLLxThzoroxqn8Ayt7WZENEt3tqs+i+1xZelA7EHYJ5Y5xzrJnWLL82GBXhvIbPYX3Z3QfqpE+l1dkPocDDU= root@centos9test1<\/em><\/p>\n<p>==== ===<\/p>\n<p>Let us copy the above public key of <strong>centos9test1\u00a0<\/strong>to a folder in the ansible server<\/p>\n<p><strong>[root@centos9vm ~]#<\/strong> cat pubkeys\/ssh_public_key<\/p>\n<p>==== ===<br \/>\n<em>ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQCyXyorAlyk7HlHBAGoHpWAnouzWJv6WNOHIWL0bKuIb57cz1Hj63h9aBr61co\/4009InESRLByW+LU6ON8pjoxYeJ0FyvojDAgx3WZzs+7eIna\/3Avzp6tfVOKcZebiUoqWW5oDZgXLC6ICKbuxuOLEKXYp5\/i3oYCBgpyYVhiqeohBQIMKggRuHIl\/ARfr9pvbSJacqhqrB7Jfhf3VvuUGMfPglV\/+c0Io1vDerfOqtMqZxjwRAkOc0sMsdRqLfIdU7uGq4EC2tvKeo+oWxbTFxwzGRWrW27zhUyT9jYslge9wHoKrPa17dxEUEGjYLosdjQI\/trcCIzGgFUmWlHb2DMGPN69HYTsoHymzz6wN+5lEQ8Y3KFL2I38TM16dRdzQhReZ15uhl3j4Yz\/Y5MWlDHGxDpDj\/ABkbvtAnJIgiZPLLxThzoroxqn8Ayt7WZENEt3tqs+i+1xZelA7EHYJ5Y5xzrJnWLL82GBXhvIbPYX3Z3QfqpE+l1dkPocDDU= root@centos9test1<\/em><\/p>\n<p>==== ===<\/p>\n<p>Let us create a playbook and execute it. The playbook uses the <strong>ansible.posix.authorized_key<\/strong> module to add the key for user <strong>shiju<\/strong> on the managed node, reading the public key from the file copied above with a file lookup:<\/p>\n<p><strong>[root@centos9vm ~]#<\/strong> cat authorized_keys.yml<\/p>\n<p>==== ==<br \/>\n<em>---<\/em><br \/>\n<em>- name: Playbook to add ssh key to authorized_keys file<\/em><br \/>\n<em>&nbsp; &nbsp; hosts: 192.168.48.129<\/em><br \/>\n<em>&nbsp; &nbsp; tasks:<\/em><br \/>\n<em>&nbsp; &nbsp; &nbsp; &nbsp; - name: Task to add ssh key to authorized_keys file<\/em><br \/>\n<em>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ansible.posix.authorized_key:<\/em><br \/>\n<em>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; user: shiju<\/em><br \/>\n<em>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; state: present<\/em><br \/>\n<em>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; key: \"{{ lookup('ansible.builtin.file', 'pubkeys\/ssh_public_key') }}\"<\/em><\/p>\n<p>==== ===<\/p>\n<p><strong>[root@centos9vm ~]#<\/strong> ansible-navigator run -m stdout authorized_keys.yml<\/p>\n<p>==== ===<\/p>\n<p><em>PLAY [Playbook to add ssh key to authorized_keys file] *************************<\/em><\/p>\n<p><em>TASK [Gathering Facts] *********************************************************<\/em><\/p>\n<p><em>ok: [192.168.48.129]<\/em><\/p>\n<p><em>TASK [Task to add ssh key to authorized_keys file] *****************************<\/em><br \/>\n<em>changed: 
[192.168.48.129]<\/em><\/p>\n<p><em>PLAY RECAP *********************************************************************<\/em><br \/>\n<em>192.168.48.129 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0<\/em><\/p>\n<p>==== ===<\/p>\n<p>Now let us go to <strong>centos9test1 (192.168.48.132)\u00a0<\/strong>and see if we can ssh to\u00a0<strong>192.168.48.129<\/strong> as\u00a0<strong>shiju<\/strong> without getting prompted to enter the password.<\/p>\n<p><strong>[root@centos9test1 ~]#<\/strong> ssh shiju@192.168.48.129<\/p>\n<p>==== ===<br \/>\n<em>Last login: Thu May 2 15:42:36 2024 from 192.168.48.132<\/em><br \/>\n<em>[shiju@centosMYOBvm ~]$<\/em><\/p>\n<p>===== ==<\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>In order for a user to ssh to a remote node, usually some form of authentication such as user credentials, SSH keys, etc are required. <a class=\"mh-excerpt-more\" href=\"http:\/\/shijuvarghese.com\/?p=1322\" title=\"Ansible: The Authorized Key 
Module\">[&#8230;]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,21,3],"tags":[],"class_list":["post-1322","post","type-post","status-publish","format-standard","hentry","category-ansible","category-devops","category-linux"],"_links":{"self":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/1322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1322"}],"version-history":[{"count":13,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/1322\/revisions"}],"predecessor-version":[{"id":1339,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=\/wp\/v2\/posts\/1322\/revisions\/1339"}],"wp:attachment":[{"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1322"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1322"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/shijuvarghese.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}