Ansible: Change SSH key - ssh

I have an inventory of multiple servers. SSH access to these servers is secured using PEM key files. I would like to periodically change the PEM key used by my servers. So, I would like to use Ansible to do the following:
Generate a new PEM key file
For each server in my inventory, connect to the server using old PEM key file
Install new PEM key file
Test to ensure SSH with new key works and old key does not work
What is the best way to do this via Ansible?

You should split this into three playbooks.
The first to generate a new PEM key. This will run locally. See: https://docs.ansible.com/ansible/playbooks_delegation.html#local-playbooks
The second one will do the rollout. So it copies the key to all servers. You can use authorized_key or copy depending on what your preferred workflow is. But that's another question.
The third step then would be a testing playbook, maybe with an assert statement or just using ping to ensure the connection works.
When you have all these playbooks, combine them in a single one with include, or add these three plays in one playbook in the right order. See: https://docs.ansible.com/ansible/playbooks_intro.html

Related

SSH suddenly asking for DSA

After allowing an application to install ssh keys on my local machine, I can no longer connect to my Digital Ocean shell. (The app is not related to DO; totally different.) I get a
Permission denied (public key)
error that, with -vvv, debugs to
Trying private key: /Users/macbook/.ssh/id_dsa
no such identity: path/.ssh/id_dsa: No such file or directory
My keys are rsa. I have no idea why the machine is asking for dsa.
My .ssh/config file (which I have never read until now) has only information about the application I allowed access. Maybe it was overwritten. If this is the case, could you tell me how to rewrite my .ssh/config file?
My keys on my cloud server (accessed through a DO gui shell) and on my machine still match up. The folder permissions are ok. I've been using this for months with no trouble until now.
Any suggestions?
Edit:
This was probably a result of the third party application overwriting my .ssh/config file. Because the writing of this file was always automated for me, I never took any notice of it. If you try:
regenerating new keys
appending the new public key to the authorized_keys file on your server on a new line
writing a new .ssh/config file as so:
Host 111.11.11.1
User bob
IdentityFile ~/.ssh/new_file.pem
then you might make it. Somehow now I can't get a passphrase to work on the new keys.

SSH to other servers in cluster

I had a user account set up by my colleague weeks ago to access our server (RHEL). Now I'm asked to copy my key so I can log in to other servers in the cluster.
My first approach was to copy my /home/user/.ssh folder from the (already set-up) server to the new one. This obviously fails; I found out with ls -a that in my .ssh directory there is only one file: known_hosts.
I'm a bit confused by my search results. Is it necessary to create a new private-public key pair (I don't have any log about creating one before for the first server, so it was probably already set up for me), or is it sufficient to copy files from the first server and set up owners and permissions?
What you're probably looking for is the file ~/.ssh/authorized_keys on the server. If you have your key set up, your public key should be stored there. If there is no such file, then you don't have your keys set up (do you have private key files on your desktop?).
Please note that usually ssh will require strict access permissions (rwx for user only) for your ~/.ssh directory and authorized_keys file.
Also, you can use as many or as few keys as you wish, depending on your security needs. So using a single key pair for multiple servers is possible.

Verifying SSH host key in Tectia and WinSCP SFTP clients

I have two scripts to upload files into SFTP server:
sftp2 --identity-key-file=D:\test_ssh2 -B d:\test.txt testUser@xxx.xxx.xxx.xxx
open sftp://testUser@xxx.xxx.xxx.xxx -privatekey=D:\test.ppk -hostkey="ssh-rsa 1536 xxxxxxxxxxxxxxxxxxxxxxxxxxx"
Please help to explain:
What is the difference between the two scripts?
Why doesn't the first script need any host key, while the second one does?
Can I call SFTP with private key without using any hostkey?
What is the difference between the two scripts?
The first is a batch file using the Tectia sftp2.exe client.
The second is a WinSCP script file.
Why doesn't the first script need any host key, while the second one does?
Most SFTP/SSH clients will prompt you to verify the host key fingerprint on the first connection. If you verify the host key, it gets cached and you won't get prompted the next time.
Tectia sftp2.exe and WinSCP are no different.
If your Tectia sftp2.exe script works as it is, you must have verified the host key manually in this client before.
Your WinSCP script, on the other hand, contains an explicit fingerprint of the host key. So the script will work even if you have not verified the host key manually with WinSCP before running the script. This is the recommended use of WinSCP, as it makes your script portable (not dependent on a hidden cache of host keys). But if you prefer, you can verify the host key manually with WinSCP, the same way you have done with Tectia.
Can I call SFTP with private key without using any hostkey?
A private key has nothing to do with the host key. So this question makes little sense. See the WinSCP article on SSH key pairs to understand.
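The answer's point about portability, that a script should carry the expected host key rather than depend on a cache populated by an earlier interactive "yes", applies to OpenSSH-based SFTP scripts as well. Below is an added example of doing that with OpenSSH tools; it is not code from the original answer, from WinSCP or from Tectia. It assumes ssh-keyscan and ssh-keygen are available and that the expected fingerprint was obtained out of band (for instance from the server administrator); the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original answer): pin a server's SSH host key
# by fingerprint, the way WinSCP's -hostkey switch does, and produce a
# dedicated known_hosts file that a batch sftp job can be pointed at.
# Assumptions not in the post: OpenSSH ssh-keyscan/ssh-keygen are installed,
# the key type to pin is $KEY_TYPE, and the fingerprint came from a trusted
# out-of-band source.
# Usage: sh pin-host-key.sh sftp.example.test 'SHA256:<expected fingerprint>'

KEY_TYPE=${KEY_TYPE:-ed25519}

# SHA256 fingerprint of the first key in a public-key or known_hosts file.
# ssh-keygen -l prints "<bits> SHA256:<base64> <comment> (<TYPE>)"; keep field 2.
fingerprint_of_file() {
    ssh-keygen -l -E sha256 -f "$1" | awk 'NR == 1 {print $2}'
}

# Accept a fetched key only if it hashes to exactly the pinned fingerprint.
verify_key_file() {
    actual=$(fingerprint_of_file "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "host key mismatch: got $actual, expected $2" >&2
    return 1
}

# Fetch the server's host key without opening a session, verify it, and
# write it to a known_hosts file reserved for this job.
pin_host_key() {
    host=$1; expected=$2; out=${3:-./known_hosts.pinned}
    tmp=$(mktemp)
    ssh-keyscan -t "$KEY_TYPE" "$host" 2>/dev/null > "$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no $KEY_TYPE host key returned by $host" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_key_file "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
    chmod 644 "$out"
    echo "pinned $host -> $out"
}

# Typical follow-up: run the transfer against the pinned file only, with
# strict checking so an unexpected key aborts instead of prompting.
#   sftp -o UserKnownHostsFile=./known_hosts.pinned -o StrictHostKeyChecking=yes \
#        -i D:/test_ssh2 testUser@sftp.example.test

if [ "$#" -ge 2 ]; then
    pin_host_key "$@"
fi
```

The fingerprint is checked before anything is written, so an attacker who can answer ssh-keyscan on the network path gets nothing pinned; the comparison is against the whole fingerprint string, not a prefix.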

How to change EC2 Public Key?

I'm trying to change my EC2 public key for myself, the rest of my team who uses AWS, and also for running instances.
So the old key was (for example) 'my_key', and I made a new key called 'my_key2'.
I made the new key, saved the .pem file alongside the old one, so both 'my_key.pem' and 'my_key2.pem' are residing in my ~/.ssh folder.
Now, I'm trying to ssh into other instances to change their authorization_keys to share my public key, but when I try to ssh, I get
amy$ ssh ***-**-**-***-***.foo.com
Permission denied (publickey).
I tried taking the new 'my_key2' file out of the .ssh folder, and the same problem occurs. I didn't have this problem before I started mucking around. Any tips on getting ssh to recognize my old certificates so that I can get everyone going on the new keys?
You will need to stop the instance (if EBS-backed instance) in order to change the key pair to be used for the instance. If not an EBS-backed volume, you will just need to start another instance from your AMI with the new key pair.
If you are not able to easily restart the instance or create a new instance, there is this method which purports to be able to change public keys on a running instance, but I haven't tried it. Really the right way to do it is by stopping/starting or creating new instances.
http://seabourneinc.com/2011/01/19/change-key-pairs-on-aws-ec2-instance/
This solution works. I checked it.
In simple steps.
login to AWS console, create a new pem key, it will ask you to save it to local, save it.
run the following command.
ssh-keygen -y | tee my_key.pub
type the path to where you have saved the new pem key file along with the file name.
the above command will display the contents on the screen, copy it, and paste into the authorized_keys file of the EC2 instance, save and close.
now you can use the saved/downloaded new pem key file to access the EC2 instance.

SSH basics - do you use a new key for each server you're accessing?

I couldn't find any basic info for designers (on a mac) for how SSH keys work - so thought I'd ask them here.
If I want to connect my work workstation to:
Github
A DEV server
A LIVE server
Do I generate one ssh key on the workstation and add it to all those servers or do I generate multiple keys - one for each server?
Once I've generated a key (or keys), do I copy it into the id_rsa file in my user account on that server (I realize I may have to create the id_rsa file)?
And if I now want to access the same server but from my home laptop, do I add the laptop's ssh key to the same id_rsa file on the server or do I create a new file?
If I need to create a new file, does it matter what the file is called - laptop_rsa?
I basically want to disable root login on my servers but I don't really understand how SSH applies to multiple machines and multiple servers.
Any help or pointers in the right direction would be much appreciated.
Cheers
You only need one key for the local machine that you are connecting to all three servers.
For the DEV server and the LIVE server, you can add the contents of your id_rsa.pub file to the authorized_keys file on each of the target servers. This file will be in the ~/.ssh directory. You will need to create the file if it's not there (touch ~/.ssh/authorized_keys). Adding your public key to this file will let you log in with your passphrase rather than a password.
Place all authorized keys (i.e. your laptop's id_rsa.pub) in the same authorized_keys file on the target server.
Adding your keys to authorized_keys doesn't affect root login (that is a separate setting); however, it will prevent people from attempting to brute-force your password if you then turn off password login.
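Both this answer and the cluster answer above ("SSH to other servers in cluster") describe the same operation: put a public key line into ~/.ssh/authorized_keys on the target, create the file if it is missing, and keep the strict permissions sshd expects (with StrictModes, the default, sshd ignores an authorized_keys file or a ~/.ssh directory that others can write to). The function below is an added example covering both answers; it is not code from either post. The home directory and key line are whatever the caller passes, and the key in the usage comment is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example (not from the original answers): add a public key to a user's
# authorized_keys idempotently while enforcing the permissions sshd requires.
# Usage: install_pubkey /home/bob 'ssh-ed25519 AAAA...constructed... bob@laptop'

install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # ~/.ssh must be readable and writable only by its owner (700).
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Create the file if absent; 600 keeps other local users from reading
    # it or appending their own keys.
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Append only when this exact line is not already present, so running the
    # same step from several machines or scripts does not stack up duplicates.
    if ! grep -qxF -- "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi
}

# Number of key lines currently authorized; useful as a post-install check.
count_keys() {
    grep -c -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9@.-]+) ' \
        "$1/.ssh/authorized_keys"
}

# Report whether the directory and file carry the modes sshd's StrictModes wants.
permissions_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}
```

Adding a second machine's key (the laptop in the question) is just another install_pubkey call with that machine's public key; there is one authorized_keys file per account, not one per client.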