We Keep Coding

How to add an existing public key to authorized_keys file using Ansible and user module?

I'm programming a simple task with Ansible to create a user and add an existing RSA public key. This is the code I wrote:
- name: SYSTEM - Create test user
tags: system-user
user:
name: "{{ test_user }}"
state: present
createhome: yes
- name: SYSTEM - Add existing pub key for test user
tags: system-user
copy:
content: "{{ test_user_pubkey }}"
dest: "/tmp/test_user_id_rsa.pub"
force: no
owner: "{{ test_user }}"
group: "{{ test_user }}"
mode: 0600
- name: SYSTEM - Set authorized key for test_user took from file
tags: system-user
authorized_key:
user: "{{ test_user }}"
state: present
key: "{{ lookup('file', '/tmp/test_user_id_rsa.pub') }}"
The code I wrote is not elegant and I think that the best option will be to add the existing RSA public key with the user creation block in order to create and filled up the authorized_keys file.
I've read the Ansible user module but ssh_key_file method does not include the possibility to echo the value of an existing pub key to the authorized_keys file (the end purpose is to be able to remote connect with ssh using the user and the private key).
ssh_key_file = Optionally specify the SSH key filename. If this is a
relative filename then it will be relative to the user's home
directory.
Is it possible with Ansible to manage this process within the user module?

The answer to your problem is:
- name: SYSTEM - Create test user
tags: system-user
user:
name: "{{ test_user }}"
state: present
createhome: yes
- name: SYSTEM - Set authorized key for test_user took from file
tags: system-user
authorized_key:
user: "{{ test_user }}"
state: present
key: "{{ test_user_pubkey }}"
That's all that is needed.
Regarding your reading of the documentation, ssh_key_file pertains to generating an SSH key pair, which is not what you want.

So I've been lurking this thread trying to get this wrapped around my head.. And I ended up being able to make my way around this.
First things first, I tend to cram everything in dicts and then use | dict2items whenever I need to loop within jinja2.
My main problem is that once the user module generates the ssh_keys, there are no clean ways to use the authorized_key module with what you just made (or so I think? I am probably not the smartest guy in here) without bending Ansible in ways impossible (slurping? it is impossible to place another variable within a variable (from what I've tried)"{{ slurp_{{ item.key }} | b64decode }}" seem undoable)
So if you are using massive loops and unwilling to copy all keys to your localhost (which honestly is time consuming), I've found this sneaky trick that does not make reading your code an Olympian challenge :
- name: Prepare the SFTP user
user:
name: "{{ item.key }}"
groups: sftp_users
home: /home/{{ item.key }}
password: "{{ impossible_sftp_pass }}"
generate_ssh_key: yes
ssh_key_file: .ssh/id_rsa
shell: /bin/nologin
with_dict: "{{ instances }}"
- name: sneaky way to get the keys right
shell: cat /home/{{ item.key }}/.ssh/id_rsa.pub > /home/{{ item.key }}/.ssh/authorized_keys
args:
creates: /home/{{ item.key }}/.ssh/authorized_keys
with_dict: "{{ instances }}"
In this example, our goal is to setup an STFP bastion host that will finally rsync SFTP data repos to the appropriate web fronts that are within a private network.

ansible created password for a user does not work for ssh sessions

I know this question has been asked several times, however, i am still having the issue where Users created using ansible and password setup referenced to ansible doc article is not working for ssh sessions.
I understand the password has to be hashed rather than the plain text. i tried following however still can't ssh to remote host.
---
- hosts: all #modify your server list
remote_user: root
vars:
#created using the sha-512
password: $6$i77J0vHI5M$/cWpyM72mGY5h8V6PW1KTg3Tjh6VH5jtdBTm2nLwjxKzW/iR2zbzm2X.eUYT833xEDaco5NxZgY.obtDNhPNz0
tasks:
- include_vars: users.yml
- name: Creating users to Jump Server
user: name="{{ item.username}}" password= "{{ password }}" state=present
with_items: "{{ users }}"
- name: Placing SSH Key to Authorized Key
#please note that this code assumes as if the public-private key pair is generated, all public users (created above) have public keys copied at one place i.e. keyfiles directory for the ease
authorized_key: user="{{item.username}}" key="{{ lookup('file', './keyfiles/authorized_keys.{{ item.username}}.pub')}}"
with_items: "{{ users }}"
/etc/shadow looks like this on all hosts
root#serverX:/home# cat /etc/shadow | grep sam
sam::17393:0:99999:7:::
What am i doing wrong or missing? I Will appreciate if someone can put some light. Thanks a lot in advance.

You can also use your password variable directly instead of hash using the password_hash filter:
Your password variable:
password: "my_secure_password"
Then modified your user creation task:
- name: Creating users to Jump Server
user:
name: "{{ item.username}}"
password: "{{ password | password_hash('sha512') }}"
state: present
with_items: "{{ users }}"

I have figured out the way. there was a small syntax error. Tried the password variable as password={{ password }} instead of putting in quotation marks.
Now the /etc/shadow file had same hashed password generated as set in variable.
root#serverX:/home# cat /etc/shadow | grep sam
sam:$6$i77J0vHI5M$/cWpyM72mGY5h8V6PW1KTg3Tjh6VH5jtdBTm2nLwjxKzW/iR2zbzm2X.eUYT833xEDaco5NxZgY.obtDNhPNz0:17393:0:99999:7:::
Hopefully this will help someone else too.

vmware_vm_facts vCenter password validation failing

I am using Ansible and vCenter to provision a VM. When I run my playbook, I get an authentication error:
Cannot complete login due to an incorrect user name or password.
However, using the same credentials, I am able to log into vCenter manually.
Here is my simplified playbook:
---
- name: create a new VM on an ESX server
hosts: localhost
connection: local
tasks:
- name: include vars
include_vars:
dir: 'group_vars/prod'
files_matching: 'secret-esx.yml'
- name: gather facts from target host
local_action:
module: vmware_vm_facts
hostname: vi-devops-esx9.lab.vi.local
username: "{{ esx_username }}"
password: "{{ esx_password }}"
validate_certs: no
register: qe_facts
Why can I access vCenter, but vmware_vm_facts cannot with the same credentials?

My hostname was incorrect. Fixing my hostname fixed the authentication error.

Ansible Return Value - Need IP Adress

We are currently using Ansible in conjunction with OpenStack. I've written a playbook (to deploy new server via OpenStack) where i use the module os_server where i use auto_ip: yes, the new server will become an IP Address assigned from the OpenStack Server.
If I use the -vvvv output command, i get a long output where in the middle of that output an IP-Address is listed.
So, cause I am a lazy guy, I want to put just this IP Address in a variable and let me show this IP Address in an extra field.
It should look like this:
"........output stuf.....
................................
.............................
..............................
..............................."
"The IP Adress of the New server is ....."
Is there any possibility you know to put these IP Address Field in a variable or to filter that output to the IP Address?
If you need an screenshot to see what I mean, no problem just write it and I'll give it to you!

Ansible OpenStack module uses shade python package to create a server.
According to the shade source code, create_server method returns a dict representing the created server.
Try to register the result of os_server and debug it. The IP Address should be there.
Example :
- name: launch a compute instance
hosts: localhost
tasks:
- name: launch an instance
os_server:
state: present
...
auto_ip: yes
register: result
- debug: var=result
Also, you can have a look to this sample playbook which does exactly this.
Here's an excerpt:
- name: create cluster notebook VM
register: notebook_vm
os_server:
name: "{{ cluster_name }}-notebook"
flavor: "{{ notebook_flavor }}"
image: "CentOS-7.0"
key_name: "{{ ssh_key }}"
network: "{{ network_name }}"
security_groups:
- "{{ cluster_name }}-notebook"
auto_ip: yes
boot_from_volume: "{{ notebook_boot_from_volume }}"
terminate_volume: yes
volume_size: 25
- name: add notebook to inventory
add_host:
name: "{{ cluster_name }}-notebook"
groups: notebooks
ansible_ssh_host: "{{ notebook_vm.openstack.private_v4 }}"
ansible_ssh_user: cloud-user
public_ip: "{{ notebook_vm.openstack.public_v4 }}"
public_name: "{{ lookup('dig', notebook_vm.openstack.public_v4 + '/PTR', wantlist=True)[0] }}"
tags: ['vm_creation']

Ansible copy ssh key from one host to another

I have 2 app servers with a loadbalancer in front of them and 1 database server in my system. I'm provisioning them using Ansible. App servers has Nginx + Passenger and running for a Rails app. Will use capistrano for deployment but I have an issue about ssh keys. My git repo is in another server and I have to generate ssh public keys on appservers and add them to the Git server(To authorized_keys file). How can I do this in ansible playbook?
PS: I may have more than 2 app servers.

This does the trick for me, it collects the public ssh keys on the nodes and distributes it over all the nodes. This way they can communicate with each other.
- hosts: controllers
gather_facts: false
remote_user: root
tasks:
- name: fetch all public ssh keys
shell: cat ~/.ssh/id_rsa.pub
register: ssh_keys
tags:
- ssh
- name: check keys
debug: msg="{{ ssh_keys.stdout }}"
tags:
- ssh
- name: deploy keys on all servers
authorized_key: user=root key="{{ item[0] }}"
delegate_to: "{{ item[1] }}"
with_nested:
- "{{ ssh_keys.stdout }}"
- "{{groups['controllers']}}"
tags:
- ssh
Info: This is for the user root

Take a look to the authorized_key module for getting info on how to manage your public keys.
The most straightforward solution I can think of would be to generate a fresh key pair for your application, to be shared accross all your app instances. This may have security implications (you are indeed sharing keys between all instances!), but it'll simplify a lot the provisioning process.
You'll also require a deploy user on each app machine, to be used later on during deployment process. You'll need your public key (or jenkins one) on each deploy user's authorized_keys.
A sketch playbook:
---
- name: ensure app/deploy public key is present on git server
hosts: gitserver
tasks:
- name: ensure app public key
authorized_key:
user: "{{ git_user }}"
key: app_keys/id_dsa.pub
state: present
- name: provision app servers
hosts: appservers
tasks:
- name: ensure app/deploy user is present
user:
name: "{{ deploy_user }}"
state: present
- name: ensure you'll be able to deploy later on
authorized_key:
user: "{{ deploy_user }}"
key: "{{ path_to_your_public_key }}"
state: present
- name: ensure private key and public one are present
copy:
src: keys/myapp.private
dest: "/home/{{ deploy_user }}/.ssh/{{ item }}"
mode: 0600
with_items:
- app_keys/id_dsa.pub
- app_keys/id_dsa

I created a parameterized role to make sure ssh key pair is generated in a source user in a source remote host and its public key copied to a target user in a target remote host.
You can invoke that role in a nested loop of source and target host lists as shown at the bottom:
---
#****h* ansible/ansible_roles_ssh_authorize_user
# NAME
# ansible_roles_ssh_authorize_user - Authorizes user via ssh keys
#
# FUNCTION
#
# Copies user's SSH public key from a source user in a source host
# to a target user in a target host
#
# INPUTS
#
# * ssh_authorize_user_source_user
# * ssh_authorize_user_source_host
# * ssh_authorize_user_target_user
# * ssh_authorize_user_target_host
#****
#****h* ansible_roles_ssh_authorize_user/main.yml
# NAME
# main.yml - Main playbook for role ssh_authorize_user
# HISTORY
# $Id: $
#****
- assert:
that:
- ssh_authorize_user_source_user != ''
- ssh_authorize_user_source_host != ''
- ssh_authorize_user_target_user != ''
- ssh_authorize_user_target_host != ''
tags:
- check_vars
- name: Generate SSH Keypair in Source
user:
name: "{{ ssh_authorize_user_source_user }}"
state: present
ssh_key_comment: "ansible-generated for {{ ssh_authorize_user_source_user }}#{{ ssh_authorize_user_source_host }}"
generate_ssh_key: yes
delegate_to: "{{ ssh_authorize_user_source_host }}"
register: source_user
- name: Install SSH Public Key in Target
authorized_key:
user: "{{ ssh_authorize_user_target_user }}"
key: "{{ source_user.ssh_public_key }}"
delegate_to: "{{ ssh_authorize_user_target_host }}"
- debug:
msg: "{{ ssh_authorize_user_source_user }}#{{ ssh_authorize_user_source_host }} authorized to log in to {{ ssh_authorize_user_target_user }}#{{ ssh_authorize_user_target_host }}"
Invoking role in a loop:
- name: Authorize User
include_role:
name: ssh_authorize_user
vars:
ssh_authorize_user_source_user: "{{ git_user }}"
ssh_authorize_user_source_host: "{{ item[0] }}"
ssh_authorize_user_target_user: "{{ git_user }}"
ssh_authorize_user_target_host: "{{ item[1] }}"
with_nested:
- "{{ app_server_list }}"
- "{{ git_server_list }}"

I would create a deploy user that is restricted to pull access to your repos. You can either allow this through http or there are a few options to do it over ssh.
If you don't care about limiting the user to read-only access to your repo then you can create a normal ssh user. Once the user is created you can use Ansible to add the user's public key to the authorized key file on the git server you can use the authorized key module.
Once that is setup you have two options:
If you use ssh use ssh key forwarding so that the user that is used to run the Ansible task sends his public key to the dev server.
Temporarily transfer the key and use the ssh_opts git module option to use the deploy user's public key.

Use the openssh_keypair and authorized_key module to create and deploy the keys at the same time without saving it into your ansible host.
- openssh_keypair:
group: root
owner: root
path: /some/path/in/your/server
register: ssh_key
- name: Store public key into origin
delegate_to: central_server_name
authorized_key:
key: "{{ssh_key.public_key}}"
comment: "{{ansible_hostname}}"
user: any_user_on_central
Will create and/or make sure the ssh key on your server will enable ssh connection to central_server_name.

I wanted to contribute this code by removing the shell module and using slurp. Thanks a lot Jonas Libbrecht for the code. It is quite useful.
- name: Get ssh keys
slurp:
src: /home/nsbl/.ssh/id_ed25519.pub
register: ssh_keys
tags:
- ssh
- name: Check keys
debug: msg="{{ ssh_keys['content'] | b64decode }}"
tags:
- ssh
- name: deploy keys on nodes 1
authorized_key:
user: root
key: "{{ item[1] }}"
delegate_to: "{{ item[0] }}"
with_nested:
- "{{ groups['cluster'] }}"
- "{{ ssh_keys['content'] | b64decode }}"
tags:
- ssh
Thanks community.

This is what I use to exchange RSA keys between multiple hosts (many to many). I have variations that create the user accounts with the key pairs and also to deal with 'one to many' and 'many to one' scenarios.
#:TASK: Exchange SSH RSA keys between multiple hosts (many to many)
#:....: RSA keypairs are created as required at play (1)
#:....: authorized_keys updated at play <root user (2a.1 & 2a.2)>, <non root user (2b.1)>
#:....: -- We need a 2a or 2b option becasue there is a 'chicken & egg' issue for the root user!
#:....: known_hosts files are updated at play (3)
#:REQD: *IF* your security policy allows:
#:....: -- Add 'host_key_checking = False' to ansible.cfg
#:....: -- Or use one of the variations of 'StrictHostKeyChecking=no' elsewhere:
#:....: e.g. inventory setting - ansible_ssh_common_args='-o StrictHostKeyChecking=no'
#:....: - or - host variable - ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
#:USER: RUN this as the 'root' user; it hasn't been tested or adapted to be run as any other user
#:EXEC: ansible-playbook <playbook>.yml -e "nodes=<inventory_hosts> user=<username>"
#:VERS: 20230119.01
#
---
- name: Exchange RSA keys and update known_hosts between multiple hosts
hosts: "{{ nodes }}"
vars:
ip: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
tasks:
- name: (1) Generate an SSH RSA key pair
community.crypto.openssh_keypair:
path: "~{{ user }}/.ssh/id_rsa"
comment: "{{ user }}#{{ ip }}"
size: 2048
- name: (2) Retrieve RSA key/s then exchange it with other hosts
block:
- name: (2a.1) Retrieve client public RSA key/s to a variable
slurp:
src: ".ssh/id_rsa.pub"
register: rsa_key
# Using the debug module here seems to make the slurp above more reliable
# as during testing not all hosts that were slurped worked.
- debug:
msg: "{{ rsa_key['content'] | b64decode }} / {{ ip }} / {{ user }}"
- name: (2a.2) Exchange RSA keys between hosts and update authorized_key files
delegate_to: "{{ item }}"
authorized_key:
user: "{{ user }}"
key: "{{ rsa_key['content'] | b64decode }}"
with_items:
- "{{ ansible_play_hosts }}"
when: item != inventory_hostname
when: user == "root"
- name: (2b.1) Exchange RSA keys between hosts and update authorized_key files
block:
- delegate_to: "{{ item }}"
authorized_key:
user: "{{ user }}"
key: "{{ rsa_key['content'] | b64decode }}"
with_items:
- "{{ ansible_play_hosts }}"
when: item != inventory_hostname
when: user != "root"
- name: (3) Ensure nodes are present in known_hosts file
become: yes
become_user: "{{ user }}"
known_hosts:
name: "{{ item }}"
path: "~{{ user }}/.ssh/known_hosts"
key: "{{ lookup('pipe', 'ssh-keyscan -t rsa {{ item }}') }}"
when: item != inventory_hostname
with_items:
- "{{ ansible_play_hosts }}"