how to encrypt ssh_pass password without asking any more password
Sameer Modak
hosts.yaml has below all:vars
[all:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_connection=ssh
ansible_port=22
ansible_user=sam
ansible_ssh_pass=abc@123
Now i want to hide ansible_ssh_pass variable or encrypt/salt this value thats it .
how do i do that. I m ok even if i store that in plaintext and reference here .
im fine evenits base64 just should not be in plain in hosts.yaml.
Todd Lewis
Todd Lewis
Stuart Lowe
Use an SSH key then no password is needed.
Or create a separate vars file P_vars or something
and have p_ansible_ssh_pass=yourpassword
encrypt that file with ansible vault
then reference that in your all:vars
ansible_ssh_pass={{ p_ansible_ssh_pass }}
you can then see the file and non secure vars without having to un-encrypt the vault but can see that a password stored in vault is used and what it’s name is.
you then have the problem the ansible vault password is needed every time you run your playbook / add hoc commands but you can include a reference to that in your .ansible.cfg and have it reference somewhere on your machine that isn’t included in your source
control and protected to only be ready by your user.
From: ansible...@googlegroups.com <ansible...@googlegroups.com>
On Behalf Of Todd Lewis
Sent: Thursday, December 14, 2023 11:32 PM
To: Ansible Project <ansible...@googlegroups.com>
Subject: [ansible-project] Re: how to encrypt ssh_pass password without asking any more password
|
Caution: This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe |
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
ansible-proje...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/b4abdd48-0506-492c-9930-d7c2d2b86402n%40googlegroups.com.
Stuart Lowe He/Him
Senior Cloud Support Engineer
Zen Internet
Team: 01706 902009
www.zen.co.uk
Proud to be a certified B Corporation
This message is private and confidential. If you have received this message in error, please notify us and remove it from your system.
Zen Internet Limited may monitor email traffic data to manage billing, to handle customer enquiries, and for the prevention and detection of fraud. We may also monitor the content of emails sent to and/or
from Zen Internet Limited for the purposes of security, staff training and to monitor the quality of service.
Zen Internet Limited is registered in England and Wales, Sandbrook Park, Sandbrook Way, Rochdale, OL11 1RY Company No. 03101568 VAT Reg No. 686 0495 01
dbs34
Next share the public key out to all clients, then on the ansible server I created a shell script that invokes
#!/bin/env bash
ssh-agent /usr/bin/sshinit.opt
in my opt file i have a simple if clause.
if [ -s "/etc/ansible/id_rsa_ansible" ]; then
/usr/bin/ssh-add /etc/ansible/id_rsa_ansible
echo "SSH KEY added and initialized"
cd /etc/ansible && $SHELL
else
echo id_rsa_ansible was not found, zero size.
fi
so on my ansible control node ( server ) I run sshinit
it prompts me for the private key password I created now I can login or run any ansible command or playbook with no pasword prompts once your public key is in each clients .ssh/authorized_keys file.
If I want to schedule a cronjob that runs a playbook on a bunch of clients, you have to export the environment variable SSH_AUTH_SOCK in your cronjob playbook script.
env |grep -i ssh
SSH_CONNECTION=10.50.10.22 51630 10.50.3.71 22
SSH_AUTH_SOCK=/tmp/ssh-FwQS5lko0os0/agent.9366
SSH_AGENT_PID=9367
SSH_CLIENT=10.50.10.22 51630 22
SSH_TTY=/dev/pts/0
