How to manage authorized_keys?


Eugene Knoxville

Jul 24, 2015, 7:41:25 AM
to Ansible Project
Hello,

I'm using the authorized_keys core module for managing the files of the same name. So, what do I need?

I have a role and a var file with all the SSH keys. For example:

user1_key: SSH PUB KEY HERE
user2_key: SSH PUB KEY HERE

I want to define which users I can put to authorized_keys. For example, I use in a playbook:

roles:
     - { role: ssh.role, ssh_user: test1, ssh_user_key: "{{ user1_key }}", "{{ user2_key }}" }

But... I need to define a list of values separated by a newline. Using the line above, I'm getting an authorized_keys file with 2 SSH keys separated by a comma.

In role:

- name: Manage authorized_keys 
  authorized_key: user="{{ ssh_user }}" key="{{ ssh_user_key }}"


Please suggest! 

Eugene Knoxville

Jul 24, 2015, 8:02:02 AM
to Ansible Project, met...@gmail.com
Found solution in Doc:

- user: name={{ item.name }} state=present generate_ssh_key=yes
  with_items: "{{users}}"

- authorized_key: "user={{ item.0.name }} key='{{ lookup('file', item.1) }}'"
  with_subelements:
     - users
     - authorized
And somewhere define:
users:
  - name: test1
    authorized:
      - "{{ user1_key }}"
      - "{{ user2_key }}"

But when I decide to remove user2_key, it still persists in the authorized_key file! It's unacceptable!

Eugene Knoxville

Jul 26, 2015, 6:59:31 AM
to Ansible Project, met...@gmail.com
Is there anyone who can share own experience? It's supposed to be a widespread task!

nusenu

Jul 26, 2015, 7:10:29 AM
to ansible...@googlegroups.com

> But, when I decide to remove user2_key, It still persists in
> authorized_key file! It's unacceptable!

maybe you find the
'exclusive' parameter useful?
http://docs.ansible.com/ansible/authorized_key_module.html

> Whether to remove all other non-specified keys from the
> authorized_keys file. Multiple keys can be specified in a single
> key string value by separating them by newlines. This option is not
> loop aware, so if you use with_ , it will be exclusive per
> iteration of the loop, if you want multiple keys in the file you
> need to pass them all to key in a single batch as mentioned above.


Eugene Knoxville

Jul 28, 2015, 3:08:01 AM
to Ansible Project, nus...@openmailbox.org
Unfortunately, it's not useful for multiple keys :(

Igor Homyakov

Jul 28, 2015, 4:28:45 AM
to ansible...@googlegroups.com
Hi Eugene,

Here is a fairly old snippet I used for such a purpose. I hope you will
find it useful.

it uses template to produce authorized_keys

https://gist.github.com/hostmaster/fc4bb8a2a9301bc2285f

I think it is possible to do the same with assemble module but I have not tried.

-- Best

nusenu

Jul 28, 2015, 6:06:55 AM
to Ansible Project



> Unfortunately, It's not useful for multiple keys


to quote the documentation again:
> *Multiple* keys can be specified in a single key string value by
> separating them by newlines.
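
The documentation passage quoted above, applied to the question's variables, as an added example that is not part of the original thread: each user's keys are joined with newlines into one `key` value so that `exclusive` sees the whole set, and a key dropped from the list is removed on the next run. The key strings are constructed placeholders and the `/home/<user>` path in the read-back check is an assumption.

```yaml
# Added example, not code from the thread.
# Replace the placeholder strings with real public keys before running.
- hosts: all
  become: yes
  vars:
    user1_key: "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY_1 user1@example"
    user2_key: "ssh-ed25519 PLACEHOLDER_PUBLIC_KEY_2 user2@example"
    users:
      - name: test1
        authorized:
          - "{{ user1_key }}"
          # user2_key is deliberately not listed: with exclusive=yes it is
          # removed from test1's authorized_keys on the next run.
  tasks:
    - name: Make authorized_keys contain exactly the listed keys
      authorized_key:
        user: "{{ item.name }}"
        # One newline-joined string per user. Looping per key instead would
        # make exclusive keep only the key of the last iteration.
        key: "{{ item.authorized | join('\n') }}"
        exclusive: yes
        state: present
      with_items: "{{ users }}"

    - name: Read back the deployed file (assumes the default home layout)
      slurp:
        src: "/home/{{ item.name }}/.ssh/authorized_keys"
      with_items: "{{ users }}"
      register: deployed

    - name: Fail the play if the revoked key is still present
      assert:
        that: "user2_key not in (item.content | b64decode)"
      with_items: "{{ deployed.results }}"
```

Because `exclusive` also removes keys that were added to the file by hand, the `authorized` list has to be the complete set of keys allowed for that account.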

Brian Coca

Jul 28, 2015, 8:40:38 AM
to Ansible Project
I would just use templates



--
Brian Coca

Mischa ter Smitten

Jul 29, 2015, 3:07:18 PM
to Ansible Project
Have a look at our ssh-keys role. https://github.com/Oefenweb/ansible-ssh-keys