creating RSA key with openssh_keypair


Veera

Aug 1, 2024, 9:17:08 AM
to Ansible Project
Hi,

When I try to create SSH key pairs with the module ansible.builtin.openssh_keypair, a new key pair is generated as expected.

$ cat  test_key1.yml
---
- name: Validate RSA key creation
  hosts: localhost
  gather_facts: no
  vars:
    keyfile: "mykey"
  tasks:
    - name: create new keypair
      ansible.builtin.openssh_keypair:
        path: "./{{ keyfile }}"
        force: true
        comment: "myk...@myorg.com"
        type: rsa
        size: 2048
      register: newkey
      no_log: false


    - name: print the output file
      debug:
        msg: "{{lookup('file', 'mykey')}}"

    - name: print the pub key
      debug:
        var: newkey.public_key
$
$
$ ap test_key1.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Validate RSA key creation] ******************************************************************************************************

TASK [create new keypair] *************************************************************************************************************
changed: [localhost]

TASK [print the output file] **********************************************************************************************************
ok: [localhost] => {
    "msg": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAQEAuxikjvE7gthJQqNpDRmUZlFr6INoQv38QPWL2TA8so5rStPwv0/Q\n+JhDCnXV16WmPhVN+ZX+cC6RyoHa5mzZY4WocJfGbQ553plcTteHt3j5FFLwbwTeYdeDaX\n3xB904SCneXVbYjjO/HSLOB7emasY4NIpj24Lq7J06v2/p+tL3yTqqa9oFH94+EYRp/awu\nLDJ784dVUUR7pEUpWCeNy6PhENfYIzQdzS9xq/fEwLYl6d7cHZoKpOx/WORFyhtkMfvzi5\nJYCt9UVMfI+wpjJ9tOI/1tOO8YYg53naqfPLTdwTxsqP05hcCKyJyQYerh2GuLZzUSA/Gm\nvIkJ0O+p/QAAA8iLqnKti6pyrQAAAAdzc2gtcnNhAAABAQC7GKSO8TuC2ElCo2kNGZRmUW\nvog2hC/fxA9YvZMDyyjmtK0/C/T9D4mEMKddXXpaY+FU35lf5wLpHKgdrmbNljhahwl8Zt\nDnnemVxO14e3ePkUUvBvBN5h14NpffEH3ThIKd5dVtiOM78dIs4Ht6Zqxjg0imPbgursnT\nq/b+n60vfJOqpr2gUf3j4RhGn9rC4sMnvzh1VRRHukRSlYJ43Lo+EQ19gjNB3NL3Gr98TA\ntiXp3twdmgqk7H9Y5EXKG2Qx+/OLklgK31RUx8j7CmMn204j/W047xhiDnedqp88tN3BPG\nyo/TmFwIrInJBh6uHYa4tnNRID8aa8iQnQ76n9AAAAAwEAAQAAAQB5FNiifXHjGvBGhRSe\nWriUgwsPvcNC37ZZn89yrmoJsGu1UHYUiaYWzAtPALV0ywpMUWNWLAEvPqQxZ1pwF2+Und\nJFk6PhviWWrq9zgr6dOVgRFB/v6Tm2HlA4fD35tewPn7D9vQ+G7+w2AelOS0cTANctAYbg\nb9hzasmzTM0i+jv4GEDS/zldh8YhDIPIOBctyevjW1Pcx2ttP9pfcaSbpH8t0Cq8AcRKUa\ntYUlf6IvgJxSjfLF3w6ozteV10esfG372of5ssJFHaTZCnA+3vRRnEr420zYRVTARfJ3qQ\n/c+EPcqiHf2D90GZ3b/UGdcSGf3Nl/Vs7fcTX+1IxoqhAAAAgQCzaY67BHjhlJUQftgdQG\nxYUjhCxsR1XemXtfdmxavDKraPUnA3iIu4PAv3rUfcT0dY+vrI7TQlrZTDq9C0HdLyC3EY\nISzjW72dRzSr0qYAlTbzKYsvon/NukD/qCgWlcn1HMwZtlH4alCIKcjCJs49HYKl1kyzeE\nAFNI6cRSW5pgAAAIEA30cx2Saxjmz50t1Q7pSuJJPx27a4ktuSljsavlYUeLnnXHZsXveX\nHLojVoL3EV97Cn2dH1kJ5uSU2rf7UX0dw2MNLzIfM8RmpoKRrKqUS6mwI8pINy7hqctodS\nu6Y/1lrRU1zwUJiPBIxqFqN4NC0fp9lRXydEf3kmddHLu7OPUAAACBANaEADRqAcDbbzjX\ncA8qBtjzx65Jkn76WAbPMdH9lvvzxgy6iOB5NrGztfIj7a4I/6cQjWlTY4WOG9cpLKKWfo\nwNkenr3d7GCXAKQ5z3N5vMWenC/vL6eoFyGV0Evn3Lz3YxZ6xvWGzFXSy66SholaIlngwx\nqGMYqVyLQlbjPafpAAAAEG15a2V5c0BteW9yZy5jb20BAg==\n-----END OPENSSH PRIVATE KEY-----"
}

TASK [print the pub key] **************************************************************************************************************
ok: [localhost] => {
    "newkey.public_key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7GKSO8TuC2ElCo2kNGZRmUWvog2hC/fxA9YvZMDyyjmtK0/C/T9D4mEMKddXXpaY+FU35lf5wLpHKgdrmbNljhahwl8ZtDnnemVxO14e3ePkUUvBvBN5h14NpffEH3ThIKd5dVtiOM78dIs4Ht6Zqxjg0imPbgursnTq/b+n60vfJOqpr2gUf3j4RhGn9rC4sMnvzh1VRRHukRSlYJ43Lo+EQ19gjNB3NL3Gr98TAtiXp3twdmgqk7H9Y5EXKG2Qx+/OLklgK31RUx8j7CmMn204j/W047xhiDnedqp88tN3BPGyo/TmFwIrInJBh6uHYa4tnNRID8aa8iQnQ76n9"
}

PLAY RECAP ****************************************************************************************************************************
localhost                  : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
$



However, the public key shows the caption as ssh-rsa .., and the private key displays the label as "-----BEGIN OPENSSH PRIVATE KEY-----" and "-----END OPENSSH PRIVATE KEY-----".

I am looking to create an RSA key pair with 2048 bits, something we used to create with the command ssh-keygen -t rsa -b 2048.
The private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and end with "-----END RSA PRIVATE KEY-----".

Is that possible with the openssh_keypair module?




Felix Fontein

Aug 1, 2024, 10:21:33 AM
to ansible...@googlegroups.com
Hi,

> However the public-key is showing the caption as ssh-rsa .. and the
> private key is displaying the label as "-----BEGIN OPENSSH PRIVATE
> KEY----- and -----END OPENSSH PRIVATE KEY-----"
>
> I am looking to create an rsa key-pairs with 2048b , something we
> used to create with the command ssh-keygen -t rsa -b 2048
> The private key must begin with "-----BEGIN RSA PRIVATE KEY-----" and
> ends with "-----END RSA PRIVATE KEY-----"

Could you please elaborate why it **must** start with "-----BEGIN RSA
PRIVATE KEY-----"? Does your SSH version not accept "-----BEGIN OPENSSH
PRIVATE KEY-----"?

In any case, I would suggest to look at the private_key_format option
of the module.

All the best,
Felix

Veera

Aug 1, 2024, 1:21:26 PM
to Ansible Project


Yes, we need an RSA format PEM key which is compatible with the application.
Whenever an OPENSSH PRIVATE key generated with the playbook is used for authentication, login to the application is working, but it is not functioning 100% as expected.
When an RSA format PEM or id_rsa key (ssh-keygen -t rsa -b 2048) is used, then login and functioning of the application work fine (vendor-recommended RSA format SSH key).

Todd Lewis

Aug 2, 2024, 6:52:17 PM
to Ansible Project
In what way is it "not functioning 100% as expected"?

Dick Visser

Aug 3, 2024, 3:40:09 AM
to ansible...@googlegroups.com
On Thu, 1 Aug 2024 at 19:21, Veera <svee...@gmail.com> wrote:

> Yes, we need an RSA format PEM key which is compatible with the application.
> Whenever an OPENSSH PRIVATE key generated with the playbook is used for authentication, login to the application is working, but it is not functioning 100% as expected.
> When an RSA format PEM or id_rsa key (ssh-keygen -t rsa -b 2048) is used, then login and functioning of the application work fine (vendor-recommended RSA format SSH key).

Add the following parameters to your task:

backend: cryptography
private_key_format: pkcs1

Looking at the docs, this means that your application depends on OpenSSH < 7.8, because only those versions created PKCS1 private key files (the ones with "BEGIN RSA ...").
See https://superuser.com/questions/1720991/ for an interesting read on some historical background and rationale.
After reading that you may want to ask questions to your vendor, for example why their application insists on a legacy, less secure format (although the latter only applies to encrypted keys, which you don't seem to be generating).
If it is a key for ssh, then they might also be using specific fields from the ASN.1 structure. This is possible, but then it's not just an ssh key anymore.

Dick
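The following playbook is an added example, not code posted by anyone in this thread: it applies the two parameters suggested above (backend: cryptography and private_key_format: pkcs1) to the original task, then checks the resulting PEM header with an assert task instead of echoing the private key into the play output as the original debug task did. It assumes the community.crypto collection and the cryptography Python package are installed on the controller; the output path and the key comment are placeholders.

```yaml
---
# Added example (not from the thread): regenerate an RSA key pair in the
# legacy PKCS#1 PEM format ("-----BEGIN RSA PRIVATE KEY-----") with
# community.crypto.openssh_keypair, then verify the header without
# printing the private key material into the play log.
# Assumptions: community.crypto collection installed; `cryptography`
# Python package available on the controller.
- name: Generate a PKCS#1 RSA key and verify its PEM header
  hosts: localhost
  gather_facts: false
  vars:
    keyfile: "./mykey"                 # placeholder output path
  tasks:
    - name: Create RSA key pair in PKCS#1 (legacy "BEGIN RSA PRIVATE KEY") format
      community.crypto.openssh_keypair:
        path: "{{ keyfile }}"
        type: rsa
        size: 2048
        comment: "deploy@example.com"   # placeholder comment
        backend: cryptography           # private_key_format only applies with this backend
        private_key_format: pkcs1       # PKCS#1 PEM instead of the default OpenSSH format
        regenerate: always              # same effect as the original task's force: true
        mode: "0600"                    # private key readable only by its owner
      register: newkey
      no_log: true                      # keep key material out of stdout and logs

    # slurp returns the file content base64-encoded; nothing is printed.
    - name: Read the generated private key file
      ansible.builtin.slurp:
        src: "{{ keyfile }}"
      register: key_file
      no_log: true

    # Check only the PEM header and the public key prefix; the assert
    # messages do not include the key material.
    - name: Verify the private key is PKCS#1 PEM and the public key is OpenSSH ssh-rsa
      ansible.builtin.assert:
        that:
          - (key_file.content | b64decode) is search('^-----BEGIN RSA PRIVATE KEY-----')
          - (key_file.content | b64decode) is search('-----END RSA PRIVATE KEY-----')
          - newkey.public_key is search('^ssh-rsa ')
        fail_msg: "{{ keyfile }} is not a PKCS#1 RSA private key"
        success_msg: "{{ keyfile }} is a PKCS#1 RSA private key with an ssh-rsa public key"
```

Run it with ansible-playbook against the implicit localhost, as in the original session. The public key file written next to the private key stays in the usual OpenSSH "ssh-rsa AAAA..." form, which is also what ssh-keygen -t rsa -b 2048 produces, so only the private key encoding changes. If the key must not be rewritten on every run, replace regenerate: always with full_idempotence so the module only regenerates the file when the existing key does not match the requested type, size and comment.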



