reading the key file contents


Veera

Aug 7, 2023, 7:01:41 AM8/7/23
to Ansible Project
In a playbook, I gathered the user key into the variable "user_key" and I am using the add_host module to log in to the server and execute the required tasks.

    # tasks of the first play (the play header was not included in the post)
    - name: Writing the key to a file
      ansible.builtin.copy:
        content: "{{ user_key }}"
        dest: /tmp/new_inst.pem
        mode: '0600'
        follow: yes
      register: keyfile

    - name: create a temp inventory
      ansible.builtin.add_host:
        hostname: '{{ servera }}'
        groups: mygroup
        ansible_ssh_private_key_file: "{{ keyfile.dest }}"
        ansible_ssh_user: "root"
        ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'

# second play, run against the host added above
- name: validate the httpd in new hosts
  hosts: mygroup
  gather_facts: true
  become: yes
  environment:
    ANSIBLE_HOST_KEY_CHECKING: "False"
  tasks:
    - name: Start service httpd, if not started
      service:
        name: httpd
        state: started

All works fine using the above.
However, is there an option to read the content of the key directly, i.e. pass the contents of the key file to the add_host module with something like "ansible_ssh_private_key"?
I want to avoid writing the key to a file, chmod 600 and then removing it after execution.

Also, is there a way to read the variable "user_key" when it is fed manually on the ansible-playbook command line, for the same code above:

# ansible-playbook playbook -e "user_key={{ssh_content}}"
where ssh_content is a python variable which has the exact key value from another program's output.

Pierre TOURON

Aug 7, 2023, 1:06:50 PM8/7/23
to Ansible Project
Hi,

Unfortunately, ansible_ssh_private_key_file requires a file and I don't see a proper way to assemble a file from a string in an inline manner. You could probably do some jinja magic to that end, though it won't be very elegant.
I'll try to wrap my head around it a bit more and come back to you if I find something.

As for your second question, are you trying to read ssh_content from a file or from stdin? Here is an example for both scenarios using a lookup plugin:
19:02|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ cat ~/TEMP/truc
truc
19:02|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ ansible -c local localhost -m debug -a 'var=foo' -e foo="{{ lookup('file', '~/TEMP/truc') }}"
localhost | SUCCESS => {
    "foo": "truc"
}
19:03|ptn@BENDER:~/conf (main // U:1 M(u):1) (default)$ echo "truc" | ansible -c local localhost -m debug -a 'var=foo' -e foo="{{ lookup('file', '/dev/stdin') }}"
localhost | SUCCESS => {
    "foo": "truc"
}

Dick Visser

Aug 7, 2023, 1:31:59 PM8/7/23
to ansible...@googlegroups.com
Where does this "user_key" originate from?

On Mon, 7 Aug 2023 at 13:03, Veera <svee...@gmail.com> wrote:
>
> In a playbook , I gathered the user key into the variable "user_key" and using a add_host module to login to the server and execute the required tasks .
>
> - name: Writing the key to a file
> ansible.builtin.copy:
> content: "{{ user_key }}"
> dest: /tmp/new_inst.pem
> mode: '0600'
> follow: yes
> register: keyfile
>
>
> - name: create a temp inventory
> ansible.builtin.add_host:
> hostname: '{{ servera }}'
> groups: mygroup
> ansible_ssh_private_key_file: "{{ keyfile.dest }}"
> ansible_ssh_user: "root"

Are you sure this is necessary? What about an unprivileged user + sudo?

> ansible_ssh_extra_args: '-o StrictHostKeyChecking=no'
>
> - name: validate the httpd in new hosts
> hosts: mygroup
> gather_facts: true
> become: yes
> environment:
> ANSIBLE_HOST_KEY_CHECKING: "False"
> tasks:
> - name: Start service httpd, if not started
> service:
> name: httpd
> state: started
>
> All works fine using the above.
> However is there an option to read the content of the key directly , read the contents of the keyfile to the add_host module with something like "ansible_ssh_private_key" ??
> I want to avoid writing the key to a file, chmod 600 and then remove it after execution.

Also, I think if you write the key to the filesystem, and then later
remove it, it is not really gone, but merely unlinked.
So that is an extra reason to be careful about handling the user's private key
data that way.

> Also , is there a way to read the variable "user_key" when manually feed during the ansible-playbook command , like for the same above codes usage .
>
> # ansible-playbook playbook -e "user_key={{ssh_content}}"
> where ssh_content is a python variable which have the exact key_value details from another program output .

Are you sure you want to use sensitive materials like that? I think
this will leak the content into the shell history, process output etc.

Brian Coca

Aug 7, 2023, 6:31:02 PM8/7/23
to ansible...@googlegroups.com
You cannot use a string for an ssh key; it is a file, as Ansible must
pass a file to the `ssh` command line client (which does not accept a
string).
If you only have a string, you have to write the string to a file
before the connection starts and remove it once it ends. Doing this
securely is not trivial, and that is the reason the ssh connection plugin does
not attempt to do so.
--
----------
Brian Coca
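The file-based approach that Veera's original playbook uses and Brian's reply confirms, written out as one added example (not code from the thread or from the Ansible project): the key lives on disk only for the run, in a temp file created 0600, written with no_log, referenced by add_host with an unprivileged login instead of root, and unlinked in an always block. The variables user_key and servera come from the original post; the account name deploy is an assumption.

```yaml
# Added example, not code from the thread: the file-based approach the replies
# converge on, with the key on disk only for the duration of the run.
# Assumptions: user_key already holds the PEM text, servera holds the target,
# and "deploy" is a hypothetical sudo-capable account on that host.
- name: Materialise the key on the controller and register the host
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Reserve a private temp file (tempfile creates it mode 0600)
      ansible.builtin.tempfile:
        state: file
        suffix: .pem
      register: keyfile

    - name: Write the key; no_log keeps the content out of logs and output
      ansible.builtin.copy:
        content: "{{ user_key }}"
        dest: "{{ keyfile.path }}"
        mode: "0600"
      no_log: true

    - name: Add the target with the temp key and an unprivileged login
      ansible.builtin.add_host:
        hostname: "{{ servera }}"
        groups: mygroup
        ansible_user: deploy
        ansible_ssh_private_key_file: "{{ keyfile.path }}"

- name: Validate httpd on the new host, then remove the key
  hosts: mygroup
  gather_facts: true
  become: true
  tasks:
    - block:
        - name: Start service httpd, if not started
          ansible.builtin.service:
            name: httpd
            state: started
      always:
        # Runs whether the block succeeded or failed; it does not run if the
        # host was unreachable at fact gathering, so clean stale *.pem files
        # in the controller's temp dir separately.
        - name: Unlink the temp key on the controller
          ansible.builtin.file:
            path: "{{ hostvars['localhost']['keyfile']['path'] }}"
            state: absent
          delegate_to: localhost
          become: false
          run_once: true
```

As Dick notes, removing the file only unlinks it, and passing the key inline with -e puts it in the shell history; supplying it from a vars file with -e @vars.yml (a standard ansible-playbook option, not shown in the thread) avoids the latter.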

Veera

Aug 8, 2023, 11:02:20 AM8/8/23
to Ansible Project
Hi all,

Thanks for the valuable inputs and directions.
I was looking for a new approach, which was failing, and you all confirmed that the best and secure way is to have the key as a file with appropriate permissions. I will be proceeding with the same setup which I already have.