automated sshkey distribution to known_hosts


Kesten Broughton

Oct 30, 2013, 12:24:17 PM10/30/13
to ansible...@googlegroups.com
I'd like to know what the best practice is for achieving passwordless logins BETWEEN ansible managed hosts.
I have wrapped the user module with a playbook that creates sudo privileged users.
The authorized_keys module can be used to populate ~/.ssh/authorized_keys, but I need the same for ~/.ssh/known_hosts.

My use case is creating a hadoop cluster. To issue map-reduce jobs, the master node must have passwordless ssh login access to the slaves.
I want to be able to spin up and tear down spot clusters so this must be automated.

Here is the rough work I've been working on. Currently I pass in 'user' and 'pwd' via --extra-vars, but will likely switch to vars_prompt or something with pycrypto salting for production.

- hosts: all
  sudo: true
  tasks:
    - name: Make sure the user {{user}} exists
      # was name=ansibler: the task name, the authorized_key task and the
      # key-generation task all refer to {{user}}, so create that account
      user: name={{user}} groups=sudo generate_ssh_key=yes shell=/bin/bash
      tags: ansibler

    - name: Make sure the 'ansibler' RSA SSH key is installed
      authorized_key: user={{user}} key="{{ lookup('file', 'ansible_rsa.pub') }}"
      tags: ansibler

    - name: Make sure sudoers contains NOPASSWD for sudo group
      shell: "creates=/etc/sudoers.bak chdir=/etc cp sudoers sudoers.bak && sed -ri -e 's/(%sudo\\s+ALL=\\(ALL:ALL\\))\\s+ALL/\\1 NOPASSWD: ALL/' /etc/sudoers"
      # TODO replace this with proper visudo as in lynx-ansible/playbooks/utils/sudo_adduser.yml

    - name: In case generate_ssh_key fails, do it manually
      shell: creates=/home/{{user}}/.ssh/id_rsa
             ssh-keygen -f /home/{{user}}/.ssh/id_rsa -t rsa -N ''

    # sshpass method
    - name: Copy the user pwds to hosts
      # the file holds a password, so keep it readable by {{user}} only
      copy: content={{pwd}} dest="/home/{{user}}/.ssh/{{user}}_pwd" owner={{user}} group={{user}} mode=0600

    - name: Use sshpass to distribute keys
      # 'true' is the remote command: without one, ssh opens an interactive
      # shell and the task hangs forever. StrictHostKeyChecking=no accepts
      # whatever host key each node presents on this first connection and
      # records it in known_hosts.
      shell: sshpass -f /home/{{user}}/.ssh/{{user}}_pwd ssh -o StrictHostKeyChecking=no {{user}}@{{item}} true
      with_items: groups['all']

    # TODO This should work, but does not
    ##################

    # - name: Set StrictHostKeyChecking no in ~/.ssh/config
    #   lineinfile: create=yes dest="/home/{{user}}/.ssh/config"
    #               regexp=StrictHostKeyChecking
    #               line="StrictHostKeyChecking no"

    # - name: Set up passwordless ssh between nodes
    #   command: ssh-copy-id {{user}}@{{item}}
    #   with_items: groups['all']

    ##################

Brian Coca

Oct 30, 2013, 3:13:41 PM10/30/13
to ansible...@googlegroups.com
I use this to populate /etc/ssh/ssh_known_hosts, this won't scale to thousands but it works well with a few dozen

https://github.com/bcoca/ansible-pb/blob/master/known_hosts.yml
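As an added example (not Brian's known_hosts.yml, which is only linked above, and not code from this thread), here is a playbook that does the same job for the system-wide file in current Ansible syntax: each host's ed25519 host key, as reported by the setup module's ansible_ssh_host_key_ed25519_public fact, is pinned in /etc/ssh/ssh_known_hosts on every host. It assumes the inventory hostnames resolve on every node and that every node has an ed25519 host key.

```yaml
# Added example, not part of the original thread and not Brian's playbook.
# Current Ansible syntax: `become` instead of the `sudo:` used above,
# `loop` instead of `with_items`.
# Assumptions: every inventory hostname resolves on every node, and every
# node has an ed25519 host key (gather_facts reports it as the
# ansible_ssh_host_key_ed25519_public fact).
- hosts: all
  become: true
  gather_facts: true   # the host-key facts used below come from gather_facts
  tasks:
    - name: Pin every cluster host's ed25519 host key in the system-wide known_hosts
      ansible.builtin.known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: "{{ item }}"
        # known_hosts line format: hostname keytype base64-key
        key: "{{ item }} ssh-ed25519 {{ hostvars[item]['ansible_ssh_host_key_ed25519_public'] }}"
        state: present
      loop: "{{ groups['all'] }}"

    - name: Make sure the system-wide file is readable by every user
      ansible.builtin.file:
        path: /etc/ssh/ssh_known_hosts
        owner: root
        group: root
        mode: "0644"
```

With the keys pinned this way before the first ssh between nodes, the per-user "StrictHostKeyChecking no" line is not needed, and a node whose host key later changes is refused instead of silently accepted.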

Kesten Broughton

Oct 30, 2013, 5:38:55 PM10/30/13
to ansible...@googlegroups.com
Thanks. It works for me.

I had to add the following:
    - name: Set StrictHostKeyChecking no in ~/.ssh/config
      lineinfile: create=yes dest="/home/{{user}}/.ssh/config"
                  regexp=StrictHostKeyChecking
                  line="StrictHostKeyChecking no"
                  owner={{user}}
                  group={{user}}
                  mode=0644


On Wed, Oct 30, 2013 at 2:13 PM, Brian Coca <bria...@gmail.com> wrote:
I use this to populate /etc/ssh/ssh_known_hosts, this won't scale to thousands but it works well with a few dozen

https://github.com/bcoca/ansible-pb/blob/master/known_hosts.yml
