Help with the "authorized_key" Module


Yaniv Ferszt

Feb 21, 2014, 7:45:05 AM
to ansible...@googlegroups.com
Hi,

I am just starting to learn Ansible and have a question regarding the "authorized_key" module.

What I am trying to accomplish is to add multiple SSH public keys to a remote system's root user.


In the documentation http://docs.ansible.com/authorized_key_module.html

I see that I need something like this:


# Using with_file
- name: Set up authorized_keys for the deploy user
  authorized_key: user=deploy
                  key="{{ item }}"
  with_file:
    - public_keys/doe-jane
    - public_keys/doe-john


So I created a playbook "ssh-keys.yml" with this content:
---

- name: "Set up authorized_keys for the root user"
hosts: testvms
user: root

tasks:
- name: Set up authorized_keys for the root user
authorized_key: user=root
key="{{ item }}"
with_file:
- /path/to/pub-key/user-a
- /path/to/pub-key/user-b



I receive the following error running this playbook:
# ansible-playbook -v ssh-keys.yml         
ERROR: with_file is not a legal parameter in an Ansible Playbook



OS Information
ansible server
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)

# ansible-playbook --version
ansible-playbook 1.5



Any idea what I did wrong?









Marc Patermann

Feb 21, 2014, 9:53:44 AM
to ansible...@googlegroups.com
Yaniv,

Yaniv Ferszt wrote (21.02.2014 13:45):

> I am just starting to learn Ansible and have a question regarding the
> "authorized_key" module.
>
> What I am trying to accomplish is to add multiple SSH public keys to a
> remote system's root user.
I used copy and assemble to achieve this.
First I copy a directory "keys" containing the individual keys to ~/.ssh/.
Second I assemble all the files in this directory in the authorized_keys
file.


Marc

Strahinja Kustudić

Feb 21, 2014, 6:25:52 PM
to ansible...@googlegroups.com
I think that your only problem is indentation, you have to be careful with it. I used your code and added indentation:

---
- name: "Set up authorized_keys for the root user"
  hosts: testvms
  user: root

  tasks:
  - name: Set up authorized_keys for the root user
    authorized_key: user=root key="{{ item }}"
    with_file:
      - /path/to/pub-key/user-a
      - /path/to/pub-key/user-b

Also I'm not sure what user: root exactly does in a playbook, I know there is an option remote_user: which sets the user which will run the playbook and it's root by default, so you can remove that line probably.

Brian Coca

Feb 21, 2014, 10:25:44 PM
to ansible...@googlegroups.com
user: root, sets the user you login as remotely to root. user has been deprecated in favor of the more explicit remote_user: but they are the same (consider it an alias), it can also be set by the inventory variable ansible_ssh_user.

Yaniv Ferszt

Feb 22, 2014, 8:28:24 AM
to ansible...@googlegroups.com

> I think that your only problem is indentation, you have to be careful with it. I used your code and added indentation:

Thanks. I used your corrected code and I did not receive the error again.

But now something else is happening. If I run this code, only the second SSH public key stays in the authorized_keys file.
It's placing the user-a public key and then replacing it with the public key from user-b.

Yaniv Ferszt

Feb 22, 2014, 8:39:57 AM
to ansible...@googlegroups.com
Even if I try it with this code:

---
- name: "Set up authorized_keys for the root user"
  hosts: laptop
  user: root

  tasks:
  - name: Set up user-a authorized_keys for the root user
    authorized_key: user=root key="{{ lookup('file', '/home/yaniv/playbooks/public-keys/user-a') }}" state=present
  - name: Set up user-b authorized_keys for the root user
    authorized_key: user=root key="{{ lookup('file', '/home/yaniv/playbooks/public-keys/user-b') }}" state=present



It will add the user-a public key and then replace it with the user-b public key.
Should this happen?


Strahinja Kustudić

Feb 22, 2014, 8:48:19 AM
to ansible...@googlegroups.com
What version of Ansible are you using? For me the authorized_keys module only adds new keys, it doesn't replace them, so that shouldn't happen, even though I would like to have an option to remove all previous keys before adding new ones.

Yaniv Ferszt

Feb 22, 2014, 8:53:37 AM
to ansible...@googlegroups.com


On Saturday, February 22, 2014 at 14:48:19 UTC+1, Strahinja Kustudić wrote:
> What version of Ansible are you using? For me the authorized_keys module only adds new keys, it doesn't replace them, so that shouldn't happen, even though I would like to have an option to remove all previous keys before adding new ones.

The latest from git (today):
[yaniv@yfhv1 playbooks]$ ansible --version
ansible 1.5

Yaniv Ferszt

Feb 22, 2014, 8:56:29 AM
to ansible...@googlegroups.com
Actually, what is happening reminds me of a Puppet feature where you can manage the content of a file.
But I did not expect this from the Ansible "authorized_keys" module.

Strahinja Kustudić

Feb 22, 2014, 9:42:03 AM
to ansible...@googlegroups.com
I'm using 1.4.4 and it is not doing that, it is only appending new keys to the current ones. Maybe something was changed in 1.5. Could you try 1.4.5?

Yaniv Ferszt

Feb 22, 2014, 11:34:43 AM
to ansible...@googlegroups.com
> I'm using 1.4.4 and it is not doing that, it is only appending new keys to the current ones. Maybe something was changed in 1.5. Could you try 1.4.5?

Same behaviour with version 1.4.5:

[yaniv@yfhv1 playbooks]$ ansible-playbook --version
ansible-playbook 1.4.5

Here are the playbooks I have tested:

1.
[yaniv@yfhv1 playbooks]$ cat ssh-keys.yml

---
- name: "Set up authorized_keys for the root user"
  hosts: laptop
  user: root

  tasks:
  - name: Set up authorized_keys for the root user
    authorized_key: user=root key="{{ item }}"
    with_file:
      - /home/yaniv/playbooks/public-keys/user-a
      - /home/yaniv/playbooks/public-keys/user-b


Only the key from user-b stays in the authorized_keys file, even if I run it multiple times.

2.
[yaniv@yfhv1 playbooks]$ cat ssh-test.yml

---
- name: "Set up authorized_keys for the root user"
  hosts: laptop
  user: root
  tasks:
  - name: Set up user-a authorized_keys for the root user
    authorized_key: user=root key="{{ lookup('file', '/home/yaniv/playbooks/public-keys/user-a') }}" state=present
  - name: Set up user-b authorized_keys for the root user
    authorized_key: user=root key="{{ lookup('file', '/home/yaniv/playbooks/public-keys/user-b') }}" state=present


Same as before, only the key from user-b stays in the authorized_keys file.

3.
Separate playbooks for every user, same result. Only the key from the last executed playbook is left in the authorized_keys file.

[yaniv@yfhv1 playbooks]$ cat ssh1-test.yml

---
- name: "Set up authorized_keys for the root user"
  hosts: laptop
  user: root
  tasks:
  - name: Set up user-a authorized_keys for the root user
    authorized_key: user=root key="{{ lookup('file', '/home/yaniv/playbooks/public-keys/user-a') }}" state=present



[yaniv@yfhv1 playbooks]$ cat ssh2-test.yml

---
- name: "Set up authorized_keys for the root user"
  hosts: laptop
  user: root
  tasks:

Strahinja Kustudić

Feb 22, 2014, 11:48:27 AM
to ansible...@googlegroups.com
I just tried your first playbook on 1.4.4 and it added both keys to the authorized_keys file. Are you sure that those keys are different files? Maybe you made a mistake and copied one key to another?

Yaniv Ferszt

Feb 22, 2014, 12:03:08 PM
to ansible...@googlegroups.com
I just confirmed that I made a mistake, and tested it with every version since 1.4.4, and it is working.

What I did was take one SSH public key, make a copy, and change the name at the end inside it (user-a --> user-b). I was thinking it would handle it as a different key.

Non-working example:
user-a public key

cat usera.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAybrGnaPXZJ9LeTVO664PsrybLm5HPuwjOwhz+7+CQbKTqqk9OxL83gQDToCm55XT+6FUcNC1Yxs73Wymt5AetTAGBHKBpXknn1kMe/TFxb0rcF+W1e/LKciO0vjMAi+IyLFMwRiKE7IGUAR0P3eZxrz3TIhrZc+DzQupbCWdAVTAtneHfi5VAh3wg2CCx35SaLpNYZCbaYVTTvj7YjL7R3fkP2zEPTeJxoy7L+NOzSPShwGtMsFqxJTN6up4Y5sVfAAGqNQtGEDDfS0dd0sueg2OwY9KUk6iqE9GE2wPWbYHtNn+bfupAQvaOK1nSh6r2wgiZyd5x5qYaGPzabe8oQ== user-a

user-b public key
cat userb.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAybrGnaPXZJ9LeTVO664PsrybLm5HPuwjOwhz+7+CQbKTqqk9OxL83gQDToCm55XT+6FUcNC1Yxs73Wymt5AetTAGBHKBpXknn1kMe/TFxb0rcF+W1e/LKciO0vjMAi+IyLFMwRiKE7IGUAR0P3eZxrz3TIhrZc+DzQupbCWdAVTAtneHfi5VAh3wg2CCx35SaLpNYZCbaYVTTvj7YjL7R3fkP2zEPTeJxoy7L+NOzSPShwGtMsFqxJTN6up4Y5sVfAAGqNQtGEDDfS0dd0sueg2OwY9KUk6iqE9GE2wPWbYHtNn+bfupAQvaOK1nSh6r2wgiZyd5x5qYaGPzabe8oQ== user-b


So I generated a new key pair and gave user-b a new public key, and it works.
Sorry for all that trouble and thanks for the help.
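
The mistake described above, two key files that differ only in the trailing comment, can be caught before a playbook runs by comparing key material instead of file names or comments. The following is an added example, not part of the original thread and not Ansible's own code; the file names and key blobs are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def parse_pubkey(line):
    """Return (key_type, blob, comment) for one public-key line.

    Leading authorized_keys options are skipped; options containing
    quoted spaces are not handled (simplification for .pub files).
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("no SSH key found in line: %r" % line[:40])

def fingerprint(blob):
    """SHA256 fingerprint of the key material, in OpenSSH's text form."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_collisions(files):
    """Map (key_type, fingerprint) -> [(file, comment), ...] for every
    key that appears more than once, whatever its comment says."""
    seen = defaultdict(list)
    for name, text in sorted(files.items()):
        for line in text.splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                key_type, blob, comment = parse_pubkey(line)
                seen[(key_type, fingerprint(blob))].append((name, comment))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}

# Constructed sample input: placeholder blobs, not real SSH keys.
BLOB_1 = base64.b64encode(b"constructed key material 1").decode()
BLOB_2 = base64.b64encode(b"constructed key material 2").decode()
SAMPLE_FILES = {
    "public-keys/user-a": "ssh-rsa %s user-a\n" % BLOB_1,
    "public-keys/user-b": "ssh-rsa %s user-b\n" % BLOB_1,  # copy, comment edited
    "public-keys/user-c": "ssh-rsa %s user-c\n" % BLOB_2,
}

if __name__ == "__main__":
    for (key_type, fp), hits in find_collisions(SAMPLE_FILES).items():
        print("%s %s is the same key in:" % (key_type, fp))
        for name, comment in hits:
            print("  %s (comment: %s)" % (name, comment))
```

A collision also means one private key would grant access under two different labels, so the comment in authorized_keys cannot be relied on to tell who holds the key.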


Strahinja Kustudić

Feb 22, 2014, 1:21:28 PM
to ansible...@googlegroups.com
Glad you found the problem :)