validate a file's content and reporting


Ask 21

Sep 6, 2017, 6:43:21 AM
to Ansible Project
Hi everybody,

Does anybody know what would be the best approach to read and validate a remote file's content?

Background: I'm managing Linux servers with Ansible and have to validate on hundreds of Linux servers whether any user with sudo permission has changed the content of /root/.ssh/authorized_keys2.
There shouldn't be any public keys inside except two which are known and are allowed to log in as root.

I haven't created a playbook yet because I don't know which way/module will be best. Is there any option like using a "negotiate" lineinfile operation, or maybe using shell/fetch and doing a diff against a template authorized_keys2 file?

What do you think, how would you tackle this?

Thanks
Stefan

Cev Ing

Sep 6, 2017, 8:08:54 AM
to Ansible Project


On Wednesday, 6 September 2017 12:43:21 UTC+2, Ask 21 wrote:
> I haven't created a playbook yet because I don't know which way/module will be best. Is there any option like using a "negotiate" lineinfile operation, or maybe using shell/fetch and doing a diff against a template authorized_keys2 file?
I have a vault file containing all SSH keys, and then I use the authorized_key module to manage the keys.


But you can also use the copy module to make sure that the remote file has the required content.

Dick Visser

Sep 6, 2017, 10:53:20 AM
to ansible...@googlegroups.com
As said, the authorized_key module is a good approach.
I wouldn't use a vault because they're public keys, which are, well, public.
And from what you tell, you should probably use the 'exclusive' parameter.
And finally use '--check' to only get a report on which hosts have
their authorized_keys2 file changed.
BTW the default file is authorized_keys, so you'd have to configure a
custom 'path' parameter as well.

Note that, depending on your sshd configuration, people might have left
authorized_keys2 intact and added an authorized_keys file.
So I think you should also take that into account, but this probably
requires some more logic.

Dick



--
Dick Visser
GÉANT
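The approach described above (authorized_key with 'exclusive' and a custom 'path', run under --check, plus extra logic for the default authorized_keys file), as an added example playbook that is not part of the thread. The two public keys are constructed placeholders, and the variable name root_allowed_keys is an assumption; with Ansible 2.9 or older the module is addressed by its short name authorized_key instead of ansible.posix.authorized_key.

```yaml
# Added example playbook (not from the thread). Under --check it reports which
# hosts deviate from the allowed root key set; without --check task 1 enforces it.
# Assumptions: the two placeholder keys and the variable name root_allowed_keys.
- name: Audit root's SSH authorized keys
  hosts: all
  become: true
  vars:
    # Constructed placeholder keys; replace with the two real public keys.
    root_allowed_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOne00000000000000000 admin1@example.org"
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialTwo00000000000000000 admin2@example.org"
  tasks:
    # 1. authorized_keys2 must contain exactly the allowed keys.
    #    'exclusive' removes every key not listed in 'key'. It is not loop
    #    aware (looping over the keys would leave only the last one), so the
    #    allowed keys are joined into one newline-separated string.
    #    'path' is needed because the module defaults to authorized_keys, and
    #    the module docs recommend 'manage_dir: false' whenever 'path' is set.
    - name: Only the allowed keys may be in /root/.ssh/authorized_keys2
      ansible.posix.authorized_key:
        user: root
        path: /root/.ssh/authorized_keys2
        manage_dir: false
        exclusive: true
        state: present
        key: "{{ root_allowed_keys | join('\n') }}"

    # 2. sshd's default AuthorizedKeysFile is ".ssh/authorized_keys
    #    .ssh/authorized_keys2", so a key dropped into the first file also
    #    grants root login. Read it (if present) and flag every line that is
    #    not one of the allowed keys. These tasks only read; they never modify.
    - name: Check whether /root/.ssh/authorized_keys exists
      ansible.builtin.stat:
        path: /root/.ssh/authorized_keys
      register: ak_stat

    - name: Read /root/.ssh/authorized_keys
      ansible.builtin.slurp:
        src: /root/.ssh/authorized_keys
      register: ak_file
      when: ak_stat.stat.exists

    - name: Report keys in authorized_keys that are outside the allowed set
      ansible.builtin.assert:
        that:
          - unknown_keys | length == 0
        fail_msg: "Unexpected key lines in /root/.ssh/authorized_keys: {{ unknown_keys }}"
        success_msg: "/root/.ssh/authorized_keys holds no unexpected keys"
      vars:
        # Drop blank and comment lines; whole lines are compared, so a known
        # key with different options or comment is reported as well.
        key_lines: "{{ (ak_file.content | b64decode).splitlines() | map('trim') | reject('match', '^(#|$)') | list }}"
        unknown_keys: "{{ key_lines | difference(root_allowed_keys) }}"
      when: ak_stat.stat.exists
```

Run it as `ansible-playbook -i inventory root-keys.yml --check --diff`: hosts whose authorized_keys2 would change show up as "changed" with the lines that would be added or removed, the assert task fails on hosts that carry stray keys in authorized_keys, and nothing on the hosts is touched. Dropping --check turns task 1 into enforcement; task 2 stays a read-only report either way.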

Ask 21

Sep 7, 2017, 3:22:40 AM
to Ansible Project
Thanks to all,

I wasn't searching for the authorized_key module, but as Dick said, check is the option I prefer.
Also thanks for the hint about authorized_keys - I still found some servers where users had added their key to that file.

regards
Stefan


