Ansible-Powered Day 1 Configuration for Newly Deployed VMs in My Home Lab

Automating Remote Resource Management with Ansible and Public-Key Authentication

As a lazy sysadmin, I rely heavily on tools like Ansible to automate repetitive tasks and make my life easier. One such task is managing remote resources, which can be time-consuming and error-prone if done manually. In this blog post, we’ll explore how to set up a newly deployed VM in our lab environment to be usable by Ansible+public-key authentication.

SSH Public Key Authentication
-----------------------------

Ansible uses SSH to connect to remote resources, and public key authentication is a great way to enhance security and avoid using passwords. When you connect to a remote server using SSH, you need to trust the key provided by the server. It’s essential to check the fingerprint of the key before accepting it, especially in highly secure environments.

To retrieve the fingerprint, you can use the `ssh-keygen -l` command. In cloud instances using cloud-init, the fingerprints of keys generated during instance deployment are commonly available in the console logs, which can help you retrieve them for comparison.

Removing and Adding Keys with Ansible
-------------------------------------

To remove existing keys from the known hosts file and add new ones based on the result of a `ssh-keyscan`, we can use the following Ansible tasks:

```yaml
- name: Remove and add SSH keys
  hosts: all
  gather_facts: false
  tasks:
    # known_hosts belongs to the control node, so both tasks run there
    # (delegate_to: localhost) instead of on the target VM.
    - name: Remove existing keys
      ansible.builtin.shell: "ssh-keygen -R {{ inventory_hostname }} > /dev/null 2>&1"
      delegate_to: localhost

    - name: Add new keys
      # dsa is dropped: current OpenSSH releases reject it as a key type.
      ansible.builtin.shell: "ssh-keyscan -t rsa,ecdsa,ed25519 {{ inventory_hostname }} >> ~/.ssh/known_hosts 2>/dev/null"
      delegate_to: localhost
```

These tasks first remove any existing entries for the target server from the control node's known hosts file with `ssh-keygen -R`, then use `ssh-keyscan` to retrieve the server's current host keys and append them to that file.
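The fingerprint check recommended above, combined with the scan-and-record step, as an added example that is not part of the original post: the scanned key is only written to known_hosts after its fingerprint matches the value taken from the console log. It assumes the expected fingerprint is supplied in the variable `expected_host_key_fingerprint` (placeholder value below) and that known_hosts is managed on the control node.

```yaml
# Added example (not from the original post). Assumptions: the expected
# fingerprint is read from the console log and supplied in the variable
# expected_host_key_fingerprint (placeholder below); known_hosts is edited
# on the control node, so every task is delegated to localhost.
- name: Pin the SSH host key only if its fingerprint matches the console log
  hosts: all
  gather_facts: false   # no SSH connection to the target before its key is pinned
  vars:
    expected_host_key_fingerprint: "SHA256:REPLACE_WITH_FINGERPRINT_FROM_CONSOLE_LOG"
  tasks:
    - name: Scan the ed25519 host key from the control node
      ansible.builtin.command: ssh-keyscan -t ed25519 {{ inventory_hostname }}
      register: scanned_key
      changed_when: false
      delegate_to: localhost

    - name: Compute the fingerprint of the scanned key (ssh-keygen -lf - reads stdin)
      ansible.builtin.command: ssh-keygen -lf -
      args:
        stdin: "{{ scanned_key.stdout }}"
      register: scanned_fingerprint
      changed_when: false
      delegate_to: localhost

    - name: Stop the play for this host if the fingerprint does not match
      ansible.builtin.assert:
        that:
          - expected_host_key_fingerprint in scanned_fingerprint.stdout
        fail_msg: "Host key fingerprint mismatch for {{ inventory_hostname }}: {{ scanned_fingerprint.stdout }}"
        success_msg: "Host key for {{ inventory_hostname }} matches the console log"
      delegate_to: localhost

    - name: Record the verified key in the control node's known_hosts
      ansible.builtin.known_hosts:
        name: "{{ inventory_hostname }}"
        key: "{{ scanned_key.stdout }}"
        state: present
      delegate_to: localhost
```

Run it before any play that connects to the new VM; a host whose fingerprint does not match is failed and never added to known_hosts.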

Authenticating Users with Public Keys
-------------------------------------

We can also use SSH public keys to authenticate users against a server. In cloud instances using cloud-init, it is possible to provide public keys to store on the instance at deployment. In that case, public key authentication is immediately available on the server. If you don’t use a cloud-init based clone or server creation, you can use an Ansible playbook to push keys to the target server.

Here’s a quick explanation of the process:

```yaml
- name: Add user public key to authorized_keys
  hosts: all
  become: true
  tasks:
    - name: Copy public key
      # authorized_key creates ~/.ssh with the correct ownership and mode
      # and adds the key without overwriting entries already present.
      ansible.posix.authorized_key:
        user: ansible
        key: "{{ lookup('file', 'path/to/public_key') }}"
        state: present
```

This task copies the public key from a file to the `authorized_keys` file in the home directory of the Ansible user. Once the key is pushed to the server, you can use it as an authentication mechanism for Ansible instead of passwords.

Disabling Password Expiration and Shell Idle Timeout
----------------------------------------------------

When using a vendor appliance (such as VMware's), you may need to reconfigure the password expiration for the root account. For lab and testing purposes, I fully disable the expiration policy with the following tasks:

```yaml
- name: Disable password expiration
  hosts: all
  become: true
  tasks:
    - name: Read the current password aging settings for root
      ansible.builtin.command: chage -l root
      register: root_aging
      changed_when: false

    - name: Remove the maximum password age for root
      # chage -M -1 clears the maximum age; skipped when it is already cleared
      ansible.builtin.command: chage -M -1 root
      when: root_aging.stdout is not regex('Maximum number of days between password change\s*:\s*-1')
```

This task removes the maximum password age on the root account, so its password no longer expires. Please note that this is not recommended for production environments, as it can increase security risks.

Finally, we can disable the shell idle timeout for the root account using the following task:

```yaml
- name: Disable shell idle timeout
  hosts: all
  become: true
  tasks:
    - name: Set TMOUT=0 in root's bash profile
      # TMOUT=0 turns off bash's idle logout for root only. If the appliance
      # marks TMOUT readonly in /etc/profile.d, that file must be edited instead.
      ansible.builtin.lineinfile:
        path: /root/.bash_profile
        regexp: '^(export )?TMOUT='
        line: "export TMOUT=0"
        create: true
        mode: "0600"
```

This task sets `TMOUT=0` in root's bash profile, which disables the shell idle timeout for the root account.

Conclusion
----------

In this blog post, we explored how to set up a newly deployed VM in our lab environment to be usable by Ansible+public-key authentication. We discussed how to remove and add SSH keys, authenticate users with public keys, disable password expiration, and disable shell idle timeout. Please note that most of the tasks described in this post may affect the security of the target environment, so use them with caution.