Ansible – Adding SSH Keys with AuthorizedKeysFile Set

ansiblessh

How can I get Ansible to populate the correct file when my /etc/ssh/sshd_config has AuthorizedKeysFile set to /etc/ssh/authorized_keys/%u? Ansible seems to ignore the setting and places keys in $HOME/.ssh/authorized_keys

playbook:

---
- hosts: all
  vars:
  vars_files:
    - ../group_vars/ssh_root_authorized_keys.yml
  gather_facts: false

  tasks:
    - name: Set up multiple authorized keys
      authorized_key:
        user: root
        state: present
        key: '{{ item.key }}'
      with_items: "{{ root_auth_keys }}"

ssh_root_authorized_keys.yml

root_auth_keys:
  - name: backup@host
    key : "{{ lookup('file', '../group_vars/pubkeys/[email protected]') }}"

  - name: nagios@host
    key : "{{ lookup('file', '../group_vars/pubkeys/[email protected]') }}"

Best Answer

From the documentation:

path: Alternate path to the authorized_keys file

  tasks:
    - name: Set up multiple authorized keys
      authorized_key:
        user: root
        state: present
        key: '{{ item.key }}'
        path: '/etc/ssh/authorized_keys/root'
      with_items: "{{ root_auth_keys }}"

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Ssh – Any reason sshd_config can not be set to an authorized_keys file not in home

First of all, in such conditions I always try to have my logs maxed by starting custom undaemonized sshd:

sshd -d -p 11122 -f /new/config/file

And trying connecting to it:

ssh -v -p 11122 this.host

This makes your current configuration safe and gives you all info about how connection was established.

And now comes a wild guess. sshd will require keyfiles to be:

Reachable and readable by server.
Writable only by user. And this means all folders (/var, /var/lib, and so on) should not be writable by any user or group besides root, wheel, and user that logs in.

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Ssh – Any reason sshd_config can not be set to an authorized_keys file not in home

Related Topic