I'm trying to re-generate ssh host keys on a handful of remote servers via ansible (and ssh-keygen
), but the files don't seem to be showing up. The playbook runs OK, but the files on the remote are not altered.
I need to resort to the echo -e
hackery since these remotes are running Ubuntu 14.04 and haven't the correct version of the python-pexpect
available (according to ansible).
What am I missing? My playbook and output are below:
playbook
---
- hosts: all
become: true
gather_facts: false
tasks:
- name: Generate /etc/ssh/ RSA host key
command : echo -e 'y\n'|ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""
register: output
- debug: var=output.stdout_lines
- name: Generate /etc/ssh/ DSA host key
command : echo -e 'y\n'|ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C "" -N ""
register: output
- debug: var=output.stdout_lines
- name: Generate /etc/ssh/ ECDSA host key
command : echo -e 'y\n'|ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C "" -N ""
register: output
- debug: var=output.stdout_lines
output
$ ansible-playbook ./playbooks/ssh-hostkeys.yml -l myhost.mydom.com,
SUDO password:
PLAY [all] **********************************************************************************************
TASK [Generate /etc/ssh/ RSA host key] ******************************************************************
changed: [myhost.mydom.com]
TASK [debug] ********************************************************************************************
ok: [myhost.mydom.com] => {
"output.stdout_lines": [
"y",
"|ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C -N "
]
}
TASK [Generate /etc/ssh/ DSA host key] ******************************************************************
changed: [myhost.mydom.com]
TASK [debug] ********************************************************************************************
ok: [myhost.mydom.com] => {
"output.stdout_lines": [
"y",
"|ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C -N "
]
}
TASK [Generate /etc/ssh/ ECDSA host key] ****************************************************************
changed: [myhost.mydom.com]
TASK [debug] ********************************************************************************************
ok: [myhost.mydom.com] => {
"output.stdout_lines": [
"y",
"|ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C -N "
]
}
PLAY RECAP **********************************************************************************************
myhost.mydom.com : ok=6 changed=3 unreachable=0 failed=0
Best Answer
As far as I know the only reason why you would need to pipe a 'y' to ssh-keygen, is if your command is replacing an existing file. In my opinion this is not a good way to do something from a configuration management tool.
You should adjust your tasks to make them idempotent. Specifically if you add the
creates: filename
to your command, then the new keys will only be created when they don't already exist, instead of being replaced each time you run that playbook.If for some reason you wanted to replace those keys for example if they were too old or something you might want to add another task to remove them. Here is a simple delete
If you wanted to delete files generated before a certain time, you could use the stat module to retrieve details about this files, and setup
when
conditions to selectively remove them if they were older then a certain date or something.