Linux – How to remember/cache or specify private key passphrase for Ansible

ansibleconfiguration-managementlinuxredhatssh

Just starting out with Ansible, I have set up an Asible user on the client machine and created a set of keys from OpenSSL. I am running Ansible under my own account. I have specified the user and private key file in the Ansible configuration. I want the remote commands to run as this user and this user to sudo to do commands requiring elevation.

/etc/ansible/ansible.cfg

private_key_file = /etc/ansible/pka/confman.crt
remote_user = confman

Commands such as this do not ask for passphrases after initial entry of passphrase:

ansible all -m ping

The following prompt for a passphrase every time I run them:

ansible all -m ping -b
Enter passphrase for key '/etc/ansible/private_keys/confman.crt':
(success)

ansible all -m ping --sudo
Enter passphrase for key '/etc/ansible/private_keys/confman.crt':
(success)

ansible all -a "cat /etc/redhat-release"
Enter passphrase for key '/etc/ansible/private_keys/confman.crt':
(success)

Why?

Is there any way to set the passphrase? Is there a more secure way? I plan to run ansible remotely and via cron and via other automation tools where entering a passphrase is not an option.

As context, I have never needed to SSH between Linux servers, always from a Windows machine using tools such as putty, RoyalTS and mRemoteNG so my ssh knowledge is… sparse. I assume I am missing something obvious.

Best Answer

The feature is called ssh-agent:

$ eval `ssh-agent`  # you might have agent already running so this might not be needed
$ ssh-add /etc/ansible/private_keys/confman.crt

now ansible should be able to find the key in agent and authenticate without asking for passphrase every time. From: Documentation: Your first commands

Related Solutions

SSH – How to Change Private Key Passphrase

To change the passphrase on your default key:

$ ssh-keygen -p

If you need to specify a key, pass the -f option:

$ ssh-keygen -p -f ~/.ssh/id_dsa

then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa if you have an RSA key.)

More details from man ssh-keygen:

[...]
SYNOPSIS
    ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
               [-f output_keyfile]
    ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
[...]
     -f filename
             Specifies the filename of the key file.
[...]
     -N new_passphrase
             Provides the new passphrase.

     -P passphrase
             Provides the (old) passphrase.

     -p      Requests changing the passphrase of a private key file instead of
             creating a new private key.  The program will prompt for the file
             containing the private key, for the old passphrase, and twice for
             the new passphrase.
[...]

Git for Windows – How to Tell Git Where to Find Private RSA Key

For Git Bash

If you are running msysgit (I am assuming you are) and are looking to run Git Bash (I recommend it over TortoiseGit, but I lean to the CLI more than GUI now), you need to figure out what your home directory is for Git Bash by starting it then type pwd (On Windows 7, it will be something like C:\Users\phsr I think). While you're in Git Bash, you should mkdir .ssh.

After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME\.ssh\id_rsa. After you have the key at that location, Git Bash will recognize the key and use it.

Note: Comments indicate that this doesn't work in all cases. You may need to copy the OpenSSH key to Program Files\Git\.ssh\id_rsa (or Program Files (x86)\Git\.ssh\id_rsa).

For TortoiseGit

When using TortoiseGit, you need to set the SSH key via pacey's directions. You need to do that for every repository you are using TortoiseGit with.