Ssh – ansible ssh connections with two factor auth

ansiblepasswordSecuritysshssh-keys

I'm setting ansible to manage a whole farm of servers. My approach is the following:

Allow a user to connect to all servers protecting his connections with a heavy RSA key, passphrase protected, and user password.

In order to automate as much as possible the process I would like to pass the RSA passphrase and the user password in a vault file or an encrypted string.

When I'm testing (passing the passwords manually) with just a ping to a test server if I set up in client both authentication methods (publickey + user password), I'm prompted for RSA passphrase but no password, and obviously the execution of the playbook fails.

If i just set up user password as authentication method the playbook is executed normally.

If i just set up RSA key with it's passphrase authentication the job does not end, this the output I've had in my screen for at least 30 minutes (time for research, coffee, ..)

PLAY [all] ******************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************
Enter passphrase for key '/home/users/<user_name>/.ssh/id_rsa': 
ok: [<test_server_ip_address>]

TASK [include vars] *********************************************************************************************************************************************************
ok: [<test_server_ip_address>]

TASK [test connection] ******************************************************************************************************************************************************

And anything else.

The playbook that I'm trying to execute is this one

---
- hosts: all
  tasks:
    - name: test connection
      ping:

And the command to execute the playbok the next one:

ansible-playbook -i ansible_hosts/test_hosts.yml playbooks/ping.yml

The content of test_host.yml :

all:
  hosts:
    <test_server_ip_address>

My question is:

Is it possible to set up double factor authentication for ansible? An if yes, can anyone redirect me in the right direction please?

Best Answer

I doubt you can use ssh key's passphrase from Ansible vault, but the general 2-factor workflow is as follows:

On the server side, enable 2-factor Auth with

AuthenticationMethods "publickey,password"

in sshd_config.

On the client side (Ansible):

Setup ssh-agent, add password protected key to agent when connection is required
Define ansible_password in Ansible vault for every host
Run playbook

For Git Bash

If you are running msysgit (I am assuming you are) and are looking to run Git Bash (I recommend it over TortoiseGit, but I lean to the CLI more than GUI now), you need to figure out what your home directory is for Git Bash by starting it then type pwd (On Windows 7, it will be something like C:\Users\phsr I think). While you're in Git Bash, you should mkdir .ssh.

After you have the home directory, and a .ssh folder under that, you want to open PuTTYgen and open the key (.ppk file) you have previously created. Once your key is open, you want to select Conversions -> Export OpenSSH key and save it to HOME\.ssh\id_rsa. After you have the key at that location, Git Bash will recognize the key and use it.

Note: Comments indicate that this doesn't work in all cases. You may need to copy the OpenSSH key to Program Files\Git\.ssh\id_rsa (or Program Files (x86)\Git\.ssh\id_rsa).

For TortoiseGit

When using TortoiseGit, you need to set the SSH key via pacey's directions. You need to do that for every repository you are using TortoiseGit with.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Git for Windows – How to Tell Git Where to Find Private RSA Key

For Git Bash

For TortoiseGit

Ssh – How to automate SSH login with password

Related Topic