To answer your follow-up question: if you create your SSH keypair without a password, then you will not need to enter a password to connect to the servers.
You would add the pubkey to ~/.ssh/authorized_keys according to this paragraph:
Key Access Limits
As an optional step to limit usage of the public key for access to any servers, a from statement can be used before public key entries in the ~/.ssh/authorized_keys file on the servers to limit where the client system is permitted to access the server from. Without a from limit, any client system with the appropriate private key data will be able to connect to the server from anywhere. If the keypair should only work when the client system is connecting from a host under example.org, set from="*.example.org" before the public key data.
server$ cat ~/.ssh/authorized_keys
from="*.example.org" ssh-rsa AAAAB3NzaC1…
In the "from" you would put your local interface IP address(es). Using that, together with an SSH key without a password (which is not best practice, but will work fine for most systems), will accomplish what you are looking for.
Don't use a password. Generate a passphrase-less SSH key and push it to your VM.
If you already have an SSH key, you can skip this step…
Just hit Enter for the key file location and for both passphrase prompts:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your keys to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with "ssh 'id@server'", and check in:
  .ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Note: If you don't have a .ssh directory and an authorized_keys file, you need to create them first.
Finally, check that you can log in:
$ ssh id@server
id@server:~$
You may also want to look into using ssh-agent if you want to keep your keys protected with a passphrase.
Best Answer
As suggested above, Ansible can handle this more elegantly with the "--become --become-method=sudo --ask-become-password" options. However, you can, for example, put this in a file called /etc/sudoers.d/puppet (assuming your remote user is called puppet -- the naming is optional but it helps me keep things straight):
This removes the need to type a password and the need for a tty.
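The answer's own sudoers.d file is not shown on the page, so the following is an added example of the kind of drop-in it describes, not the answer's file: a fragment that removes the password prompt and the tty requirement for one user, written to a dot-prefixed temporary name that sudo's #includedir ignores, syntax-checked with visudo -cf and only then renamed into place. The user name "puppet" follows the answer; the command list and the target directory are assumptions. Two points a practitioner would want: sudo skips fragment files whose name contains a "." or ends in "~", so the final name must be plain, and NOPASSWD: ALL is the broadest possible grant; narrow the command list to what the automation actually runs.

```shell
#!/bin/sh
# Added example, not the answer's own drop-in (which the page does not show):
# generate a sudoers.d fragment for an automation user, check it with visudo
# and only then move it into place. "puppet" follows the answer; the command
# list and target directory are assumptions for the demonstration.
set -eu

# Print the drop-in for user $1. $2 is the command list (default ALL; narrow
# it to the binaries the user really needs). The Defaults line disables
# requiretty for that user only, which is what lets a non-interactive
# "ssh host sudo ..." work on distributions that set requiretty globally.
sudoers_dropin() {
    user=$1
    cmds=${2:-ALL}
    printf 'Defaults:%s !requiretty\n%s ALL=(ALL) NOPASSWD: %s\n' "$user" "$user" "$cmds"
}

# Install the fragment for user $1 into directory $2 (/etc/sudoers.d in real
# use, which needs root). The temp name starts with a dot, which sudo's
# #includedir skips, so a half-written file is never parsed; visudo -cf
# rejects syntax errors before the rename; mode 0440 because sudo ignores
# fragments that are writable by anyone else.
install_dropin() {
    user=$1
    dir=$2
    cmds=${3:-ALL}
    tmp=$(mktemp "$dir/.$user.XXXXXX")
    sudoers_dropin "$user" "$cmds" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -cf "$tmp" >/dev/null 2>&1; then
            rm -f "$tmp"
            echo "sudoers syntax check failed; nothing installed" >&2
            return 1
        fi
    fi
    mv "$tmp" "$dir/$user"
}

# Show the fragment the answer refers to. To install it for real, run
# install_dropin puppet /etc/sudoers.d as root.
sudoers_dropin puppet
```

After installing, verify from another session before logging out: `sudo -l -U puppet` lists the rule, and `ssh puppet@host sudo -n true` succeeds without a prompt only if both the NOPASSWD and the !requiretty parts took effect.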