I’d like to know what the best practice is for achieving passwordless logins BETWEEN ansible managed hosts.
I have wrapped the user module with a playbook that creates sudo privileged users.
The authorized_keys module can be used to populate ~/.ssh/authorized_keys, but I need the same for ~/.ssh/known_hosts.
My use case is creating a hadoop cluster. To issue map-reduce jobs, the master node must have passwordless ssh login access to the slaves.
I want to be able to spin up and tear down spot clusters so this must be automated.
Here is the rough work I've been working on. Currently I pass in 'user' and 'pwd' via --extra-vars, but will likely switch to vars_prompt or something with pycrypto salting for production.
More complete gist: https://gist.github.com/darKoram/7235534
    - hosts: all
      sudo: true
      tasks:
        - name: Make sure the user {{user}} exists
          user: name=ansibler groups=sudo generate_ssh_key=yes shell=/bin/bash
          tags: ansibler

        - name: Make sure the 'ansibler' RSA SSH key is installed
          authorized_key: user={{user}} key="{{ lookup('file', 'ansible_rsa.pub') }}"
          tags: ansibler

        # Folded block scalar so the sed backslashes are not treated as YAML escapes
        - name: Make sure sudoers contains NOPASSWD for sudo group
          shell: >-
            creates=/etc/sudoers.bak chdir=/etc
            cp sudoers sudoers.bak && sed -ri -e 's/(%sudo\s+ALL=\(ALL:ALL\))\s+ALL/\1 NOPASSWD: ALL/' /etc/sudoers
          #TODO replace this with proper visudo as in lynx-ansible/playbooks/utils/sudo_adduser.yml

        - name: In case generate_ssh_key fails, do it manually
          shell: creates=/home/{{user}}/.ssh/id_rsa ssh-keygen -f /home/{{user}}/.ssh/id_rsa -t rsa -N ''

        # sshpass method
        # http://stackoverflow.com/questions/12202587/ssh-script-that-automatically-enters-password

        - name: Copy the user pwds to hosts
          copy: content={{pwd}} dest="/home/{{user}}/.ssh/{{user}}_pwd"

        - name: Use sshpass to distribute keys
          shell: sshpass -f /home/{{user}}/.ssh/{{user}}_pwd ssh -o StrictHostKeyChecking=no {{user}}@{{item}}
          with_items: groups['all']
          # This hangs forever
          #TODO This should work, but does not
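Since the open question is how to populate ~/.ssh/known_hosts rather than switch off host checking with StrictHostKeyChecking=no, here is an added example (mine, not the poster's or the gist's code) that reads each node's host public key over the already-authenticated Ansible connection and pins it on the master, then authorizes the master's key on the slaves. It assumes inventory groups hadoop_master and hadoop_slaves, a 'user' variable, an ed25519 host key on every node, Ansible 1.9 or newer for the known_hosts module, and 'become' in place of the old 'sudo' keyword.

```yaml
# Added example; assumed names: groups hadoop_master / hadoop_slaves, variable 'user'.
- name: Collect each node's SSH host public key over the existing Ansible connection
  hosts: hadoop_master:hadoop_slaves
  tasks:
    - name: Read the key sshd presents (no ssh-keyscan, so nothing is trusted blindly)
      slurp:
        src: /etc/ssh/ssh_host_ed25519_key.pub   # assumption: ed25519 host key exists
      register: host_pubkey

    - name: Keep it as a plain string fact so later plays can read it via hostvars
      set_fact:
        ssh_host_pubkey: "{{ host_pubkey.content | b64decode | trim }}"

- name: Let the master log in to every slave without prompts
  hosts: hadoop_master
  become: true
  tasks:
    - name: Make sure the user exists and has a key pair
      user:
        name: "{{ user }}"
        generate_ssh_key: yes
        ssh_key_type: ed25519
      register: master_user

    # 'name' must be the exact name Hadoop's slaves file uses to reach the node,
    # otherwise ssh will not match the pinned entry.
    - name: Pin each slave's host key in the master's known_hosts
      known_hosts:
        path: "/home/{{ user }}/.ssh/known_hosts"
        name: "{{ item }}"
        key: "{{ item }} {{ hostvars[item].ssh_host_pubkey }}"
        state: present
      with_items: "{{ groups['hadoop_slaves'] }}"

    - name: The module may create the file as root, so hand it to the user
      file:
        path: "/home/{{ user }}/.ssh/known_hosts"
        owner: "{{ user }}"
        group: "{{ user }}"
        mode: "0644"

- name: Authorize the master's public key on every slave
  hosts: hadoop_slaves
  become: true
  tasks:
    - name: Install the master's public key (returned by the user module) for the user
      authorized_key:
        user: "{{ user }}"
        key: "{{ hostvars[groups['hadoop_master'][0]].master_user.ssh_public_key }}"
```

Because the host keys travel over the Ansible connection that already authenticated the nodes, StrictHostKeyChecking can stay at its default and the sshpass step is no longer needed.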