automated SSH key distribution to known_hosts

I'd like to know what the best practice is for achieving passwordless logins BETWEEN Ansible-managed hosts.
I have wrapped the user module with a playbook that creates sudo-privileged users.
The authorized_key module can be used to populate ~/.ssh/authorized_keys, but I need the same for ~/.ssh/known_hosts.

My use case is creating a Hadoop cluster. To issue map-reduce jobs, the master node must have passwordless SSH login access to the slaves.
I want to be able to spin up and tear down spot clusters, so this must be automated.

Here is the rough work I've been working on. Currently I pass in 'user' and 'pwd' via --extra-vars, but will likely switch to vars_prompt or something with pycrypto salting for production.
More complete gist: ssh password strategy for populating known_hosts so remote hosts can access each other. This assumes we already have an ansible controller with passwordless login from it to each remote host. We are trying to add passwordless logins BETWEEN the remote hosts.

    - hosts: all
      become: true
      tasks:

      - name: Make sure the user {{user}} exists
        user: name={{user}} groups=sudo generate_ssh_key=yes shell=/bin/bash
        tags: ansibler

      - name: Make sure the 'ansibler' RSA SSH key is installed
        authorized_key: user={{user}} key="{{ lookup('file', 'ansible_rsa.pub') }}"
        tags: ansibler

      - name: Make sure sudoers contains NOPASSWD for sudo group
        # folded scalar: the sed expression contains ': ' and backslashes,
        # which a double-quoted YAML string would choke on
        shell: >-
          cp sudoers sudoers.bak &&
          sed -ri -e 's/(%sudo\s+ALL=\(ALL:ALL\))\s+ALL/\1 NOPASSWD: ALL/' /etc/sudoers
        args:
          chdir: /etc
          creates: /etc/sudoers.bak
        #TODO replace this with proper visudo as in lynx-ansible/playbooks/utils/sudo_adduser.yml

      - name: In case generate_ssh_key fails, do it manually
        # run as the target user so the key files are not left owned by root
        become_user: "{{ user }}"
        shell: ssh-keygen -f /home/{{user}}/.ssh/id_rsa -t rsa -N ''
        args:
          creates: /home/{{user}}/.ssh/id_rsa

sshpass method

http://stackoverflow.com/questions/12202587/ssh-script-that-automatically-enters-password

      - name: Copy the user pwds to hosts
        # plaintext password file: restrict it to the user it belongs to
        copy: content="{{pwd}}" dest="/home/{{user}}/.ssh/{{user}}_pwd" owner={{user}} mode=0600

      - name: Use sshpass to distribute keys
        # ssh is given no remote command, so it opens an interactive login shell
        # and never returns
        shell: sshpass -f /home/{{user}}/.ssh/{{user}}_pwd ssh -o StrictHostKeyChecking=no {{user}}@{{item}}
        with_items: "{{ groups['all'] }}"

This hangs forever

#TODO This should work, but does not

I use this to populate /etc/ssh/ssh_known_hosts. This won't scale to thousands, but it works well with a few dozen:

https://github.com/bcoca/ansible-pb/blob/master/known_hosts.yml

Thanks. It works for me.

I had to add the following:

      - name: Set StrictHostKeyChecking no in ~/.ssh/config
        lineinfile: create=yes dest="/home/{{user}}/.ssh/config"
                    regexp=StrictHostKeyChecking
                    line="StrictHostKeyChecking no"
                    owner={{user}}
                    group={{user}}
                    mode=0644
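Both fixes in this thread skip host authentication: `StrictHostKeyChecking no` (in the sshpass loop and again in ~/.ssh/config) accepts whatever host key the far end presents, so anything that answers on a slave's address gets the master's first connection, and an `ssh-keyscan` over the network trusts the same unauthenticated answer. The controller, by the poster's own assumption, already has a verified SSH session to every node, so it can read each node's host key over that channel and pin it on every other node, and the cluster user can then keep strict checking on. The playbook below is an added example written for this thread; it is neither the poster's code nor bcoca's known_hosts.yml. It assumes inventory groups named `master` and `slaves`, a `user` variable naming the Hadoop account, that nodes reach each other by their inventory hostnames, and that every node has an Ed25519 host key at /etc/ssh/ssh_host_ed25519_key.pub (point it at the RSA file on older images).

```yaml
# Added example, not from the thread or from bcoca's known_hosts.yml.
# Assumptions: groups 'master' and 'slaves', variable 'user', inventory
# hostnames resolvable between nodes, Ed25519 host keys on every node.
---
- name: Collect every node's host key over the controller's verified session
  hosts: all
  become: true
  tasks:
    - name: Read the node's own host public key (no network scan, so no TOFU)
      command: cat /etc/ssh/ssh_host_ed25519_key.pub
      register: host_pubkey
      changed_when: false

- name: Pin all cluster host keys on every node
  hosts: all
  become: true
  tasks:
    - name: Add each peer to the system-wide known_hosts
      known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: "{{ item }}"
        # keep only 'type base64'; drop the trailing comment from the .pub file
        key: "{{ item }} {{ hostvars[item].host_pubkey.stdout.split()[:2] | join(' ') }}"
        state: present
      loop: "{{ groups['all'] }}"

    - name: Make sure the cluster user's ~/.ssh exists with safe permissions
      file:
        path: "/home/{{ user }}/.ssh"
        state: directory
        owner: "{{ user }}"
        group: "{{ user }}"
        mode: "0700"

    - name: Refuse unknown host keys instead of auto-accepting them
      lineinfile:
        path: "/home/{{ user }}/.ssh/config"
        create: yes
        owner: "{{ user }}"
        group: "{{ user }}"
        mode: "0600"
        regexp: '^\s*StrictHostKeyChecking'
        line: "StrictHostKeyChecking yes"

- name: Give the master's cluster user a key pair
  hosts: master
  become: true
  tasks:
    - name: Generate the key on the master (the user module returns the public half)
      user:
        name: "{{ user }}"
        generate_ssh_key: yes
        ssh_key_type: ed25519
      register: master_user

- name: Authorize the master's key for the cluster user
  # all nodes, master included, so the same user can also reach the master
  hosts: all
  become: true
  tasks:
    - name: Install the master's public key in authorized_keys
      authorized_key:
        user: "{{ user }}"
        key: "{{ hostvars[groups['master'][0]].master_user.ssh_public_key }}"
```

Because the pinned entries go into /etc/ssh/ssh_known_hosts, which ssh consults by default, nothing needs to be written to the user's own ~/.ssh/known_hosts, and a tear-down and re-spin of the cluster simply reruns the play with the new keys. If the nodes contact each other by IP rather than hostname, put that IP in the `name` field and as `hostname,ip` at the start of `key` so the `known_hosts` module's ssh-keygen lookup matches what ssh will search for.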