Creating and distributing ssh keys

Hi List,

I got this little play to create ssh-keys on one set of machines, register that output and then distribute those keys to each other:

- name: Generate root sshkey
  user: >
    name=root
    generate_ssh_key=yes
    ssh_key_bits=4096
    ssh_key_comment="{{ ec2_id }}.{{ ec2_placement }}"
    ssh_key_type=rsa
  register: rootkeys
  tags: cephkeys

- debug: var=rootkeys
  tags: cephkeys

- name: place pubkeys in authorized_keys
  authorized_key: >
    key="{{ item.ssh_public_key }}"
    state=present
    user=root
  with_items: rootkeys
  tags: cephkeys

Unfortunately, the authorized_key module complains:

TASK: [ceph | place pubkeys in authorized_keys] ******************************* 
fatal: [10.220.226.158] => with_items expects a list or a set
fatal: [10.220.227.224] => with_items expects a list or a set
fatal: [10.220.225.209] => with_items expects a list or a set

FATAL: all hosts have already failed -- aborting

This is what the rootkeys variable looks like:

TASK: [ceph | debug var=rootkeys] ********************************************* 
ok: [10.220.225.209] => {
    "rootkeys": {
        "append": false, 
        "changed": false, 
        "comment": "root", 
        "group": 0, 
        "home": "/root", 
        "invocation": {
            "module_args": "name=root generate_ssh_key=yes ssh_key_bits=4096 ssh_key_comment=\"i-f8f7371f.eu-west-1a\" ssh_key_type=rsa", 
            "module_name": "user"
        }, 
        "move_home": false, 
        "name": "root", 
        "shell": "/bin/bash", 
        "ssh_fingerprint": "4096 7c:24:02:e2:a9:c3:4a:4b:24:71:cd:7a:61:6d:c0:8e /root/.ssh/id_rsa.pub (RSA)", 
        "ssh_key_file": "/root/.ssh/id_rsa", 
        "ssh_public_key": "ssh-rsa ... i-f8f7371f.eu-west-1a", 
        "state": "present", 
        "uid": 0
    }
}
ok: [10.220.226.158] => {
    "rootkeys": {
        "append": false, 
        "changed": false, 
        "comment": "root", 
        "group": 0, 
        "home": "/root", 
        "invocation": {
            "module_args": "name=root generate_ssh_key=yes ssh_key_bits=4096 ssh_key_comment=\"i-98c5177e.eu-west-1b\" ssh_key_type=rsa", 
            "module_name": "user"
        }, 
        "move_home": false, 
        "name": "root", 
        "shell": "/bin/bash", 
        "ssh_fingerprint": "4096 f2:0d:17:16:71:3c:1d:4d:18:df:10:e8:34:fa:31:cb /root/.ssh/id_rsa.pub (RSA)", 
        "ssh_key_file": "/root/.ssh/id_rsa", 
        "ssh_public_key": "ssh-rsa ... i-98c5177e.eu-west-1b", 
        "state": "present", 
        "uid": 0
    }
}
ok: [10.220.227.224] => {
    "rootkeys": {
        "append": false, 
        "changed": false, 
        "comment": "root", 
        "group": 0, 
        "home": "/root", 
        "invocation": {
            "module_args": "name=root generate_ssh_key=yes ssh_key_bits=4096 ssh_key_comment=\"i-6f3eeb8b.eu-west-1c\" ssh_key_type=rsa", 
            "module_name": "user"
        }, 
        "move_home": false, 
        "name": "root", 
        "shell": "/bin/bash", 
        "ssh_fingerprint": "4096 c4:2a:6e:f6:b4:ca:7d:20:08:29:c2:9c:8a:c9:6c:ee /root/.ssh/id_rsa.pub (RSA)", 
        "ssh_key_file": "/root/.ssh/id_rsa", 
        "ssh_public_key": "ssh-rsa ... i-6f3eeb8b.eu-west-1c", 
        "state": "present", 
        "uid": 0
    }
}

Thanks!
Mark

Just to clarify:

I want to create keys on three servers, and then distribute those keys amongst those same three servers.
These servers will be deleted and created every day, and I want the keys to be new every day as well :wink:

The public keys are there, they are available as variables, I just need a way to reference all three of them for each server in turn. (I do not mind that server “a” would receive its own public key in authorized_keys as well)

Thanks,
Mark

Why not generate the keys on the box you’re running Ansible from and then simply set them up on those three servers with http://docs.ansible.com/authorized_key_module.html ?

I’d love to, but I’m getting this message:

fatal: [10.220.226.158] => with_items expects a list or a set
fatal: [10.220.227.224] => with_items expects a list or a set
fatal: [10.220.225.209] => with_items expects a list or a set

as I see it, based on your input, you have two problems:

  1. you’re creating the users and generating unique keys on each of the target hosts
  2. you’re trying to iterate through the ‘rootkeys’ in a way that will never work for the key parameter.

So, I’d use ‘delegate_to: localhost’ on the user task, then on the authorized_keys task, in the ‘with_items’ you would use rootkeys.ssh_public_key to access the keys.

as I see it, based on your input, you have two problems:

  1. you’re creating the users and generating unique keys on each of the target hosts

Correct, and that’s what I’m trying to get.

  2. you’re trying to iterate through the ‘rootkeys’ in a way that will never work for the key parameter.

Ah yes, something that is recurring with ansible for me :wink: it’s not always clear how to reference variables, sometimes with value.something, other times with set.something, with_dict, with_flattened, etc. Not very clear…
No matter, just learning I guess, but the variables with the correct data are obviously there, I just need the correct syntax I would think?

So, I’d use ‘delegate_to: localhost’ on the user task, then on the authorized_keys task, in the ‘with_items’ you would use rootkeys.ssh_public_key to access the keys.

But then all the keys would be the same right? Not what I would want in this case.

AAAH! Of course!

I need to reference the hostvars again!

Thanks!

Djeez, of all things ansible, the different ways of creating and referencing variables is by far the one I struggle with the most :wink:

Thanks!
Mark
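
One way to write the hostvars lookup the thread ends on, as an added example that is not code from any poster: each host's registered `rootkeys` is a dict, so the loop runs over host names and reads every peer's result through `hostvars`. The `key_options` line and the `ansible_default_ipv4` fact it uses are assumptions added here (they need gathered facts and peers that connect from that address); `ansible_play_hosts` and `loop` assume a current Ansible release.

```yaml
# Added example, not from the thread.
- name: Generate root sshkey
  user:
    name: root
    generate_ssh_key: yes
    ssh_key_bits: 4096
    ssh_key_type: rsa
    ssh_key_comment: "{{ ec2_id }}.{{ ec2_placement }}"
  register: rootkeys          # per-host dict, not a list
  tags: cephkeys

# Loop over the hosts in the play and pull each peer's public key out of
# hostvars; every host (including itself) ends up in every authorized_keys.
- name: place every peer's pubkey in authorized_keys
  authorized_key:
    user: root
    state: present
    key: "{{ hostvars[item].rootkeys.ssh_public_key }}"
    # Assumption: restrict each root key to the peer's own address so a
    # copied private key is not usable from elsewhere. Drop this line if
    # peers reach each other from a different address.
    key_options: 'from="{{ hostvars[item].ansible_default_ipv4.address }}"'
  loop: "{{ ansible_play_hosts }}"
  tags: cephkeys
```

Both tasks must run in the same play against all three hosts; with `--limit` on a single host the other peers' `rootkeys` are not registered and the lookup fails.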