I’m working on a possibility to manage different SSH public keys for different servers. I am trying to accomplish that with the most efficient and automated solution. My problem is that I want to look up the files directly with a loop variable. Therefore I use the lookup plugin, logically. But I want the keys I choose to be the only ones in the authorized_keys file on the remote machine. So is there a chance to use the exclusive parameter of the authorized keys module with a loop variable which uses the lookup module?
If you are using 1.9, there is an “exclusive” parameter that I believe does exactly what you want, although it will force you into some extra work if you want multiple allowed keys.
@esco This wouldn’t manage the different users on the remote systems
@Javier It does not do exactly what I want, because the last key in the loop is the one that becomes exclusive, so none of the others will be in the authorized_keys file. I need an option for keeping all keys, and only those which I choose to be the ones.
What about a parameterised role that takes the user name, then you
“copy:” a public key (nested under e.g. your-role/files/home/{{ user }}/.ssh/pubkey) up to /home/{{ user }}/.ssh/authorized_keys.
You can use that sort of role with with_items or similar to provision all the users you want to a given group of hosts pretty easily; there’s no need for lookups, as you already have the file to hand.
I have a server on which this playbook will be executed. There is a directory on this server in which all public keys of all computers in the network will be stored in single key files. I edit a variable which provides a list of the users who will have access with their keys on the assigned servers. And the users in this list should be the only keys in the remote auth_keys file. But there has to be more than one key in every key parameter of the authorized_key module. Since the exclusive parameter uses the last given file in the loop var, I sort of have to stack the keys together in maybe a variable or a file or something. This “stacking” together is my problem; all other problems are solved. I hope that I made my problem more clear.
I think you should take a look at the authorized_keys module again – you can pass multiple keys to a single invocation when using the exclusive option, which will enforce that exactly and only the list of keys you supplied are in the specified authorized_keys file.
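The “stacking” the last answer describes, as an added example (not code posted in the thread): one authorized_key call per remote account, with every selected key file read on the control host via the file lookup and joined into a single newline-separated key string, so exclusive removes everything else in that account’s authorized_keys. The variable names keydir and access, the key-file naming scheme <owner>.pub, and the host group are assumptions for illustration; it assumes a 2.x Ansible for task-level vars.

```yaml
# Added example, not from the original thread.
# Assumptions: keydir holds one public key per file on the control host,
# named <owner>.pub; access maps each remote account to the list of key
# owners allowed to log in as that account.
- hosts: webservers
  vars:
    keydir: /srv/ssh-pubkeys
    access:
      deploy: [alice, bob]
      admin: [alice]
  tasks:
    - name: Install exactly the chosen keys for each remote account
      authorized_key:
        user: '{{ item.key }}'
        # exclusive applies to everything in this account's authorized_keys,
        # so all keys for the account must arrive in this single call.
        exclusive: yes
        # file lookup runs on the control host (where the key files live);
        # wantlist returns one string per file, joined by newlines, which is
        # the multi-key format the module accepts.
        key: '{{ lookup("file", keyfiles, wantlist=True) | join("\n") }}'
      vars:
        # Turn the list of owners into "<keydir>/<owner>.pub" paths.
        keyfiles: >-
          {{ item.value
             | map("regex_replace", "^", keydir ~ "/")
             | map("regex_replace", "$", ".pub")
             | list }}
      with_dict: '{{ access }}'
```

The loop iterates over accounts, not over keys; looping over keys with exclusive set is what produces the “only the last key survives” behaviour mentioned above, because each iteration wipes the file and writes its one key. A missing or misspelled entry in access will lock the corresponding account down to whatever keys remain in the list, so check the rendered key string (for example with a debug task) before running against hosts you only reach over SSH.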