Does anybody know what will be the best approach to read and validate a remote file's content?
Background: I'm managing Linux servers with Ansible and have to validate on hundreds of Linux servers whether any user with sudo permission has changed the content of /root/.ssh/authorized_keys2.
There shouldn't be any other public keys inside, just the two which are known and are allowed to log in as root.
I haven't created a playbook yet because I don't know which way/module will be best. Is there any option like using a "negotiate" lineinfile operation, or maybe using shell/fetch and doing a diff against a template authorized_keys2 file?
As said, the authorized_key module is a good approach.
I wouldn't use a vault because they're public keys, which are, well, public.
And from what you tell, you should probably use the 'exclusive' parameter.
And finally, use '--check' to only get a report on which hosts have their authorized_keys2 file changed.
BTW, the default file is authorized_keys, so you'd have to configure a custom 'path' parameter as well.
Note that depending on your sshd configuration, people might have left authorized_keys2 intact and added an authorized_keys file.
So I think you should also take that into account, but this probably requires some more logic.
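A playbook along the lines Dick describes, as an added example that is not from the thread: the two key values are placeholders, and enforcing the same key set in the default authorized_keys file (rather than only in authorized_keys2) is an assumption.

```yaml
# Added example, not from the thread. Reports drift in root's authorized key
# files without touching them when run read-only:
#   ansible-playbook -i inventory root_keys_audit.yml --check
# Every host reported as "changed" has keys added or missing; run the same
# playbook without --check to restore the known-good set.
- name: Audit root SSH keys on all servers
  hosts: all
  become: true
  vars:
    # Placeholder values: substitute the two real public keys.
    allowed_root_keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_KEY_1 admin1@example"
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER_KEY_2 admin2@example"
  tasks:
    - name: authorized_keys2 must contain exactly the allowed keys
      ansible.posix.authorized_key:
        user: root
        path: /root/.ssh/authorized_keys2
        manage_dir: false
        # With 'exclusive', all keys must be passed in one newline-separated
        # string; looping over keys would leave only the last one in place.
        key: |
          {{ allowed_root_keys | join('\n') }}
        exclusive: true
        state: present

    # Assumption: the default authorized_keys file (sshd's usual default)
    # is held to the same two keys so a key added there is reported too.
    - name: authorized_keys must not carry extra keys either
      ansible.posix.authorized_key:
        user: root
        key: |
          {{ allowed_root_keys | join('\n') }}
        exclusive: true
        state: present
```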
I wasn't searching for the authorized_key module, but as Dick said, --check is the option I prefer.
Also, thanks for the hint about authorized_keys; I still found some servers where users added their key to that file.