1 vote

Scenario:

Based on the [clients] section of the hosts file do the following:

  1. Check if the SSH login of user "foo" fails and if yes
  2. Add SSH keys for user "foo" using authorized_key module
  3. Assuming that user "foo" already exists on remote machine and SSH public key has already been created on the local (ansible) host

I am aware of this solution using the Ansible command line, but I would like to be able to put this into a playbook. It's acceptable to make the script interactive, with the user typing in a password, including for sudo.

Right now I figured out how to do what I want using the third-party role GROG.authorized-key, but it still requires me to run the playbook with the -K switch. Is there something in Ansible (besides command line switches) that would only prompt for the password if it is needed?

- hosts: clients
  vars:
    authorized_key_list:
      - name: pdo
        authorized_keys:
         - key: "{{ lookup('file', '/home/pdo/.ssh/id_rsa.pub') }}"
           state: present
  roles:
    - { role: GROG.authorized-key }
Comments:

- authorized_key does not have a password parameter. What should the password be good for? Maybe I can help you then. – flxPeters
- I need to prompt the user for a password so "authorized_key" can do its job. I also don't want to use ask-pass as a command line parameter. – Bostone
- Ok, so you need user or sudo privileges? Try the become and become_user options. – flxPeters
- If I do "become" will it prompt me for the root password? Looks like I'm stuck with the command line "ask-pass" and "ask-become-pass" switches, something I would like to avoid. – Bostone

2 Answers

1 vote

I think based on your comments this should work:

- hosts: clients
  become: true
  tasks: 
  - name: Add authorized_key to pdo user on the remote client machine(s)
    authorized_key: user=foo key="{{ lookup('file', '/home/pdo/.ssh/id_rsa.pub') }}"

Call it with -K to get the become password question. This will run a sudo command on the remote machine. That's what you need, isn't it?

0 votes

Special kudos to GROG who helped me to understand what I was doing wrong.

Basically I was trying to do a root job while running the Ansible playbook as a non-root user. I ended up creating the following bootstrap.yml and running it with this command:

ansible-playbook ./bootstrap.yml -u root -k

This runs my playbook as root, prompting for the root password, and it was able to create the user and establish sudo and passwordless access.

---
# file: bootstrap.yml
# Execute once as root user to create a public key and install it to your client machine(s) using the following command
# ansible-playbook ./bootstrap.yml -u root -k

# This requires you to install GROG.management-user role from the Ansible Galaxy using this command:
# ansible-galaxy install GROG.management-user

# Add pdo user on remote machines
- hosts: all
  tasks:
  - name: Add remote users
    user: name=pdo group=users

# Generate SSH keys on the localhost for the pdo user
- hosts: localhost
  tasks:
  - name: Provision local pdo user
    user: name=pdo generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa

# Install public key into remote machine    
- hosts: all
  vars:
    authorized_key_list:
      - name: pdo
        authorized_keys:
         - key: "{{ lookup('file', '/home/pdo/.ssh/id_rsa.pub') }}"
           state: present
  roles:
    - { role: GROG.authorized-key }

# Add sudo privileges for pdo user
- hosts: all
  roles:
  - { role: GROG.sudo, become: yes }
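As an added example that is not part of the question or either answer: the same bootstrap done with only Ansible's built-in modules (user, authorized_key, copy) instead of the GROG roles, and with a vars_prompt asking for the sudo password inside the playbook instead of the -K switch. It assumes the management user is "pdo", that /home/pdo/.ssh/id_rsa.pub already exists on the control host (as the question states), that the inventory group is "clients", and that sudo is installed on the clients.

```yaml
---
# bootstrap-builtin.yml (added example; not the question's or the answers' code)
# Run once with the root account, or any sudo-capable account, of the clients:
#   ansible-playbook bootstrap-builtin.yml -u root -k
# Assumptions: management user "pdo", /home/pdo/.ssh/id_rsa.pub present on the
# control host, inventory group "clients", sudo installed on the clients.
- hosts: clients
  become: yes
  # vars_prompt replaces -K: the become password is asked for inside the
  # playbook (hidden input) and stored in the variable the sudo plugin reads.
  # The prompt is unconditional; vars_prompt has no per-host "only if needed".
  vars_prompt:
    - name: ansible_become_pass
      prompt: "sudo password for the login account on the clients (empty if root)"
      private: yes
  tasks:
    - name: Create the pdo management user on the clients
      user:
        name: pdo
        group: users
        shell: /bin/bash
        state: present

    - name: Install pdo's public key from the control host
      authorized_key:
        user: pdo
        key: "{{ lookup('file', '/home/pdo/.ssh/id_rsa.pub') }}"
        state: present

    - name: Grant pdo sudo through a validated drop-in instead of editing /etc/sudoers
      copy:
        dest: /etc/sudoers.d/pdo
        # Password-required sudo; "NOPASSWD:" would be the weaker setting, since it
        # turns possession of pdo's private key into root with no second secret.
        content: "pdo ALL=(ALL) ALL\n"
        owner: root
        group: root
        mode: "0440"
        # visudo rejects a syntactically broken file before it is installed,
        # so a typo cannot lock every admin out of sudo on the client.
        validate: /usr/sbin/visudo -cf %s
```

Because the sudoers line keeps the password requirement, later playbook runs as pdo still need a become password, which the same vars_prompt supplies without -K.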