Automating SSH keys with Ansible

I was working with a co-worker to get his SSH key distributed to a large number of systems so we could start managing them with Ansible. For security and logging purposes, we login to the systems with our personal “elevated” account (different from our workstation account), and the elevated accounts are permitted to run “sudo” so their Ansible playbooks can make changes to the system.

Today we were fighting with getting the SSH key generated and distributed to all the systems. I’ve been working in Unix and using SSH for over 20 years, but today we kept making simple typos that kept the keys from working for us. Some of the issues were human error and typos on the command line, others were more subtle involving permissions issues on the files. To help remove this human error, I wrote a two-step playbook to generate an ssh keypair (if they don’t exist), then login to a set of systems and setup that key to permit password-less logins.

Here’s the playbook – named “copykeys.yml” – built to automate the distribution of SSH keys across your environment:

 #!/usr/bin/env ansible-playbook
 ---
 - name: "Create and upload SSH keys"
   hosts: all
   gather_facts: false

   tasks:
   - name: "Ensure ssh key exists"
     openssh_keypair:
       path: "{{ lookup('env','HOME') + '/.ssh/id_ed25519' }}"
       type: ed25519
     delegate_to: localhost
     run_once: true

   - name: "Copy user ssh keys"
     authorized_key:
       user: "{{ lookup('env', 'USER') }}"
       state: present
       key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_ed25519.pub') }}" 

This playbook first creates an “ed25519” SSH key if it does not exist on the machine the script is run on (the “delegate_to” argument), and once the SSH key is created the public key is distributed to each of the systems the playbook runs against.

To use this, simply call the playbook with either an inventory file (‘-i inventory.ini’) or with a command-line inventory list (‘-i server1,server2,server3’). Here is the command to run:

ansible-playbook copykeys.yml --ask-pass -i server1,server2,server3 

Assuming your username and password are accepted by all the servers in the inventory, the public portion of your SSH key will be installed on each of the machines.

You can then test this by performing an Ansible “ping” to validate communication works without the “–ask-pass” option:

ansible all -m ping -i server1,server2,server3

The nice thing about Ansible is that it is easy to debug if you break down the communications and realize that all communications between nodes is using basic SSH. If you’re having communication problems, a simple “ssh servername” from the server you’re running Ansible from will often show if the error is communications based.

If this does not work, review the output that Ansible provides (you might have to add “-vvv” to increase the verbosity level for debugging). In nearly all cases the errors are common SSH error messages, not Ansible error messages. Any modern Unix administrator has probably encountered these errors before and is aware of what the underlying issue is that is breaking the SSH connectivity.

Dual use laptop…

Tails – The Amnesic Incognito Live System – is a live operating system that you can start on almost any computer from a USB stick or a DVD. Website: https://tails.boum.org/

A couple years ago my personal laptop was dying, so when I got to work early and sat at the local coffee shop I tried to use my companies laptop. Unfortunately, some of the sites I liked to read were considered “hacker” sites and my companies software blocked that. I had use bootable USB drives running various versions of Linux, but many of them would automatically try to use the local drive and possibly write data to the hard drive. I then came across Tails.

What got me interested in Tails was the fact that it fit on a small USB drive, and everything that you saved to that drive (and only that drive) was encrypted automatically. The Internet communications was also equally encrypted; it uses the TOR network (https://www.torproject.org/) along with a TOR-enabled Firefox browser to hide the traffic from prying eyes on the local network. With all this together, I could install Tails to a small (8GB or 16GB USB stick) and boot my companies laptop from there and not worry about my personal data being saved, or from my company laptop snooping on my private emails and communications.

The Tails system will let you connect to your coffee shop WiFi, but it won’t let you start browsing the web (or logging into your bank or email site) until it has fully connected into the TOR network. The TOR network encrypts all your communications through multiple computers on the Internet – many times the last computer (the “exit node”) is in a different country. (This makes for a wild multi-lingual experience trying to navigate a popular site if they attempt to use your “local” language.)

With Tails I could now use my work laptop but boot into Tails and securely take care of personal tasks (banking, email, medical, etc) without worrying about my companies computer or their filters blocking or breaking some of these sites.

Give Tails a shot if you want to have a simple to use and very secure web browsing experience that won’t mess with your regularly installed operating system.