calidaedev.authorized_keys

Authorized Keys
=========

This section explains how to manage SSH authorized keys using the authorized_key Ansible module.

Role Variables


Default Variables:

authorized_keys_present: {root: []}
authorized_keys_banned: []
authorized_keys_exclusive: {}

  • authorized_keys_present: This variable defines which SSH keys are authorized for each user on all hosts. By default, it includes the root user without any keys.

  • authorized_keys_banned: Use this variable to delete certain authorized keys for any user listed in authorized_keys_present. This is helpful for removing keys that have been compromised or are no longer valid. By default, it will remove keys listed here for the root user.

  • authorized_keys_exclusive: This offers detailed control. It installs specified keys and removes any extra keys found on the server, ensuring consistent access control. If this list is empty, it will not remove any keys for that user to prevent loss of SSH access.
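As an added illustration (not the role's own tasks file), the three variables above map onto the ansible.posix.authorized_key module roughly like this; the task names, loop expressions and the hypothetical myorg.authorized_keys path are assumptions, and the empty-list safety rule for authorized_keys_exclusive is enforced by the `when` condition:

```yaml
# roles/myorg.authorized_keys/tasks/main.yml (illustration, assumes ansible.posix is installed)
- name: Install keys listed in authorized_keys_present
  ansible.posix.authorized_key:
    user: "{{ item.0.key }}"
    key: "{{ item.1 }}"
    state: present
  # dict2items + subelements yields one (user, key) pair per key
  loop: "{{ authorized_keys_present | dict2items | subelements('value') }}"
  loop_control:
    label: "{{ item.0.key }}"   # keep full public keys out of the run log

- name: Remove banned keys from every user managed via authorized_keys_present
  ansible.posix.authorized_key:
    user: "{{ item.0 }}"
    key: "{{ item.1 }}"
    state: absent
  # product() pairs each managed user with each banned key
  loop: "{{ (authorized_keys_present | list) | product(authorized_keys_banned) | list }}"
  loop_control:
    label: "{{ item.0 }}"

- name: Enforce exact key sets from authorized_keys_exclusive
  ansible.posix.authorized_key:
    user: "{{ item.key }}"
    # exclusive mode takes several keys as one newline-separated string
    key: "{{ item.value | join('\n') }}"
    state: present
    exclusive: true
  loop: "{{ authorized_keys_exclusive | dict2items }}"
  loop_control:
    label: "{{ item.key }}"
  # an empty list means "do not touch this user", so never run exclusive mode for it
  when: item.value | length > 0
```

Run it first with --check --diff, as the examples below do, so that the keys about to be removed are visible before any authorized_keys file is rewritten.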

Example Playbook


Basic Example:

# example.yml

- hosts: web_servers
  roles:
    - calidae.authorized_keys
  vars:
    authorized_keys_present:
      root:
        - '{{ lookup("file", "public_keys/alice") }}'
      ubuntu:
        - '{{ lookup("file", "public_keys/alice") }}'
        - '{{ lookup("file", "public_keys/beth") }}'
    authorized_keys_banned:
      - '{{ lookup("file", "public_keys/alice_old") }}'
      - '{{ lookup("file", "public_keys/claire") }}'
      - 'ssh-rsa AAAAB3Nza..(some bytes elided)..bCRkh7ReBbpx daisy@office'

- hosts: db_servers
  roles:
    - calidae.authorized_keys
  vars:
    authorized_keys_exclusive:
      root:
        - '{{ lookup("file", "public_keys/alice") }}'
        - '{{ lookup("file", "public_keys/emilie") }}'
      ubuntu: [] # This means no changes to keys for the ubuntu user!

Run the playbook with:

ansible-playbook example.yml --diff --check

Advanced Example:

Store your public keys in a specific folder of a custom role that uses calidae.authorized_keys. Set authorized_keys_banned as a role variable (in vars/, not defaults/) so that it takes precedence over inventory variables and cannot be overridden accidentally. Choose between authorized_keys_present and authorized_keys_exclusive to manage keys according to the requirements of each host group.

# roles/myorg.authorized_keys/meta/main.yml
dependencies:
  - calidae.authorized_keys

# roles/myorg.authorized_keys/vars/main.yml
alice: '{{ lookup("file", "public_keys/alice") }}'
beth: '{{ lookup("file", "public_keys/beth") }}'
claire: '{{ lookup("file", "public_keys/claire") }}'
daisy: 'ssh-rsa AAAAB3Nza..(some bytes elided)..bCRkh7ReBbpx daisy@office'
emilie: '{{ lookup("file", "public_keys/emilie") }}'
authorized_keys_banned:
  - '{{ daisy }}'

# group_vars/web_servers.yml
authorized_keys_present:
  root:
    - '{{ alice }}'
  ubuntu:
    - '{{ beth }}'
    - '{{ claire }}'

# group_vars/sftp.yml
authorized_keys_present:
  root:
    - '{{ alice }}'
    - '{{ emilie }}'
  customer:
    - 'ssh-rsa AAAAB3Nza..(some bytes elided)..t1F0Q5Y2AN customer@somesystem'

# group_vars/db_servers.yml
authorized_keys_exclusive:
  root:
    - '{{ alice }}'

# plays/site.yml
- hosts: all
  roles:
    - myorg.authorized_keys

Run the playbook with:

ansible-playbook plays/site.yml

License


BSD

Author Information


Calidae https://www.calidae.com

Project information

Manage ssh authorized keys

Install
ansible-galaxy install calidaedev.authorized_keys
License
Unknown
Downloads
9.4k
Owner
Calidae Digital Craftsmanship