znerol.ssh_kba

Role Name


This role sets up SSH public key authentication for communication between machines.

Requirements

You need to have OpenSSH server and client software installed.

Role Variables

This role runs on either the SSH client or the SSH server; specify the other side with ssh_kba_server_hostname (for the server) or ssh_kba_client_hostname (for the client). It is also a good idea to set ssh_kba_server_user and ssh_kba_client_user explicitly instead of relying on the default values.

Note: SSH host keys are gathered from Ansible facts, so make sure to collect them from all machines first.

Variables for the Server

Define the host and user for the server on which the SSH connection will be authenticated:

ssh_kba_server_hostname: "{{ inventory_hostname }}"
ssh_kba_server_user: # Ansible user on the server as per facts.

Variables for the Client

ssh_kba_client_hostname: "{{ inventory_hostname }}"
ssh_kba_client_user: # Ansible user on the client as per facts.

ssh_kba_client_host_fqdn: # Fully Qualified Domain Name of the server as per facts.
ssh_kba_client_host_ip4: # IPv4 address of the server as per facts.
ssh_kba_client_host_ip6: # IPv6 address of the server as per facts.

Variables for the Key Pair

ssh_kba_keypair_type: rsa # Choose from dsa, ecdsa, ed25519, rsa
ssh_kba_keypair_size: # Omit by default
ssh_kba_keypair_comment: "{{ ssh_kba_client_user }}@{{ ssh_kba_client_hostname }}"
ssh_kba_keypair_dir: ~/.ssh
ssh_kba_keypair_name: "id_{{ ssh_kba_keypair_type }}"
ssh_kba_keypair_path: "{{ ssh_kba_keypair_dir }}/{{ ssh_kba_keypair_name }}"
ssh_kba_keypair_owner: "{{ ssh_kba_client_user }}"
ssh_kba_keypair_group: # Omit by default
ssh_kba_keypair_attributes: # Omit by default
ssh_kba_keypair_selevel: # Omit by default
ssh_kba_keypair_serole: # Omit by default
ssh_kba_keypair_setype: # Omit by default
ssh_kba_keypair_seuser: # Omit by default

If ssh_kba_keypair_force is set to yes, the keypair will be recreated.

ssh_kba_keypair_force: # Omit by default

The variable ssh_kba_keypair_pub will be set to the public key part during execution.

Variables for the Server's Authorized Keys File

ssh_kba_keypair_pub: # See key pair section above
ssh_kba_server_authorized_keys_owner: "{{ ssh_kba_server_user }}"
ssh_kba_server_authorized_keys_comment: # Omit by default
ssh_kba_server_authorized_keys_exclusive: # Omit by default
ssh_kba_server_authorized_keys_key_options: # Omit by default
ssh_kba_server_authorized_keys_manage_dir: # Omit by default
ssh_kba_server_authorized_keys_path: # Omit by default

Variables for the Client's Known Hosts File

ssh_kba_client_known_hosts_owner: "{{ ssh_kba_client_user }}"
ssh_kba_client_known_hosts_hash_host: # Omit by default
ssh_kba_client_known_hosts_path: # Omit by default

Facts about the server's FQDN, IPs, and host keys are gathered to include them in the client's known_hosts. You can change this behavior by overriding these variables:

ssh_kba_server_host_fqdn: # FQDN of the server as per facts.
ssh_kba_server_host_ip4: # IPv4 address of the server as per facts.
ssh_kba_server_host_ip6: # IPv6 address of the server as per facts.
ssh_kba_server_host_names: # A list of FQDN and IP addresses.
ssh_kba_server_host_keys: # A list of key pairs (key type and actual host key).

These variables will be used to create a list of host names and keys:

ssh_kba_server_host_names_and_keys: # A list of pairs, each consisting of a hostname (or IP) and the corresponding host key.

Dependencies

None.

Example Playbook

- hosts: server.example.com
  tasks:
    - name: Gather client facts
      delegate_to: client.example.com
      delegate_facts: yes
      setup:

    - name: Key based authentication granted to beta@client.example.com on alpha@server.example.com
      vars:
        ssh_kba_server_user: alpha
        ssh_kba_client_hostname: client.example.com
        ssh_kba_client_user: beta
      import_role:
        name: znerol.ssh_kba
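The following playbook is an added example and is not part of the role's README. It ties together the variable sections above (key pair, server authorized_keys and client known_hosts): facts are gathered on both machines first, because the role reads the server's host keys from facts, and then the role is run with an ed25519 key pair, a restricted authorized_keys entry and a hashed known_hosts file. The host names, user names (app, deploy) and the path /home/deploy/.ssh/known_hosts are assumptions; the Ansible facts and modules used (setup, hostvars, ansible_default_ipv4, command) are standard Ansible.

```yaml
# Added example, not the role's own playbook. Assumed hosts: server.example.com
# and client.example.com; assumed users: app (server) and deploy (client).
- hosts: server.example.com:client.example.com
  # The role takes the server's host keys from Ansible facts, so gather facts
  # on both sides before running it.
  gather_facts: yes

- hosts: server.example.com
  tasks:
    - name: Key based authentication granted to deploy@client.example.com on app@server.example.com
      import_role:
        name: znerol.ssh_kba
      vars:
        ssh_kba_server_user: app
        ssh_kba_client_hostname: client.example.com
        ssh_kba_client_user: deploy
        # Prefer ed25519 over the rsa default; the key size is then irrelevant.
        ssh_kba_keypair_type: ed25519
        # Limit what this key may do on the server: no forwarding, no pty,
        # and only accepted from the client's address (taken from facts).
        ssh_kba_server_authorized_keys_key_options: 'restrict,from="{{ hostvars["client.example.com"].ansible_default_ipv4.address }}"'
        # Make this the only key in app's authorized_keys on the server.
        ssh_kba_server_authorized_keys_exclusive: yes
        # Store the server's names in hashed form in the client's known_hosts.
        ssh_kba_client_known_hosts_hash_host: yes

- hosts: client.example.com
  tasks:
    # Assumed known_hosts path; ssh-keygen -F exits non-zero when no entry
    # matches, so this task fails if the server's host key was not pinned.
    - name: Verify that the server's host key is pinned in the client's known_hosts
      command: ssh-keygen -F server.example.com -f /home/deploy/.ssh/known_hosts
      changed_when: false
      become: yes
      become_user: deploy
```

The first play replaces the delegate_to/delegate_facts task of the README's example with a plain fact-gathering play over both hosts; either approach works, as long as facts for both sides exist before the role runs. The final play is a check rather than configuration: because the role writes the server's host keys into known_hosts from gathered facts, the client never has to accept an unknown host key on first connection, and the check confirms that this pinning actually happened.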

License

BSD

Project information

Setup SSH public key authentication for machine to machine communication.

Install
ansible-galaxy install znerol.ssh_kba
License
Unknown
Downloads
373