Role Name

Setup SSH public key authentication for machine to machine communication.

Requirements

OpenSSH server and client software present.

Role Variables

In a typical setup this role is applied either to an SSH client or an SSH server. Tasks for the other side can be delegated by setting ssh_kba_server_hostname and ssh_kba_client_hostname respectively. Also in most cases it is recommended to specify ssh_kba_server_user and ssh_kba_client_user explicitely instead of relying on the defaults.

Note: SSH host keys are collected from ansible facts. Thus it is important that they are gathered beforehand for all involved machines.

Variables affecting the server

Host and user representing the server side enpoint of the public key authenticated ssh connection:

ssh_kba_server_hostname: "{{ inventory_hostname }}"
ssh_kba_server_user: # Ansible user on the server according to facts.

Variables affecting the client

ssh_kba_client_hostname: "{{ inventory_hostname }}"
ssh_kba_client_user: # Ansible user on the server according to facts.

ssh_kba_client_host_fqdn: # FQDN of the server according to facts.
ssh_kba_client_host_ip4: # Default IP address of the server according to facts.
ssh_kba_client_host_ip6: # Default IP address of the server according to facts.

Variables affecting the keypair

ssh_kba_keypair_type: rsa # One of dsa, ecdsa, ed25519, rsa
ssh_kba_keypair_size: # Omit by default
ssh_kba_keypair_comment: "{{ ssh_kba_client_user }}@{{ ssh_kba_client_hostname }}"
ssh_kba_keypair_dir: ~/.ssh
ssh_kba_keypair_name: "id_{{ ssh_kba_keypair_type }}"
ssh_kba_keypair_path: "{{ ssh_kba_keypair_dir }}/{{ ssh_kba_keypair_name }}"
ssh_kba_keypair_owner: "{{ ssh_kba_client_user }}"
ssh_kba_keypair_group: # Omit by default
ssh_kba_keypair_attributes: # Omit by default
ssh_kba_keypair_selevel: # Omit by default
ssh_kba_keypair_serole: # Omit by default
ssh_kba_keypair_setype: # Omit by default
ssh_kba_keypair_seuser: # Omit by default

The keypair will be regenerated if ssh_kba_keypair_force is set to yes.

ssh_kba_keypair_force: # Omit by default

The fact ssh_kba_keypair_pub is set to the public part of the keypair during role evaluation.

Variables affecting the servers authorized keys file

ssh_kba_keypair_pub: # see keypair section above
ssh_kba_server_authorized_keys_owner: "{{ ssh_kba_server_user }}"
ssh_kba_server_authorized_keys_comment: # Omit by default
ssh_kba_server_authorized_keys_exclusive: # Omit by default
ssh_kba_server_authorized_keys_key_options: # Omit by default
ssh_kba_server_authorized_keys_manage_dir: # Omit by default
ssh_kba_server_authorized_keys_path: # Omit by default

Variables affecting the clients known hosts file

ssh_kba_client_known_hosts_owner: "{{ ssh_kba_client_user }}"
ssh_kba_client_known_hosts_hash_host | default(omit) }}"
ssh_kba_client_known_hosts_path | default(omit) }}"

Server FQDN, IPs and host key facts are collected in order to make them available in the clients known_hosts. Overriding any of the following variables will modify this behavior:

ssh_kba_server_host_fqdn: # FQDN of the server according to facts.
ssh_kba_server_host_ip4: # Default IP address of the server according to facts.
ssh_kba_server_host_ip6: # Default IP address of the server according to facts.
ssh_kba_server_host_names: # A list consisting of FQDN and default IP addresses.
ssh_kba_server_host_keys: # A list of pairs, each one consisting of the key
    type (first field) and the actual host key (second field). Defaults to
    values available from host facts.

The afforementioned variables will be used to populate a variable with a list of host names and keys:

ssh_kba_server_host_names_and_keys: # A list of pairs, each one consisting of a
    hostname (or ip address) and a corresponding host key (in the form which is
    accepted by the known_hosts module)

Dependencies

None.

Example Playbook

- hosts: server.example.com
  tasks:
    - name: Gather client facts
      delegate: client.example.com
      delegate_facts: yes
      setup:

    - name: >-
        Key based authentication granted to [email protected] on
        [email protected]
      vars:
        ssh_kba_server_user: alpha
        ssh_kba_client_hostname: client.example.com
        ssh_kba_client_user: beta
      import_role:
        name: znerol.ssh_kba

License

BSD