Ansible communicates with remote machines over SSH. In this tutorial we are going to write a playbook that creates a dedicated user for key-based authentication on every remote host and copies our public key to it, so that later playbooks no longer need a password.
If you have not installed Ansible yet, take a look at my first tutorial on installing Ansible on CentOS 7 / RHEL 7: Getting Started With Ansible
Create the Ansible playbook
Assuming that we have already generated an SSH key pair on the Ansible management server for the account ansadm, this playbook will, on each remote host, create a user account named "ansadm" whose account never expires, grant it sudo rights, and install the public key into the authorized_keys file of ansadm's home directory. The password variable must hold a hash in /etc/shadow format (for example a $6$ SHA-512 crypt string), never the plaintext password: the user module writes the value verbatim into /etc/shadow.

[root@ansible ~]# su - ansadm
[ansadm@ansible ~]# vi add-ssh-user.yml

---
- hosts: all
  vars:
    ansadm_password: 'YOUR_HASHED_PASSWORD'   # crypt hash ($6$...), not the plaintext
  gather_facts: no
  remote_user: root
  tasks:
    - name: 1. Add user ANSADM
      user:
        name: ansadm
        password: "{{ ansadm_password }}"

    - name: 2. Change Expire Password Account to never
      # chage -E -1 removes the account expiry date
      command: chage -E -1 ansadm

    - name: 3. Add remote user to sudoers
      lineinfile:
        dest: /etc/sudoers
        regexp: '^ansadm '
        line: 'ansadm ALL=(ALL) NOPASSWD: ALL'
        state: present
        # never write a sudoers file that visudo rejects
        validate: 'visudo -cf %s'

    - name: 4. install ssh key
      authorized_key:
        user: ansadm
        key: "{{ lookup('file', '/home/ansadm/.ssh/id_rsa.pub') }}"
        state: present
Create the inventory file
In the inventory file we list the remote hosts to be managed by Ansible:

[ansadm@ansible ~]# vi inventory.ini

[webservers]
web01
web02
web03
web04
web05

[dbservers]
db01
db02
db03
Run the playbook
[ansadm@ansible ~]# ansible-playbook -i inventory.ini add-ssh-user.yml --ask-pass
Note that, because the key is not installed yet, --ask-pass makes Ansible prompt you for the root password of your remote hosts; once the playbook has run, later plays can connect as ansadm with the key and without a password.
To download the source code, visit this link: github add ssh user
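A pre-flight check for the file that task 4 reads with lookup('file', ...) is useful before the playbook pushes it to every host. The following is an added example written for this page, not code from the tutorial or from Ansible: it parses an OpenSSH public key line, decodes the base64 blob and confirms that the key type embedded in the blob matches the declared one, which catches a truncated line or a private key file handed over by mistake. The sample key line it builds is constructed for the demonstration (an all-zero key body) and cannot authenticate anywhere.

```python
"""Pre-flight check for the public key that authorized_key will install.

Added example for this page, not code from the tutorial or from Ansible.
"""
import base64
import struct

# Key types accepted for authorized_keys in this check.
KNOWN_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def parse_public_key(line):
    """Return (key_type, comment) for a valid OpenSSH public key line; raise ValueError otherwise."""
    text = line.strip()
    if text.startswith("-----BEGIN"):
        raise ValueError("this is a private key, not a public key")
    if "\n" in text:
        raise ValueError("authorized_key expects a single key line")
    parts = text.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KNOWN_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("base64 blob does not decode: %s" % exc)
    # The SSH wire format starts with a 4-byte big-endian length and the type string.
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("blob truncated")
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("declared type %s but blob contains %s" % (key_type, embedded))
    return key_type, comment


def check_key_file(text):
    """Wrap parse_public_key for a whole file: (True, description) or (False, reason)."""
    try:
        key_type, comment = parse_public_key(text)
    except ValueError as exc:
        return False, str(exc)
    return True, "%s key for %s" % (key_type, comment or "<no comment>")


def make_sample_key(key_type="ssh-ed25519", comment="ansadm@ansible"):
    """Build a structurally valid key line with a dummy all-zero 32-byte key body.

    Constructed for the example only: it is not a real key.
    """
    body = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    body += struct.pack(">I", 32) + b"\x00" * 32
    return "%s %s %s" % (key_type, base64.b64encode(body).decode("ascii"), comment)


if __name__ == "__main__":
    # Real use: check_key_file(open('/home/ansadm/.ssh/id_rsa.pub').read())
    print(check_key_file(make_sample_key()))
    print(check_key_file(make_sample_key().replace("ssh-ed25519 ", "ssh-rsa ", 1)))
    print(check_key_file("-----BEGIN OPENSSH PRIVATE KEY-----\n..."))
```

Run it against the real file on the management server before the playbook; a False result means the lookup would feed authorized_key something that is not a usable public key line.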
5 comments
What is 'YOUR_HASHED_PASSWORD' and how did you generate this hashed password?
Also, can you please explain how you generated the SSH key pair on the Ansible management server?
Thanks in advance!
Hi Suresh, thanks for commenting. Regarding the SSH key pair, you can take a look at this article; the fifth step will help you create the key pair: http://yallalabs.com/linux/getting-started-with-ansible/ .
You can generate a hashed password for the /etc/shadow file using:
1- Python: python -c 'import crypt,getpass; print crypt.crypt(getpass.getpass(), "$6$YOURSALT")'
   python3 -c 'import crypt; print(crypt.crypt("YourPass", crypt.mksalt(crypt.METHOD_SHA512)))'
2- Perl: perl -e 'print crypt("YourPass","\$6\$YOURSALT\$") . "\n"'
3- mkpasswd command: mkpasswd -m sha-512 -S YOURSALT -s <<< YourPass
4- doveadm utility from Dovecot: doveadm pw -s SHA512-CRYPT
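Whichever tool produces the hash, the value handed to the user module (ansadm_password in the tutorial, or a per-user password field in a loop) should be checked before it is written into every host's /etc/shadow. The following is an added example for this page, not code from the tutorial or from Ansible: it checks the crypt(3) structure $id$[rounds=N$]salt$digest, the fixed digest length of each algorithm, and stray whitespace around the value, a mistake that is easy to make when quoting a Jinja expression such as " {{ item.password }}". It does not verify that a password matches the hash (that needs crypt(3)), and it deliberately avoids the crypt module used in the python one-liners above, which is deprecated since Python 3.11 and removed in 3.13. The sample values are constructed for the demonstration, not real hashes.

```python
"""Structure check for a crypt-style password hash before Ansible's user module stores it.

Added example for this page, not code from the tutorial or from Ansible.
"""
import re

# $<id>$[rounds=N$]<salt>$<digest>; salt and digest use the ./0-9A-Za-z alphabet.
HASH_RE = re.compile(
    r"^\$(?P<id>1|5|6)\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$"
    r"(?P<digest>[./0-9A-Za-z]+)$"
)
# The digest length is fixed by the algorithm.
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}
ALGO_NAME = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}


def check_password_hash(value):
    """Return (True, description) for a usable crypt hash, else (False, reason)."""
    if not value:
        return False, "empty value: the user module would create the account with no password"
    if value != value.strip():
        return False, ("stray whitespace around the hash: the user module stores it "
                       "verbatim, so the password can never match")
    if not value.startswith("$"):
        return False, ("no '$id$' prefix: this looks like a plaintext password and "
                       "would be written into /etc/shadow as-is")
    m = HASH_RE.match(value)
    if not m:
        return False, "malformed crypt string (unknown algorithm id or bad characters)"
    algo, digest = m.group("id"), m.group("digest")
    if len(digest) != DIGEST_LEN[algo]:
        return False, "%s digest must be %d characters, got %d (truncated copy-paste?)" % (
            ALGO_NAME[algo], DIGEST_LEN[algo], len(digest))
    if algo == "1":
        return False, "md5-crypt is obsolete; regenerate the hash with SHA-512 ($6$)"
    rounds = m.group("rounds")
    suffix = ", rounds=" + rounds if rounds else ""
    return True, "%s, salt %r%s" % (ALGO_NAME[algo], m.group("salt"), suffix)


# Constructed sample values (not real hashes): a SHA-512 digest is 86 crypt-alphabet
# characters, an MD5 digest 22.
SAMPLE_SHA512 = "$6$wsix5/A0$" + "A" * 86
SAMPLE_MD5 = "$1$abcdefgh$" + "B" * 22

if __name__ == "__main__":
    for candidate in (SAMPLE_SHA512, " " + SAMPLE_SHA512, "YourPass",
                      SAMPLE_SHA512[:-5], "$6$rounds=656000$salt$" + "C" * 86, SAMPLE_MD5):
        print(check_password_hash(candidate))
```

A False result for a value that came out of one of the commands above usually means a line break or a space was picked up when the hash was pasted into the playbook.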
Hello Lotfi,
Could you please let me know what is missing in my code?
Requirement: I need to add multiple users and their associated keys in different files on the destination servers.
---
- hosts: lb:app2
  tasks:
    - name: Add list of users
      # tags: system-user
      user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        groups: "{{ item.groups }}"
        comment: "{{ item.comment }}"
        password: " {{ item.password }}"
        createhome: yes
        state: present
      with_items:
        - { name: testuser1, uid: 1002, groups: "wheel, automate", comment: "{{ 'Test Admin ID' }}", password: "{{ '$6$wsix5/A0$Qs46riLAIqJfolLAzqrMc8ZVVN8tBSZWaoDKco9gnqQJJqvf1hA3K9HHM8HtJXzcpA/ZnvagCPmiXsxl4ifzn.' }}" }
        - { name: testuser2, uid: 1003, groups: "automate", comment: "{{ 'Test2 Admin ID' }}", password: "{{ '$6$gs3s6NUC$EwG7Lys4yxSLW8d1bceC1y4JH/ag0wmJt/AKnMg2DNHTy/HMfMYJV06SUyD89ZNioh2IfVmC14bbqFWWpfC9E/' }}" }

    - name: Add .ssh directories
      file:
        name: "{{ item.name }}"
        path: "/home/{{ item.name }}/.ssh"
        state: directory
        mode: 0700
        owner: "{{ item.name }}"
        group: "{{ item.group|default(item.name) }}"
      with_items:
        - { name: testuser1, path: "{{ item.name }}" }
It does create a user but doesn't create the .ssh directory, and I'm unable to push the authorized_keys and authorized_keys2 files to different locations.
Thanks!
Hi,
Did you create the user accounts and generate an SSH key pair for all the account users on the Ansible management server? After that you add something like this to copy the SSH keys to the remote servers:

- name: install ssh key
  authorized_key:
    user: "{{ item.name }}"
    key: "{{ lookup('file', '/home/' + item.name + '/.ssh/id_rsa.pub') }}"
    state: present
  # loop over the same list of users as the user task
  with_items: "{{ users }}"
Yes, the user accounts were created in the first task, but I have the keys for them at a different location. Please check this code: it works and creates the .ssh directory, but I could not do it with with_items. I would like to simplify the code and not add too many lines unless required.
- hosts: lb:app2
  gather_facts: yes
  connection: ssh
  tasks:
    - name: Ensure "adsm" group exists
      group:
        name: adsm
        state: present

    - name: Add list of users
      # tags: system-user
      user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        groups: "{{ item.groups }}"
        comment: "{{ item.comment }}"
        password: " {{ item.password }}"
        createhome: yes
        state: present
      with_items:
        - { name: testuser1, uid: 1002, groups: "wheel, automate", comment: "{{ 'Test Admin ID' }}", password: "{{ '$6$wsix5/A0$Qs46riLAIqJfolLAzqrMc8ZVVN8tBSZWaoDKco9gnqQJJqvf1hA3K9HHM8HtJXzcpA/ZnvagCPmiXsxl4ifzn.' }}" }
        - { name: testuser2, uid: 1003, groups: "automate", comment: "{{ 'Test2 Admin ID' }}", password: "{{ '$6$gs3s6NUC$EwG7Lys4yxSLW8d1bceC1y4JH/ag0wmJt/AKnMg2DNHTy/HMfMYJV06SUyD89ZNioh2IfVmC14bbqFWWpfC9E/' }}" }
        - { name: adsm, uid: 503, groups: "adsm", comment: "{{ 'ADSM Admin ID' }}", password: "{{ '$6$wsix5/A0$Qs46riLAIqJfolLAzqrMc8ZVVN8tBSZWaoDKco9gnqQJJqvf1hA3K9HHM8HtJXzcpA/ZnvagCPmiXsxl4ifzn.' }}" }
      # notify: users created

    - name: Add .ssh directory for adsm
      file:
        # name: "{{ item.name }}"
        path: /home/adsm/.ssh
        state: directory
        mode: 0700
        owner: adsm
        group: adsm

    - name: Push ssh keys for adsm user
      register: result
      template:
        src: /tmp/adsm.pub
        dest: /home/adsm/.ssh/authorized_keys2
        mode: 0600
        owner: adsm
        group: adsm

    - name: Add .ssh directories
      file:
        # name: "{{ item.name }}"
        path: /home/testuser1/.ssh
        state: directory
        mode: 0700
        owner: testuser1
        group: testuser1

    - name: Push ssh keys for relevant users
      register: result
      template:
        src: /tmp/adsm.pub
        dest: /home/testuser1/.ssh/authorized_keys2
        mode: 0600
        owner: testuser1
        group: testuser1