Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/znerol/ansible-role-ssh-kba

Setup SSH public key authentication for machine to machine communication.
https://github.com/znerol/ansible-role-ssh-kba

Last synced: 25 days ago
JSON representation

Setup SSH public key authentication for machine to machine communication.

Awesome Lists containing this project

README 

        
Role Name

=========



[![Build Status](https://travis-ci.org/znerol/ansible-role-ssh-kba.svg?branch=master)](https://travis-ci.org/znerol/ansible-role-ssh-kba)



Setup SSH public key authentication for machine to machine communication.



Requirements

------------



OpenSSH server and client software present.



Role Variables

--------------



In a typical setup this role is applied either to an SSH client or an SSH

server.  Tasks for the other side can be delegated by setting

`ssh_kba_server_hostname` and `ssh_kba_client_hostname` respectively. Also in

most cases it is recommended to specify `ssh_kba_server_user` and

`ssh_kba_client_user` explicitely instead of relying on the defaults.



Note: SSH host keys are collected from ansible facts. Thus it is important that

they are gathered beforehand for all involved machines.



### Variables affecting the server



Host and user representing the server side enpoint of the public key

authenticated ssh connection:



```

ssh_kba_server_hostname: "{{ inventory_hostname }}"

ssh_kba_server_user: # Ansible user on the server according to facts.

```



### Variables affecting the client



```

ssh_kba_client_hostname: "{{ inventory_hostname }}"

ssh_kba_client_user: # Ansible user on the server according to facts.

```



```

ssh_kba_client_host_fqdn: # FQDN of the server according to facts.

ssh_kba_client_host_ip4: # Default IP address of the server according to facts.

ssh_kba_client_host_ip6: # Default IP address of the server according to facts.



```



### Variables affecting the keypair



```

ssh_kba_keypair_type: rsa # One of dsa, ecdsa, ed25519, rsa

ssh_kba_keypair_size: # Omit by default

ssh_kba_keypair_comment: "{{ ssh_kba_client_user }}@{{ ssh_kba_client_hostname }}"

ssh_kba_keypair_dir: ~/.ssh

ssh_kba_keypair_name: "id_{{ ssh_kba_keypair_type }}"

ssh_kba_keypair_path: "{{ ssh_kba_keypair_dir }}/{{ ssh_kba_keypair_name }}"

ssh_kba_keypair_owner: "{{ ssh_kba_client_user }}"

ssh_kba_keypair_group: # Omit by default

ssh_kba_keypair_attributes: # Omit by default

ssh_kba_keypair_selevel: # Omit by default

ssh_kba_keypair_serole: # Omit by default

ssh_kba_keypair_setype: # Omit by default

ssh_kba_keypair_seuser: # Omit by default

```



The keypair will be regenerated if `ssh_kba_keypair_force` is set to `yes`.



```

ssh_kba_keypair_force: # Omit by default

```



The fact `ssh_kba_keypair_pub` is set to the public part of the keypair during

role evaluation.



### Variables affecting the servers authorized keys file



```

ssh_kba_keypair_pub: # see keypair section above

ssh_kba_server_authorized_keys_owner: "{{ ssh_kba_server_user }}"

ssh_kba_server_authorized_keys_comment: # Omit by default

ssh_kba_server_authorized_keys_exclusive: # Omit by default

ssh_kba_server_authorized_keys_key_options: # Omit by default

ssh_kba_server_authorized_keys_manage_dir: # Omit by default

ssh_kba_server_authorized_keys_path: # Omit by default

```



### Variables affecting the clients known hosts file



```

ssh_kba_client_known_hosts_owner: "{{ ssh_kba_client_user }}"

ssh_kba_client_known_hosts_hash_host | default(omit) }}"

ssh_kba_client_known_hosts_path | default(omit) }}"

```



Server FQDN, IPs and host key facts are collected in order to make them

available in the clients `known_hosts`. Overriding any of the following

variables will modify this behavior:



```

ssh_kba_server_host_fqdn: # FQDN of the server according to facts.

ssh_kba_server_host_ip4: # Default IP address of the server according to facts.

ssh_kba_server_host_ip6: # Default IP address of the server according to facts.

ssh_kba_server_host_names: # A list consisting of FQDN and default IP addresses.

ssh_kba_server_host_keys: # A list of pairs, each one consisting of the key

    type (first field) and the actual host key (second field). Defaults to

    values available from host facts.

```



The afforementioned variables will be used to populate a variable with a list

of host names and keys:



```

ssh_kba_server_host_names_and_keys: # A list of pairs, each one consisting of a

    hostname (or ip address) and a corresponding host key (in the form which is

    accepted by the known_hosts module)

```



Dependencies

------------



None.



Example Playbook

----------------



    - hosts: server.example.com

      tasks:

        - name: Gather client facts

          delegate: client.example.com

          delegate_facts: yes

          setup:



        - name: >-

            Key based authentication granted to [email protected] on

            [email protected]

          vars:

            ssh_kba_server_user: alpha

            ssh_kba_client_hostname: client.example.com

            ssh_kba_client_user: beta

          import_role:

            name: znerol.ssh_kba



License

-------



BSD