
Saturday, 23 March 2019

Playbook to replace ssh keys using a loop

Task:

I had to replace DSA keys (which, by the way, are no longer considered secure and are disabled by default in OpenSSH 7.0 and later) with RSA keys for one user who had several keys in the authorized_keys file.

Objective:
To create a playbook that runs task1, task2, ..., taskn once for each user key.

Solution:
Use the include_tasks feature and loop over the user keys.


This is the main playbook where I define the loop and the tasks to be executed

sshd.yml
---
- name: Reorganize SSH keys
  hosts: servers
  tasks:

   - include_tasks: "sshd_tasks.yml"
     loop:
       - userkey1
       - userkey2


For each item in the loop, the first task checks whether the authorized_keys file of username1 contains an ssh-dss entry whose comment matches the item (userkey1). If it does, the second task adds the RSA public key stored on the controller at /repo/sshd/userkey1/.ssh/id_rsa.pub, and the third task removes the old DSA entry.

If no matching DSA key is found, the second task is skipped and the third task has nothing to remove, so it reports ok. The same sequence runs for userkey2.

If I had more user keys to check, I would just add them to the loop.

Two things to check before running it against a real file: the pattern ssh-dss.*userkey1 is an unanchored regular expression, so it also matches an entry commented userkey10 (anchor the comment with a trailing $, or use names that are not prefixes of each other), and the lookup path must point at the public key (id_rsa.pub): appending a private key to authorized_keys grants nothing and leaks the secret to anyone who can read the file.


sshd_tasks.yml
---
  # Step 1: look for an ssh-dss line whose comment matches the item.
  # grep exits 0 on a match, 1 on no match and 2 on an error (e.g. missing file):
  # a match is reported as "changed" so it stands out in the play output,
  # and only a real error fails the play.
  - name: Check if dsa key exists for {{ item }}
    command: grep 'ssh-dss.*{{ item }}' /etc/ssh_keys/username1/authorized_keys
    register: sshkey
    changed_when: "sshkey.rc == 0"
    failed_when: "sshkey.rc == 2"

  # Step 2: add the RSA public key read from the controller, only when the
  # DSA key was found. exclusive: no keeps the other keys in the file.
  - name: Add rsa key for {{ item }} into authorized keys
    authorized_key:
      user: username1
      state: present
      exclusive: no
      key: "{{ lookup('file', '/repo/sshd/' ~ item ~ '/.ssh/id_rsa.pub') }}"
      path: /etc/ssh_keys/username1/authorized_keys
    when: "sshkey.rc == 0"

  # Step 3: drop the old DSA line; a no-op (ok) when nothing matches.
  - name: Remove dsa keys for {{ item }}
    lineinfile:
      path: /etc/ssh_keys/username1/authorized_keys
      regexp: '^ssh-dss.*{{ item }}'
      state: absent



Example:

PLAY [Reorganize SSH keys] *********************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************
ok: [zubi]

TASK [include_tasks] ***************************************************************************************************************
included: /etc/ansible/playbooks/sshd_tasks.yml for zubi=> (item=userkey1)
included: /etc/ansible/playbooks/sshd_tasks.yml for zubi=> (item=userkey2)

TASK [Check if dsa key exists for userkey1] ****************************************************************************************
changed: [zubi]

TASK [Add rsa key for userkey1 into authorized keys] ******************************************************************************
changed: [zubi]

TASK [Remove dsa keys for userkey1] ************************************************************************************************
changed: [zubi]

TASK [Check if dsa key exists for userkey2] ****************************************************************************************
changed: [zubi]

TASK [Add rsa key for userkey2 into authorized keys] *******************************************************************************
changed: [zubi]

TASK [Remove dsa keys for userkey2] ************************************************************************************************
changed: [zubi]

PLAY RECAP *************************************************************************************************************************
zubi                   : ok=9    changed=6    unreachable=0    failed=0
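The check / add / remove sequence of sshd_tasks.yml as plain shell functions, added here as an example that is not part of the original post, so the matching logic can be tried on a scratch copy of authorized_keys before the playbook touches the real one. It goes a little beyond the playbook: the comment is compared as a whole field (so userkey1 cannot match userkey10), the public key is appended only when its blob is not already in the file, and a file that looks like a private key is refused. The directory names, the userkeyN comments and the key blobs are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): the check / add / remove sequence
# of sshd_tasks.yml as shell functions. File names, the "userkeyN" comments and
# the key blobs are constructed placeholders for this demo, not real keys.

# has_dsa_key AUTHORIZED_KEYS COMMENT
# Exit 0 if a line is "ssh-dss <blob> COMMENT", 1 if not, 2 if the file cannot
# be read (awk's own error status, mirroring grep's rc=2 in the playbook).
# The comment is compared as a whole field, so "userkey1" does not match
# "userkey10" the way the unanchored regex ssh-dss.*userkey1 would.
# Lines with a leading options field (e.g. no-pty) are not handled.
has_dsa_key() {
    awk -v c="$2" '$1 == "ssh-dss" && $NF == c { found = 1 } END { exit !found }' "$1"
}

# rotate_dsa_key AUTHORIZED_KEYS PUBKEY_FILE COMMENT
# Returns 0 when a DSA key for COMMENT was replaced (the play's "changed"),
# 1 when there was none (nothing to do), 2 when PUBKEY_FILE is refused.
rotate_dsa_key() {
    keys=$1 pub=$2 comment=$3
    # Only a public key may be appended: a private key in authorized_keys
    # grants nothing and leaks the secret to anyone who can read the file.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing $pub: it looks like a private key" >&2
        return 2
    fi
    has_dsa_key "$keys" "$comment" || return $?
    # Idempotent add: compare the base64 blob (field 2), not the whole line,
    # so a re-run with a different comment does not duplicate the key.
    blob=$(awk '{ print $2; exit }' "$pub")
    grep -qF -- "$blob" "$keys" || printf '%s\n' "$(cat "$pub")" >> "$keys"
    # Remove the DSA line(s) for this comment; write via a temp file rather
    # than editing in place so a crash cannot leave a truncated file behind.
    awk -v c="$comment" '!($1 == "ssh-dss" && $NF == c)' "$keys" > "$keys.tmp" \
        && mv "$keys.tmp" "$keys"
}

# write_sample_keys FILE: constructed authorized_keys (placeholder blobs)
write_sample_keys() {
    cat > "$1" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERDSA1 userkey1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERRSA10 userkey10
ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDERDSA2 userkey2
EOF
}

# write_sample_pub FILE COMMENT: a placeholder RSA public key for COMMENT
write_sample_pub() {
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER%s %s\n' "$2" "$2" > "$1"
}

# Demo run on a scratch directory: userkey1 and userkey2 are rotated,
# userkey10 has no DSA key and is left alone.
dir=${TMPDIR:-/tmp}/rotate-demo.$$
mkdir -p "$dir"
write_sample_keys "$dir/authorized_keys"
for u in userkey1 userkey10 userkey2; do
    write_sample_pub "$dir/$u.pub" "$u"
    if rotate_dsa_key "$dir/authorized_keys" "$dir/$u.pub" "$u"; then
        echo "$u: DSA key replaced"
    else
        rc=$?; echo "$u: nothing to do (status $rc)"
    fi
done
cat "$dir/authorized_keys"
rm -rf "$dir"
```

The return codes map onto the playbook's reporting: 0 is what the check task reports as changed, 1 is the skipped add plus the no-op remove, and 2 is the condition that should fail the play.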


Saturday, 16 March 2019

Changing standard output on ansible

If you need to show the output of a command from a playbook and want it in a more human-readable format, you can switch the stdout callback plugin in your config file.
Add the following option under the [defaults] section of /etc/ansible/ansible.cfg (for a single run, exporting ANSIBLE_STDOUT_CALLBACK=debug has the same effect):

stdout_callback = debug


If we try it with these two simple tasks

- name: show df output
  command: df -h
  register: df

- debug:
    msg: "{{ df.stdout }}"


Before

TASK [debug] ****************************************************************************************************************************
ok: [zubi] => {
    "msg": "Filesystem      Size  Used Avail Use% Mounted on\ndevtmpfs        476M     0  476M   0% /dev\ntmpfs           493M     0  493M   0% /dev/shm\ntmpfs           493M  448K  493M   1% /run\ntmpfs           493M     0  493M   0% /sys/fs/cgroup\n/dev/xvda1      8.0G  1.2G  6.9G  15% /\ntmpfs            99M     0   99M   0% /run/user/1000"
}



After

TASK [debug] ****************************************************************************************************************************
ok: [zubi] => {}

MSG:

Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        476M     0  476M   0% /dev
tmpfs           493M     0  493M   0% /dev/shm
tmpfs           493M  448K  493M   1% /run
tmpfs           493M     0  493M   0% /sys/fs/cgroup
/dev/xvda1      8.0G  1.2G  6.9G  15% /
tmpfs            99M     0   99M   0% /run/user/1000

Sunday, 10 March 2019

Changing system hostname on AWS

When you log into an instance for the first time, you'll see that it was automatically created with a horrendous hostname derived from its private IP address.

I find it handy to give the instance a proper name. You can follow these easy steps if you don't have a public DNS domain name.

Check your OS with this command

cat /etc/system-release
Amazon Linux release 2 (Karoo)

Step 1

For Amazon Linux 2: use the hostnamectl command
sudo hostnamectl set-hostname "servername.localdomain"

For Amazon Linux AMI: open /etc/sysconfig/network and set
HOSTNAME=servername.localdomain


Step 2
Open the /etc/hosts file and change the entry beginning with 127.0.0.1 so it looks like this (the two new names must come first; keeping the existing localhost entries after them does no harm)
127.0.0.1 servername.localdomain servername localhost4 localhost4.localdomain4

Step 3
Reboot the instance and check that the name survived. If cloud-init sets the hostname back on boot, set preserve_hostname: true in /etc/cloud/cloud.cfg and reboot again.
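The three steps above as shell functions, added here as an example that is not part of the original post. The release strings, the scratch copy of /etc/hosts and the server names are constructed for the demo; apply_hostname is the only function that touches the live system and needs root. It departs from Step 2 in one respect: the new names are inserted at the front of the existing 127.0.0.1 line rather than replacing the line, so localhost keeps resolving over IPv4 and a second run changes nothing.

```shell
#!/bin/sh
# Added example, not part of the original post: Steps 1-3 as shell functions.
# Release strings, file contents and server names below are constructed for
# the demo; only apply_hostname touches the live system (and needs root).

# valid_hostname NAME: RFC 1123 shape, labels of 1-63 alphanumerics/hyphens
# with no leading or trailing hyphen, at most 253 characters overall.
valid_hostname() {
    [ ${#1} -le 253 ] && printf '%s\n' "$1" \
        | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# hostname_method RELEASE_LINE: which persistence mechanism Step 1 uses for
# the content of /etc/system-release; prints it and returns 1 if unknown.
hostname_method() {
    case $1 in
        "Amazon Linux release 2"*|"Amazon Linux 2"*) echo hostnamectl ;;
        "Amazon Linux AMI"*)                         echo sysconfig ;;
        *)                                           echo unknown; return 1 ;;
    esac
}

# set_hosts_entry HOSTS_FILE FQDN SHORT: Step 2 on an arbitrary hosts file.
# The new names go at the front of the first 127.0.0.1 line and the names
# already there are kept (minus duplicates), so "localhost" still resolves
# over IPv4 and a second run is a no-op. A missing line is added.
set_hosts_entry() {
    hosts=$1 fqdn=$2 short=$3
    awk -v f="$fqdn" -v s="$short" '
        $1 == "127.0.0.1" && !done {
            out = "127.0.0.1 " f " " s
            for (i = 2; i <= NF; i++) if ($i != f && $i != s) out = out " " $i
            print out; done = 1; next
        }
        { print }
        END { if (!done) print "127.0.0.1 " f " " s " localhost" }
    ' "$hosts" > "$hosts.tmp" && mv "$hosts.tmp" "$hosts"
}

# loopback_line HOSTS_FILE: the first 127.0.0.1 line, for checking the result.
loopback_line() {
    awk '$1 == "127.0.0.1" { print; exit }' "$1"
}

# apply_hostname FQDN: Steps 1 and 2 on the live system (run as root, then
# reboot as in Step 3 and confirm the name survived cloud-init).
apply_hostname() {
    fqdn=$1 short=${1%%.*}
    valid_hostname "$fqdn" || { echo "invalid hostname: $fqdn" >&2; return 1; }
    case $(hostname_method "$(cat /etc/system-release)") in
        hostnamectl) hostnamectl set-hostname "$fqdn" ;;
        sysconfig)
            if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
                sed -i "s/^HOSTNAME=.*/HOSTNAME=$fqdn/" /etc/sysconfig/network
            else
                echo "HOSTNAME=$fqdn" >> /etc/sysconfig/network
            fi ;;
        *) echo "unsupported release" >&2; return 1 ;;
    esac
    set_hosts_entry /etc/hosts "$fqdn" "$short"
}

# Demo on a scratch copy of a default Amazon Linux 2 /etc/hosts (constructed)
demo=${TMPDIR:-/tmp}/hosts-demo.$$
mkdir -p "$demo"
printf '%s\n' \
    '127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4' \
    '::1         localhost localhost.localdomain localhost6 localhost6.localdomain6' \
    > "$demo/hosts"
echo "method for AL2: $(hostname_method 'Amazon Linux release 2 (Karoo)')"
set_hosts_entry "$demo/hosts" servername.localdomain servername
cat "$demo/hosts"
rm -rf "$demo"
```

To use it for real, source the file and run apply_hostname servername.localdomain as root, then reboot.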


If you do not want to modify the hostname of the instance but would still like a more useful name in your shell prompt when you log in, follow these steps instead

Step 1
Create a file in /etc/profile.d that sets the environment variable called NICKNAME

sudo sh -c 'echo "export NICKNAME=servername" > /etc/profile.d/prompt.sh'

Step 2
Open /etc/bashrc (RedHat/Amazon) or /etc/bash.bashrc (Debian/Ubuntu) with sudo
sudo vi /etc/bashrc

and look for the line that starts with [ "$PS1"

[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@\h \W]\\$ "

replace it with

[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\u@$NICKNAME \W]\\$ "

Step 3
Log out and then log back in