
Saturday, 23 March 2019

Playbook to replace ssh keys using a loop

Task:

I had to replace DSA keys (which, by the way, are not secure and have been disabled by default since OpenSSH 7.0) with RSA keys for one user who has several keys in the authorized_keys file.

Objective:
To create a playbook that runs task1, task2, ..., taskn for each user.

Solution:
Use the include_tasks feature and loop over the users.


This is the main playbook, where I define the loop and the tasks to be executed for each item:

sshd.yml
---
- name: Reorganize SSH keys
  hosts: servers
  tasks:

   - include_tasks: "sshd_tasks.yml"
     loop:
       - userkey1
       - userkey2


For each loop item, the first task checks whether a DSA key tagged userkey1 exists in the authorized_keys file of username1. If it does, the second task adds the RSA key stored at /repo/sshd/userkey1/.ssh/id_rsa.pub.
The third task removes the old DSA key.

If no userkey1 DSA key exists, the second task is skipped and the third task changes nothing.
I do the same for userkey2.

If I had more user keys to check, I would simply add them to the loop.


sshd_tasks.yml
---
  # Task 1: look for a DSA key whose comment contains the current loop item.
  # grep returns 0 on a match, 1 on no match and 2 on an error (e.g. missing
  # file), so only rc 2 is treated as a failure.
  - name: Check if dsa key exists for {{ item }}
    command: grep ssh-dss.*{{ item }} /etc/ssh_keys/username1/authorized_keys
    register: sshkey
    changed_when: "sshkey.rc == 0"
    failed_when: "sshkey.rc == 2"

  # Task 2: add the replacement RSA key, but only when a DSA key was found.
  # exclusive: no keeps the other keys already present in the file.
  - name: Add rsa key for {{ item }} into authorized keys
    authorized_key:
      user: username1
      state: present
      exclusive: no
      # Build the path with Jinja2 concatenation instead of nesting {{ }}
      # inside the lookup expression.
      key: "{{ lookup('file', '/repo/sshd/' ~ item ~ '/.ssh/id_rsa.pub') }}"
      path: /etc/ssh_keys/username1/authorized_keys
    when: "sshkey.rc == 0"

  # Task 3: drop every DSA line tagged with the current item. If none is
  # present this task simply reports ok.
  - name: Remove dsa keys for {{ item }}
    lineinfile:
      dest: /etc/ssh_keys/username1/authorized_keys
      regexp: '^ssh-dss.*{{ item }}'
      state: absent



Example run:

PLAY [Reorganize SSH keys] *********************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************
ok: [zubi]

TASK [include_tasks] ***************************************************************************************************************
included: /etc/ansible/playbooks/sshd_tasks.yml for zubi=> (item=userkey1)
included: /etc/ansible/playbooks/sshd_tasks.yml for zubi=> (item=userkey2)

TASK [Check if dsa key exists for userkey1] ****************************************************************************************
changed: [zubi]

TASK [Add rsa key for userkey1into authorized keys] *******************************************************************************
changed: [zubi]

TASK [Remove dsa keys for userkey1] ************************************************************************************************
changed: [zubi]

TASK [Check if dsa key exists for userkey2] ****************************************************************************************
changed: [zubi]

TASK [Add rsa key for userkey2 into authorized keys] *******************************************************************************
changed: [zubi]

TASK [Remove dsa keys for userkey2] ************************************************************************************************
changed: [zubi]

PLAY RECAP *************************************************************************************************************************
zubi                   : ok=9    changed=6    unreachable=0    failed=0
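As an added example (not code from the original post), the same pattern generalised to several accounts: each loop item is a user/tag pair and loop_control hands it to the included file as `rotation`, so the account name is no longer hard-coded. The /etc/ssh_keys/<user>/authorized_keys and /repo/sshd/<tag>/.ssh/id_rsa.pub layouts follow the post; the file names, the `servers` group and the `key_rotations` list are assumptions.

```yaml
# file: rotate_keys.yml  (main playbook, added example)
---
- name: Replace tagged DSA keys with RSA keys for several users
  hosts: servers
  vars:
    # Constructed sample data: account and the comment tag that identifies
    # the key in authorized_keys and the directory under /repo/sshd.
    key_rotations:
      - { user: username1, tag: userkey1 }
      - { user: username1, tag: userkey2 }
      - { user: username2, tag: userkey3 }
  tasks:
    - name: Rotate one tagged key per loop item
      include_tasks: rotate_one_key.yml
      loop: "{{ key_rotations }}"
      loop_control:
        loop_var: rotation
        label: "{{ rotation.user }}/{{ rotation.tag }}"

# file: rotate_one_key.yml  (per-item tasks, added example)
---
- name: Check if a DSA key tagged {{ rotation.tag }} exists for {{ rotation.user }}
  command: grep -E '^ssh-dss .*{{ rotation.tag }}' /etc/ssh_keys/{{ rotation.user }}/authorized_keys
  register: dsa_check
  changed_when: false              # a read-only check never reports a change
  failed_when: dsa_check.rc == 2   # grep rc 1 = no match, rc 2 = error
  check_mode: false                # still run the grep in --check mode

- name: Add RSA key for {{ rotation.tag }} to {{ rotation.user }}
  authorized_key:
    user: "{{ rotation.user }}"
    state: present
    exclusive: false               # keep the other keys in the file
    key: "{{ lookup('file', '/repo/sshd/' ~ rotation.tag ~ '/.ssh/id_rsa.pub') }}"
    path: /etc/ssh_keys/{{ rotation.user }}/authorized_keys
  when: dsa_check.rc == 0

- name: Remove DSA keys tagged {{ rotation.tag }} for {{ rotation.user }}
  lineinfile:
    path: /etc/ssh_keys/{{ rotation.user }}/authorized_keys
    regexp: '^ssh-dss .*{{ rotation.tag }}'
    state: absent
  when: dsa_check.rc == 0
```

Running it with `--check --diff` first shows which lines would be added and removed per host without touching any authorized_keys file.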

