Discussion:
[ansible-project] How to manage authorized_keys?
Eugene Knoxville
2015-07-24 11:41:25 UTC
Hello,

I'm using authorized_keys core module for managing the same name files. So,
what I need?

I have a role, and a var file with all ssh-keys. For example:

user1_key: SSH PUB KEY HERE
user2_key: SSH PUB KEY HERE

I want to define which users I can put to authorized_keys. For example, I
use in a playbook:

roles:
- { role: ssh.role, ssh_user: test1, ssh_user_key: "{{ user1_key }}",
"{{ user2_key }}" }

But... I need to define a list of values, separated with a "new line".
Using line above I'm getting authorized_keys file with 2 SSH keys,
separated with comma.

In role:

- name: Manage authorized_keys
  authorized_key: user="{{ ssh_user }}" key="{{ ssh_user_key }}"


Please suggest!
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8822031b-52d2-4b93-b540-37edbd4cf07b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Eugene Knoxville
2015-07-24 12:02:02 UTC
Found solution in Doc:

- user: name={{ item.name }} state=present generate_ssh_key=yes
  with_items: "{{users}}"

- authorized_key: "user={{ item.0.name }} key='{{ lookup('file', item.1) }}'"
  with_subelements:
    - users
    - authorized

And somewhere define:

users:
  - name: test1
    authorized:
      - "{{ user1_key }}"
      - "{{ user2_key }}"


But when I decide to remove user2_key, it still persists in the authorized_key file! It's unacceptable!
nusenu
2015-07-26 11:09:54 UTC
Post by Eugene Knoxville
But, when I decide to remove user2_key, It still persists in
authorized_key file! It's unacceptable!
Maybe you find the 'exclusive' parameter useful?
http://docs.ansible.com/ansible/authorized_key_module.html
Post by Eugene Knoxville
Whether to remove all other non-specified keys from the
authorized_keys file. Multiple keys can be specified in a single
key string value by separating them by newlines. This option is not
loop aware, so if you use with_ , it will be exclusive per
iteration of the loop, if you want multiple keys in the file you
need to pass them all to key in a single batch as mentioned above.
Eugene Knoxville
2015-07-28 07:08:01 UTC
Unfortunately, it's not useful for multiple keys :(

Igor Homyakov
2015-07-28 08:28:38 UTC
Hi Eugene,

Here is a fairly old snippet I used for such purpose. I hope you will
find it useful.

It uses a template to produce authorized_keys:

https://gist.github.com/hostmaster/fc4bb8a2a9301bc2285f

I think it is possible to do the same with assemble module but I have not tried.

-- Best
nusenu
2015-07-28 10:06:30 UTC
Post by Eugene Knoxville
Unfortunately, It's not useful for multiple keys
*Multiple* keys can be specified in a single key string value by
separating them by newlines.
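
The behaviour discussed above, as an added example that is not part of any poster's message: each user's keys are joined with newlines into one key string and passed to authorized_key once per user with exclusive enabled, so a key dropped from the list is removed from the file on the next run. The host group, the user name test1 and the key values are assumptions; the key strings are placeholders to be replaced with real public keys.

```yaml
# Added example. Key values below are constructed placeholders,
# not real keys; "all" and "test1" are assumed names.
- hosts: all
  become: yes
  vars:
    user1_key: "ssh-ed25519 AAAA...PLACEHOLDER user1@example"
    user2_key: "ssh-ed25519 AAAA...PLACEHOLDER user2@example"
    users:
      - name: test1
        authorized:
          - "{{ user1_key }}"
          - "{{ user2_key }}"   # delete this entry to revoke user2's access
  tasks:
    - name: Ensure accounts exist
      user:
        name: "{{ item.name }}"
        state: present
      with_items: "{{ users }}"

    # One module call per user, carrying ALL of that user's keys in a
    # single newline-separated string. Looping over individual keys
    # (with_subelements) would apply exclusive per iteration and leave
    # only the last key in the file.
    - name: Make authorized_keys match the list exactly
      authorized_key:
        user: "{{ item.name }}"
        key: "{{ item.authorized | join('\n') }}"
        state: present
        exclusive: yes
      with_items: "{{ users }}"
```

With exclusive set, any key not in the list is removed, including keys added by hand on the host, so the key Ansible itself connects with must be in the list if it logs in as a managed user.
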
Brian Coca
2015-07-28 12:40:34 UTC
I would just use templates
--
Brian Coca
Mischa ter Smitten
2015-07-29 19:07:18 UTC
Have a look at our ssh-keys role. https://github.com/Oefenweb/ansible-ssh-keys
Eugene Knoxville
2015-07-26 10:59:31 UTC
Is there anyone who can share own experience? It's supposed to be a
widespread task!