Getting Started With Ansible - Part Six

This article continues the “Learning Ansible” series. In the previous articles, we learned a lot about Ansible, and I hope you want to learn even more.
 
In this article, we will cover the following topics:
  • Remove password-based authentication and enable key-based authentication 
  • Remove host IP addresses from inventory file 
  • Using Ansible SSH private key variable

Remove password-based authentication and enable key-based authentication

 
There are various steps involved if we want to change the authentication to key-based. So, first, log in to the Ansible machine. There, we have created a task folder and copied all our existing files into that.
 
Let’s see the steps one by one.
 
Step 1 - Create a key
 
So, we can see from our current inventory file that the password written for the user is in cleartext format and it is a security risk.
 
 
Now, the time has come when we have to change it and we will change it with key login.
 
In Linux, we can generate the key with the below command.
    ssh-keygen

By default, this key will be stored in the user’s home directory, but we can also specify a different path.
 
 
We can see that the key has been generated.
 
Step 2 - Copy key to all servers
 
The public and private keys are stored in the location chosen during key generation. We can list them with the command below.

    ls ~/.ssh/
 
Once the key is generated, we have to push the public key to all the target instances. Our public key is id_rsa.pub, so next we copy it to all our web and database servers with the command below.

    ssh-copy-id devops@hostIPAddress

hostIPAddress will be replaced by the IP address of the web and DB servers.
 
 
Clearly, the key has been copied successfully. We will do the same step for the remaining 2 web servers and 1 database server.
 
Note
By default, the SSH command first tries to log in with the key; if the key is not found, it asks for the password.
 
Once we have pushed the key, we will disable password authentication in the SSHD config and restart the SSHD service (we have already seen how this can be done in my previous articles).
 
Step 3 - Remove password from the inventory file
 
Now our updated inventory file will look like below.
    websrv01 ansible_host=172.31.2.94
    websrv02 ansible_host=172.31.12.107
    websrv03 ansible_host=172.31.15.24
    dbsrv01 ansible_host=172.31.0.249

    [WebServersGroup]
    websrv01
    websrv02
    websrv03

    [DBServerGroup]
    dbsrv01

    [DataCenter_Ncali:children]
    WebServersGroup
    DBServerGroup

    [DataCenter_Ncali:vars]
    ansible_user=devops

That’s how we can convert password-based authentication to key-based authentication, which is a more secure way of connecting to the target machines.
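
A check to run after Step 3, as an added example that is not part of the original article: it scans an INI inventory for Ansible's password variables (ansible_password, ansible_ssh_pass, ansible_become_password, ansible_become_pass) on host lines and in :vars sections. The function name audit_inventory and the sample inventory with its placeholder values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag cleartext credentials
# left in an INI-style Ansible inventory. Values are never printed.

# audit_inventory FILE (hypothetical helper)
# Prints one line per finding; returns 1 if any credential variable is present.
audit_inventory() {
    awk '
        BEGIN { section = "ungrouped"; hits = 0 }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
        /^[ \t]*\[/ {                               # [group], [group:vars], ...
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        {
            gsub(/[ \t]*=[ \t]*/, "=")              # tolerate "key = value"
            owner = (section ~ /:vars$/) ? "group variable" : "host " $1
            for (i = 1; i <= NF; i++) {
                if ($i !~ /=/) continue
                name = $i
                sub(/=.*/, "", name)
                if (name ~ /^ansible_(password|ssh_pass|become_password|become_pass)$/) {
                    printf "line %d [%s] %s: %s\n", NR, section, owner, name
                    hits++
                }
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample: an inventory that still carries placeholder passwords.
sample=$(mktemp)
cat > "$sample" <<'EOF'
websrv01 ansible_host=172.31.2.94
dbsrv01 ansible_host=172.31.0.249 ansible_ssh_pass=CONSTRUCTED-PLACEHOLDER

[DataCenter_Ncali:vars]
ansible_user=devops
ansible_password = CONSTRUCTED-PLACEHOLDER
EOF

audit_inventory "$sample" || echo "inventory still contains cleartext credentials"
rm -f "$sample"
```

Because the function returns a non-zero status on any finding, it can also gate a commit or a CI job that stores the inventory.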
 

Remove host IP addresses from inventory file

 
In the inventory file shown above, we can see the IP addresses of all our target hosts. Now it's time to remove the IP addresses and move them to a separate location.
 
For this, we are going to open the hosts file with the command below.

    sudo vim /etc/hosts

There, we will add the IP address of each machine along with its name.
 
 
Now, our updated inventory file will be like below.
    websrv01
    websrv02
    websrv03
    dbsrv01

    [WebServersGroup]
    websrv01
    websrv02
    websrv03

    [DBServerGroup]
    dbsrv01

    [DataCenter_Ncali:children]
    WebServersGroup
    DBServerGroup

    [DataCenter_Ncali:vars]
    ansible_user=devops

Now, let’s test with the ping module to see if it all still works fine after all those changes.
 
 
Great. 😊 Things are sorted, and we have successfully removed the hosts' IP addresses and enabled key-based authentication.
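
The migration described in this section, as an added example that is not part of the original article: it derives the hosts-file entries from the ansible_host values, checks that every name is mapped before the IPs are dropped, and prints the inventory without them. The function names are hypothetical, and a temporary file stands in for /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.
# Moves host IPs from an INI inventory into hosts-file entries and checks the result.

# hosts_entries INVENTORY -> "IP name" lines suitable for /etc/hosts.
hosts_entries() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*\[/ { next }       # comments and [section] headers
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^ansible_host=/) print substr($i, length("ansible_host=") + 1), $1
        }
    ' "$1"
}

# missing_from_hosts INVENTORY HOSTSFILE -> names whose IP mapping is not in HOSTSFILE.
missing_from_hosts() {
    hosts_entries "$1" | while read -r ip name; do
        awk -v ip="$ip" -v n="$name" '
            $1 == ip { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit !found }' "$2" || echo "$name"
    done
}

# strip_ansible_host INVENTORY -> the inventory with every ansible_host=... removed.
strip_ansible_host() {
    sed 's/[[:space:]]\{1,\}ansible_host=[^[:space:]]*//' "$1"
}

# Constructed demo using the host lines from the article's Step 3 inventory.
work=$(mktemp -d)
cat > "$work/inventory" <<'EOF'
websrv01 ansible_host=172.31.2.94
websrv02 ansible_host=172.31.12.107
websrv03 ansible_host=172.31.15.24
dbsrv01 ansible_host=172.31.0.249

[DBServerGroup]
dbsrv01
EOF
hosts_entries "$work/inventory" > "$work/hosts"     # stand-in for /etc/hosts
missing_from_hosts "$work/inventory" "$work/hosts"  # prints nothing: safe to strip
strip_ansible_host "$work/inventory"
rm -rf "$work"
```

Running missing_from_hosts against the real /etc/hosts before replacing the inventory catches a name that would otherwise stop resolving on the Ansible machine.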
 

Using Ansible SSH private key variable

 
We have seen that the private and public keys are stored in the user’s home directory by default. But what if we have stored the keys in a different path, or if the private keys used to log in to the target machines are different for different machines?
 
So, in all those cases we can make use of a very significant variable named “ansible_ssh_private_key_file”.
 
Thus, we are going to update our inventory file with the path of our private key, though we have the same private key to log in for all the target machines.
 
The updated inventory file will look like this.
    websrv01
    websrv02
    websrv03
    dbsrv01

    [WebServersGroup]
    websrv01
    websrv02
    websrv03

    [DBServerGroup]
    dbsrv01

    [DataCenter_Ncali:children]
    WebServersGroup
    DBServerGroup

    [DataCenter_Ncali:vars]
    ansible_user=devops
    ansible_ssh_private_key_file=/home/ubuntu/.ssh/id_rsa
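
A pre-flight check for the key paths set through this variable, as an added example that is not part of the original article: it collects every ansible_ssh_private_key_file value from an INI inventory and confirms that the file exists and is not accessible to group or others. The function name check_inventory_keys and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article); check_inventory_keys is a
# hypothetical helper that validates every ansible_ssh_private_key_file path.

# check_inventory_keys INVENTORY -> one status line per key; returns 1 on any problem.
check_inventory_keys() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            gsub(/[ \t]*=[ \t]*/, "=")              # tolerate "key = value"
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ansible_ssh_private_key_file=/)
                    print substr($i, length("ansible_ssh_private_key_file=") + 1)
        }
    ' "$1" | sort -u | (
        rc=0
        while IFS= read -r key; do
            case $key in "~/"*) path=$HOME/${key#"~/"} ;; *) path=$key ;; esac
            if [ ! -f "$path" ]; then
                echo "MISSING  $key"; rc=1; continue
            fi
            # Characters 5-10 of the ls mode string are the group and other bits;
            # OpenSSH ignores a private key that group or others can access.
            if [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
                echo "TOO-OPEN $key (fix with: chmod 600)"; rc=1; continue
            fi
            echo "OK       $key"
        done
        exit "$rc"
    )
}

# Constructed demo: two empty stand-in key files and a small inventory.
d=$(mktemp -d)
: > "$d/good_key"; chmod 600 "$d/good_key"
: > "$d/open_key"; chmod 644 "$d/open_key"
cat > "$d/inventory" <<EOF
websrv01 ansible_ssh_private_key_file=$d/open_key

[DataCenter_Ncali:vars]
ansible_user = devops
ansible_ssh_private_key_file = $d/good_key
EOF
check_inventory_keys "$d/inventory" || echo "fix the key files listed above"
rm -rf "$d"
```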

Summary

 
In this article, we have learned how to make our inventory file clean and secure by removing the hosts' IP addresses and the cleartext password. We have also seen how to make effective use of the Ansible SSH private key variable in different kinds of scenarios. In the next article, we will cover some more interesting topics.
 
I hope you find this article helpful. Stay tuned for more … Cheers!!
 