Managing SSH keys efficiently is crucial for maintaining secure access to your servers. The Ansible authorized_key module simplifies this task by automating the process of adding and removing SSH keys on remote systems. This module allows you to manage key-based authentication without manual intervention. This will reducing the risk of human error and ensuring consistency across your infrastructure.
This guide will walk you through the process of managing SSH keys using Ansible.
Table of Contents
Understanding Ansible authorized_key Module
The basic syntax of the Ansible authorized_key module looks like this:
- name: Manage SSH keys
ansible.builtin.authorized_key:
user: username
state: state
key: ssh_keyHere is a brief explanation:
- user: (required) The username of the user for whom the SSH key is being managed.
- state: (optional, default: present) Indicates whether the key should be present or absent in the user’s authorized_keys file.
- key: (required if state=present) The SSH public key to add or remove. This can be provided as a string or you can use the lookup plugin to read the key from a file.
Adding SSH Keys
Adding SSH keys to a remote host is a common task. It allows secure access to the host. Below are examples of how to add SSH keys using Ansible.
Example 1: Adding a Single SSH Key
To add a single SSH key for a user, use the following playbook:
---
- name: Add SSH Key for User
hosts: all
become: yes
tasks:
- name: Add authorized key for user
ansible.builtin.authorized_key:
user: johndoe
state: present
key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7X... your_key_comment"In this playbook.
- hosts: all specifies that the task should run on all hosts in the inventory.
- become: yes allows the task to run with sudo privileges.
- The task adds the specified SSH key to the Johndoe user’s ~/.ssh/authorized_keys file.
Example 2: Adding Multiple SSH Keys
To add multiple SSH keys, you can use a list and loop through each key:
---
- name: Add Multiple SSH Keys for User
hosts: all
become: yes
vars:
ssh_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key1_comment"
- "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key2_comment"
tasks:
- name: Add authorized keys for user
ansible.builtin.authorized_key:
user: johndoe
state: present
key: "{{ item }}"
loop: "{{ ssh_keys }}"In this playbook.
- A variable ssh_keys is defined with a list of SSH keys.
- The task loops through each key and adds it to the johndoe user’s ~/.ssh/authorized_keys file.
Removing SSH Keys
Removing SSH keys is important for revoking access. Below are examples of how to remove SSH keys using Ansible.
Example 1: Removing a Single SSH Key
To remove a single SSH key for a user, use the following playbook:
---
- name: Remove SSH Key for User
hosts: all
become: yes
tasks:
- name: Remove authorized key for user
ansible.builtin.authorized_key:
user: johndoe
state: absent
key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... your_key_comment"In this playbook.
- The task removes the specified SSH key from the johndoe user’s ~/.ssh/authorized_keys file.
Example 2: Removing Multiple SSH Keys
To remove multiple SSH keys, you can use a list and loop through each key:
---
- name: Remove Multiple SSH Keys for User
hosts: all
become: yes
vars:
ssh_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key1_comment"
- "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... key2_comment"
tasks:
- name: Remove authorized keys for user
ansible.builtin.authorized_key:
user: johndoe
state: absent
key: "{{ item }}"
loop: "{{ ssh_keys }}"In this playbook.
- The task loops through each key and removes it from the johndoe user’s ~/.ssh/authorized_keys file.
Verifying SSH Key Existence
Verifying the existence of an SSH key is useful. It helps ensure that the key is present before performing other tasks. Here’s how to verify the existence of an SSH key.
---
- name: Verify SSH Key Existence
hosts: all
become: yes
tasks:
- name: Check if SSH key is present
ansible.builtin.stat:
path: /home/johndoe/.ssh/authorized_keys
register: authorized_keys_file
- name: Debug authorized keys file
debug:
var: authorized_keys_fileIn this playbook.
- The stat module checks if the authorized_keys file exists for the user.
- The debug task prints the status of the authorized_keys file.
Real-World Use Case
Imagine you need to grant temporary access to a contractor. You can add their SSH key for a limited time and remove it after the project is complete.
This playbook temporarily grants SSH access to a user named Johndoe by adding a contractor’s SSH key. It then waits for one hour and removes the key to revoke access.
---
- name: Grant Temporary Access
hosts: all
become: yes
tasks:
- name: Add contractor's SSH key
ansible.builtin.authorized_key:
user: johndoe
state: present
key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... contractor_key"
- name: Wait for 1 hour
pause:
minutes: 60
- name: Remove contractor's SSH key
ansible.builtin.authorized_key:
user: johndoe
state: absent
key: "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEArZ... contractor_key"Conclusion
Managing SSH keys with Ansible provides a secure and efficient way to control access to your servers. The authorized_key module allows you to automate the process of adding and removing SSH keys. This ensures that only authorized users can access your systems.
FAQs
1. Can I remove an SSH key from a remote server using the authorized_key module?
Yes, you can remove an SSH key by using the state: absent parameter with the authorized_key module, along with the specific key or key file.
2. Is it possible to manage multiple keys for a user using the authorized_key module?
Yes, you can add multiple SSH keys by defining multiple tasks in your playbook, each specifying a different key or using a loop.
3. Can I use a key file instead of directly specifying the SSH key in the playbook?
Yes, use the keyfile parameter to reference a file containing the public key rather than specifying the key directly.
4. How can I verify if an SSH key was successfully added to a remote server?
You can use the stat module or shell command to check the ~/.ssh/authorized_keys file and confirm that the key was added.
