Type1: With Ansible Shell module and Typical Commands. In this method, We are not going to use any ansible in-built module and every step is done manually by executing the shell command. The Playbook contains the following tasks. Create an SSH Private and Public Key using ssh-keygen command. Whether this module should manage the directory of the authorized key file. If set to yes, the module will create the directory, as well as set the owner and permissions of an existing directory. Be sure to set managedir=no if you are using an alternate directory for authorizedkeys, as set with path, since you could lock yourself out of SSH.
Contents
- 2 Getting started
- 2.1 Create and run your first playbook
- 3 Creating User accounts
- 4 Automate adding ssh keys to user accounts
- 5 Use lineinfile to update /etc/sudoers for passwordless sudo
We are going to use Ansible to create user accounts and add users to groups, setup them up with access via ssh using by adding their public keys to authorized_key files. For the minimum version of this task we are just going to do four things:
- Create a list of user names
- Create a user account for each user name.
- Add each user’s ssh public key to the account
- Modify
/etc/sudoersso the users can usesudowithout entering a password
The guide has been tested using a new Digital Ocean Ubuntu 17.04 Droplet on the cheapest plan, and everything runs as root when connected to the server via ssh or console (Such as with Digital Ocean’s Console option on the control panel)
For this guide we are going to setup the playbook to run a server directly, using the “local” connection method so when run as root we don’t need to worry about additional authentication or setting up host inventories.
Install Ansible
To get Ansible installed you can just run apt-get install ansible which will install version 2.2. Or check out the Ansible documentation if you want to get the latest version.
Create and run your first playbook
To check everything is working as it should, it’s best to run a barebones playbook with just a ping task which will check your setup using the simplest version of a playbook possible.
Create a file called users.yml with the following snippet, and run it with ansible-playbook users.yml
Don’t worry about the [WARNING]: provided hosts list is empty, only localhost is available message, we are only working with localhost so this is to be expected.
users.yml
Watch it run
Adding a list of users to the playbook vars
At the top of the playbook, we add a simple list of usernames.
vars
Full users.yml
Now we have a list of usernames in a variable, we can use that to create user accounts.
In it’s simplest form the Ansible User Module just needs to be given a name, and we can use the with_items to apply our list to the module in a loop.
When using with_items the value becomes available as item, in it’s simplest form you '{{ item }}' will use the item value for a module property.
So our users are more useful, we are also going to add the groups admin and www-data to each user.
user task
Full file
Watch it run
Ansible Generate_ssh_key
The newly created user accounts on a server don’t have passwords set, so to be able to log in we need to add each users ssh key to their authorize_keys file. We can do this using Ansible’s Authorized Key Moduleauthorized_key that takes user and a file in key.
key takes a file, which can be loaded using the lookup('file','path to file') function. In this code, we put the public SSH keys in files/username.key.pub. By having the file names match to the username we can use the same users var for the loop without needing to add additional parameters at this stage.
Exit_json Ansible
authorized_key task
Dir contents
Full users.yml
Watch it run
Now your users can login with their ssh keys, but won’t be able to do any server admin with sudo because without passwords set, they can’t enter their password when prompted when they use the command as per the default behaviour. To get around this limitation, we can update /etc/sudoers with Ansible’s lineinfile Module.
This simple implementation of the lineinfile looks for a line starting with – represented in a regexp as ^ – with the string %admin and then ensures it matches the line%admin ALL=(ALL) NOPASSWD: ALL
Once in place, any users in the admin group will no longer be prompted for a password when using sudo
lineinfile task
Full users.yml
Ansible Add Ssh Key
Next Steps: Creating a Viable Version
Ansible Generate_ssh_key Module 2
The next part of this guide steps up to the Viable version, by defining expanding the vars to have multiple properties per item using complex vars to add groups per user, using user state for a method to disable users accounts. The improved playbook also introduces handlers and notify to restart services when the configuration changes. Improve the user management playbook in the next guide.