Re: [ansible-project] Management of multiple exclusive authorized_keys entries, for multiple users

[Daniel Nägele]

Hi,

I am using the assemble module, like this:

```yaml
- name: ssh keys for root
  assemble: src=. dest=/root/.ssh/authorized_keys owner=root group=root 
mode=0600 remote_src=false
```

This ensures a synced set of SSH keys from a dir in my playbook repo, where all 
stale keys are being removed and all modifications are detected. This makes use 
of the fact that SSH accepts multiple keys in a single file. 

Best regards,
Daniel

On Fri, 11 Dec 2015 07:11:27 -0800 (PST)
cmacrae  wrote:

> Hi everyone.
> 
> I've been mulling something over in my head, I've got something I want to 
> tackle, but I'm not sure how to go about doing so.
> 
> Here's the scenario: I want to put together a tiny role that manages user's 
> authorized keys. Keys defined in the inventory 
> (host_vars/group_vars/playbook vars, etc.) should be the only ones present 
> in the user's authorized_keys file.
> 
> I have some keys specified like so:
> 
> root_ssh_public_keys:
>   member1:
> pubkey: ssh-rsa 
> B3NzaC1yc2EBIwAAAQEAvVO3ULx8fNGgInHCFQV6w/gEARBWyS9eA1qRaTEu4njawEjiqSGFHgPuvmgtKlft2MqbnCG3cokFKRAEOZEzy+jUMES8IQEHuSsJuZFnlUC4yzm1mI1OjJk9PwTLDD6OGJDL1gIkz37CYITbsaufS6gFrpoMBZhkVcVKk0JBnmwF/QZUD1uHKFLMtyVwvw8pzWcBcAYBBw5O6hjo2pRIX100bCdMxDrXwFp4yFiJPG6LCya4701whZpqgwk3d/RakJdZLA3pgAlVPZswz8ezj2U5PIYJl+LrUaPE57ZR/eVwNnBE7QPsKCCurIy1bLR0KXiqOmUzdzWDphYCelRurQ==
>  member1
>   member2:
> pubkey: ssh-rsa 
> B3NzaC1yc2EBIwAAAQEAtkScC/o1aDxaXFJdyTMhlF4UewNO/tdQf6EIYJzikSBNKECBjmvrM6bNaIkWA/AzB2dgTS0mug2aVomsBeyN8gAGfV/Wi3bO1kXuI23BmkPUn36OgE5ppQ0O2Gp8VjJaffV9EiYeEY/QlwnshAS9gfDPeTO+u5f0ZP0TZw29m+F3CKIJWPruDJJvXMkyc5qokh5kUpm0qYlhGyDi596st3Gsh/9LF/I2sEJH3LTP0gs0bWjbHN9XcIw8gbPT50zNZvqv9FGvgsMCErYC5lwPVN1670cpOpqLYV4PgU77t751CE9RsmASeB6Elwh0pAKlfxzITBx4W6aVxkl8Utlblw==
>  member2
>   member3:
> pubkey: ssh-rsa 
> B3NzaC1yc2EBIwAAAQEA2nyE+baFvebdFqiuEEjGYtLHxgduypfBg1laG8DP9Re0ln0lIJRsTw2HoB1giKRpkLXUdYkS+QVkzP0oZCNRZWuEgIuJnL8vl6c0S53UaFTNbZliIuSQLSPsEbQfIu1lQ9voZG2pwJQTj4yICnr29dSPs6ef4n8pox7hhDZSf6LBrrWWc51WYrZwXCSeDstqq53goCKLeujSZ6Ww3T7Ac17OzyhIQCl0x1w8LlcMshaczPKbFLxgLltIF8OmX9PLHuX0enFOVGKyRW66MIIyHuK65gxY/+8mjrzTw9aWOiQVvYZsjuzqBIBQy4h85ex8wF0xztR50D2ylvrbXSNl2w==
>  member3
> 
> 
> Currently, I have this task that deploys them and ensures they're the only 
> keys in the root user's authorized_keys list:
> 
>   - name: "Ensure team pubkeys are in root's authorized_keys"
> authorized_key:
>   user: root
>   manage_dir: yes
>   exclusive: yes
>   key: |
> {% for _, user in root_ssh_public_keys.items()%}
> {% for _, key in user.items() %}
> {{ key }}
> {% endfor %}
> {% endfor %}
> tags: ssh_keys
> 
> Now, what I want to be able to do is chuck this into a little role, and 
> have it be usable for any user definitions.
> So, say I had a system with the user 'example' on, and I wanted to specify 
> some keys I want that user to have in their authorized_keys list.
> I could go to that system's host_vars and add the following:
> 
> example_ssh_public_keys:
>   someone:
> pubkey: ssh-rsa 
> B3NzaC1yc2EBIwAAAQEAvVO3ULx8fNGgInHCFQV6w/gEARBWyS9eA1qRaTEu4njawEjiqSGFHgPuvmgtKlft2MqbnCG3cokFKRAEOZEzy+jUMES8IQEHuSsJuZFnlUC4yzm1mI1OjJk9PwTLDD6OGJDL1gIkz37CYITbsaufS6gFrpoMBZhkVcVKk0JBnmwF/QZUD1uHKFLMtyVwvw8pzWcBcAYBBw5O6hjo2pRIX100bCdMxDrXwFp4yFiJPG6LCya4701whZpqgwk3d/RakJdZLA3pgAlVPZswz8ezj2U5PIYJl+LrUaPE57ZR/eVwNnBE7QPsKCCurIy1bLR0KXiqOmUzdzWDphYCelRurQ==
>  someone
>   someone_else:
> pubkey: ssh-rsa 
> B3NzaC1yc2EBIwAAAQEAtkScC/o1aDxaXFJdyTMhlF4UewNO/tdQf6EIYJzikSBNKECBjmvrM6bNaIkWA/AzB2dgTS0mug2aVomsBeyN8gAGfV/Wi3bO1kXuI23BmkPUn36OgE5ppQ0O2Gp8VjJaffV9EiYeEY/QlwnshAS9gfDPeTO+u5f0ZP0TZw29m+F3CKIJWPruDJJvXMkyc5qokh5kUpm0qYlhGyDi596st3Gsh/9LF/I2sEJH3LTP0gs0bWjbHN9XcIw8gbPT50zNZvqv9FGvgsMCErYC5lwPVN1670cpOpqLYV4PgU77t751CE9RsmASeB6Elwh0pAKlfxzITBx4W6aVxkl8Utlblw==
>  someone_else  
> 
> 
> Notice the variable name is 'example_ssh_public_keys'.
> In my task above, I need a way of dynamically defining both the 'user' 
> parameter value (shown above as 'root') and the dictionary I'm operating on 
> (shown above as 'root_ssh_public_keys').
> 
> My point being I need this to be re-usable for different users.
> 
> Am I going about this in a really stupid manner? What would be the best way 
> to approach this?
> 
> Thanks in advance for any help!
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to ansible-project+unsubscr...@googlegroups.com.
> To post to this group, send email to ansible-project@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/ansible-project/84e4429a-c376-42fc-a477-4b2f05b36722%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to

[ansible-project] Management of multiple exclusive authorized_keys entries, for multiple users

[cmacrae]

Hi everyone.

I've been mulling something over in my head, I've got something I want to 
tackle, but I'm not sure how to go about doing so.

Here's the scenario: I want to put together a tiny role that manages user's 
authorized keys. Keys defined in the inventory 
(host_vars/group_vars/playbook vars, etc.) should be the only ones present 
in the user's authorized_keys file.

I have some keys specified like so:

root_ssh_public_keys:
  member1:
pubkey: ssh-rsa 
B3NzaC1yc2EBIwAAAQEAvVO3ULx8fNGgInHCFQV6w/gEARBWyS9eA1qRaTEu4njawEjiqSGFHgPuvmgtKlft2MqbnCG3cokFKRAEOZEzy+jUMES8IQEHuSsJuZFnlUC4yzm1mI1OjJk9PwTLDD6OGJDL1gIkz37CYITbsaufS6gFrpoMBZhkVcVKk0JBnmwF/QZUD1uHKFLMtyVwvw8pzWcBcAYBBw5O6hjo2pRIX100bCdMxDrXwFp4yFiJPG6LCya4701whZpqgwk3d/RakJdZLA3pgAlVPZswz8ezj2U5PIYJl+LrUaPE57ZR/eVwNnBE7QPsKCCurIy1bLR0KXiqOmUzdzWDphYCelRurQ==
 member1
  member2:
pubkey: ssh-rsa 
B3NzaC1yc2EBIwAAAQEAtkScC/o1aDxaXFJdyTMhlF4UewNO/tdQf6EIYJzikSBNKECBjmvrM6bNaIkWA/AzB2dgTS0mug2aVomsBeyN8gAGfV/Wi3bO1kXuI23BmkPUn36OgE5ppQ0O2Gp8VjJaffV9EiYeEY/QlwnshAS9gfDPeTO+u5f0ZP0TZw29m+F3CKIJWPruDJJvXMkyc5qokh5kUpm0qYlhGyDi596st3Gsh/9LF/I2sEJH3LTP0gs0bWjbHN9XcIw8gbPT50zNZvqv9FGvgsMCErYC5lwPVN1670cpOpqLYV4PgU77t751CE9RsmASeB6Elwh0pAKlfxzITBx4W6aVxkl8Utlblw==
 member2
  member3:
pubkey: ssh-rsa 
B3NzaC1yc2EBIwAAAQEA2nyE+baFvebdFqiuEEjGYtLHxgduypfBg1laG8DP9Re0ln0lIJRsTw2HoB1giKRpkLXUdYkS+QVkzP0oZCNRZWuEgIuJnL8vl6c0S53UaFTNbZliIuSQLSPsEbQfIu1lQ9voZG2pwJQTj4yICnr29dSPs6ef4n8pox7hhDZSf6LBrrWWc51WYrZwXCSeDstqq53goCKLeujSZ6Ww3T7Ac17OzyhIQCl0x1w8LlcMshaczPKbFLxgLltIF8OmX9PLHuX0enFOVGKyRW66MIIyHuK65gxY/+8mjrzTw9aWOiQVvYZsjuzqBIBQy4h85ex8wF0xztR50D2ylvrbXSNl2w==
 member3


Currently, I have this task that deploys them and ensures they're the only 
keys in the root user's authorized_keys list:

  - name: "Ensure team pubkeys are in root's authorized_keys"
authorized_key:
  user: root
  manage_dir: yes
  exclusive: yes
  key: |
{% for _, user in root_ssh_public_keys.items()%}
{% for _, key in user.items() %}
{{ key }}
{% endfor %}
{% endfor %}
tags: ssh_keys

Now, what I want to be able to do is chuck this into a little role, and 
have it be usable for any user definitions.
So, say I had a system with the user 'example' on, and I wanted to specify 
some keys I want that user to have in their authorized_keys list.
I could go to that system's host_vars and add the following:

example_ssh_public_keys:
  someone:
pubkey: ssh-rsa 
B3NzaC1yc2EBIwAAAQEAvVO3ULx8fNGgInHCFQV6w/gEARBWyS9eA1qRaTEu4njawEjiqSGFHgPuvmgtKlft2MqbnCG3cokFKRAEOZEzy+jUMES8IQEHuSsJuZFnlUC4yzm1mI1OjJk9PwTLDD6OGJDL1gIkz37CYITbsaufS6gFrpoMBZhkVcVKk0JBnmwF/QZUD1uHKFLMtyVwvw8pzWcBcAYBBw5O6hjo2pRIX100bCdMxDrXwFp4yFiJPG6LCya4701whZpqgwk3d/RakJdZLA3pgAlVPZswz8ezj2U5PIYJl+LrUaPE57ZR/eVwNnBE7QPsKCCurIy1bLR0KXiqOmUzdzWDphYCelRurQ==
 someone
  someone_else:
pubkey: ssh-rsa 
B3NzaC1yc2EBIwAAAQEAtkScC/o1aDxaXFJdyTMhlF4UewNO/tdQf6EIYJzikSBNKECBjmvrM6bNaIkWA/AzB2dgTS0mug2aVomsBeyN8gAGfV/Wi3bO1kXuI23BmkPUn36OgE5ppQ0O2Gp8VjJaffV9EiYeEY/QlwnshAS9gfDPeTO+u5f0ZP0TZw29m+F3CKIJWPruDJJvXMkyc5qokh5kUpm0qYlhGyDi596st3Gsh/9LF/I2sEJH3LTP0gs0bWjbHN9XcIw8gbPT50zNZvqv9FGvgsMCErYC5lwPVN1670cpOpqLYV4PgU77t751CE9RsmASeB6Elwh0pAKlfxzITBx4W6aVxkl8Utlblw==
 someone_else  


Notice the variable name is 'example_ssh_public_keys'.
In my task above, I need a way of dynamically defining both the 'user' 
parameter value (shown above as 'root') and the dictionary I'm operating on 
(shown above as 'root_ssh_public_keys').

My point being I need this to be re-usable for different users.

Am I going about this in a really stupid manner? What would be the best way 
to approach this?

Thanks in advance for any help!

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/84e4429a-c376-42fc-a477-4b2f05b36722%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.