Ansible - openssh_cert module

If you are not familiar with modules, check out Ansible - Getting Started with Modules.

The openssh_cert module (community.crypto.openssh_cert when installed as a collection) creates an OpenSSH certificate (such as new_cert.pub) by signing an existing public key (such as id_rsa.pub) with a certificate authority's private key. The openssh_keypair module is what creates the private key (such as id_rsa) and its public key (such as id_rsa.pub); it does not create certificates. signing_key is the private key of the CA. The examples on this page use the user's own id_rsa as signing_key, which produces a self-signed certificate; in practice signing_key is a dedicated CA key whose public half the SSH servers trust.

A certificate is not appended to authorized_keys. Instead, the CA's public key is added to the server's authorized_keys with the cert-authority option (the authorized_key module can do that with key_options: "cert-authority"), or to TrustedUserCAKeys in sshd_config, and sshd then accepts any certificate that CA has signed for the connecting user. valid_from: always and valid_to: forever, as used below, produce a certificate that never expires; the module also accepts absolute timestamps and relative offsets such as +0s and +8h, and short-lived certificates are the main reason to use certificates instead of plain keys.

- name: Create the new_cert.pub public certificate
  openssh_cert:
    type: user
    signing_key: /home/john.doe/.ssh/id_rsa
    public_key: /home/john.doe/.ssh/id_rsa.pub
    path: /home/john.doe/.ssh/new_cert.pub
    valid_from: always
    valid_to: forever

Optional parameters:

  • force - defaults to "no", which leaves an existing certificate alone. With "yes", an existing certificate is overwritten with a new one.
  • identifier - the key ID embedded in the certificate (e.g. identifier: "john.doe@laptop"); sshd logs it on every login, so make it meaningful
  • principals - the user names (type: user) or host names (type: host) the certificate is valid for (e.g. principals: ["john.doe"]). With no principals the certificate is not bound to any particular account.
  • options - certificate options to embed, such as force-command or source-address (e.g. options: ["source-address=10.0.0.0/8"])
  • owner (e.g. owner: "john.doe")
  • group (e.g. group: "john.doe")
  • mode (e.g. mode: "0644")
  • regenerate - when an existing certificate is regenerated (this concerns the certificate, not the private key; see ansible-doc openssh_cert for the accepted values)
  • serial_number - the certificate serial number, which sshd logs and which a KRL uses to revoke the certificate
  • seuser - SELinux user (e.g. seuser: "unconfined_u")
  • serole - SELinux role (e.g. serole: "object_r")
  • setype - SELinux type (e.g. setype: "ssh_home_t", the type of files under ~/.ssh)
  • selevel - SELinux level (e.g. selevel: "s0")
  • state - present (to create the certificate) or absent (to delete the certificate)
  • type - user (certificate for a client key) or host (certificate for a server host key)
  • valid_from / valid_to - the validity window; "always" and "forever" are accepted, as are timestamps and relative offsets such as +0s and +8h


Example:

- name: "Create the new_cert.pub public certificate"
  openssh_cert:
    force: "no"
    owner: "john.doe"
    group: "john.doe"
    mode: "0644"
    path: "/home/john.doe/.ssh/new_cert.pub"
    public_key: "/home/john.doe/.ssh/id_rsa.pub"
    seuser: "unconfined_u"
    serole: "object_r"
    setype: "ssh_home_t"
    selevel: "s0"
    signing_key: "/home/john.doe/.ssh/id_rsa"
    state: "present"
    type: "user"
    valid_from: always
    valid_to: forever
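To see what the always/forever example above actually puts on the wire, and what a reviewer would check before trusting such a certificate, here is an added example that is not part of the original page or of the community.crypto module: a Python (standard library only) parser for the certificate line that openssh_cert writes, with a policy check run over it. The certificate bytes it builds are constructed for the example, with a placeholder public key, nonce, CA key and signature, and parse_cert does not verify signatures; the function names, the 24-hour threshold and the finding texts in lint_cert are assumptions made here.

```python
import base64
import struct

FOREVER = 0xFFFFFFFFFFFFFFFF  # what "valid_to: forever" encodes on the wire
CERT_TYPE = {1: "user", 2: "host"}
KEY_FIELDS = {  # public-key fields between the nonce and the serial, per key type
    "ssh-ed25519-cert-v01@openssh.com": 1,          # string pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # mpint e, mpint n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # string curve, string Q
}

def _string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def _take(self, fmt):
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value
    def u32(self): return self._take(">I")
    def u64(self): return self._take(">Q")
    def string(self):
        n = self.u32()
        value, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return value
    def done(self): return self.pos >= len(self.data)

def _string_list(blob):
    """Packed list of strings (the valid-principals field)."""
    r, out = _Reader(blob), []
    while not r.done():
        out.append(r.string().decode())
    return out

def _name_value_pairs(blob):
    """Critical options and extensions: repeated (string name, string data)."""
    r, out = _Reader(blob), {}
    while not r.done():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out

def parse_cert(line):
    """Parse one certificate line (the content of new_cert.pub); the signature is not verified."""
    key_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != key_type:
        raise ValueError("key type prefix does not match certificate body")
    r.string()                              # nonce
    for _ in range(KEY_FIELDS[key_type]):   # the public key being certified
        r.string()
    return {
        "key_type": key_type,
        "serial": r.u64(),
        "type": CERT_TYPE[r.u32()],
        "key_id": r.string().decode(),
        "principals": _string_list(r.string()),
        "valid_after": r.u64(),
        "valid_before": r.u64(),
        "critical_options": _name_value_pairs(r.string()),
        "extensions": _name_value_pairs(r.string()),
    }

def build_cert(key_id, principals, valid_after, valid_before,
               cert_type=1, serial=0, extensions=("permit-pty",)):
    """Constructed sample certificate: the public key, nonce, CA key and signature are
    placeholders (real signing is done by ssh-keygen, which is what openssh_cert runs)."""
    key_type = "ssh-ed25519-cert-v01@openssh.com"
    body = (_string(key_type.encode()) + _string(b"\x00" * 32) + _string(b"\x11" * 32)
            + struct.pack(">QI", serial, cert_type) + _string(key_id.encode())
            + _string(b"".join(_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + _string(b"")                                                 # critical options
            + _string(b"".join(_string(e.encode()) + _string(b"") for e in extensions))
            + _string(b"")                                                 # reserved
            + _string(b"placeholder-ca-key") + _string(b"placeholder-signature"))
    return f"{key_type} {base64.b64encode(body).decode()} {key_id}"

def lint_cert(cert, max_hours=24):
    """Policy findings a reviewer would raise before trusting a user certificate."""
    findings = []
    if cert["type"] == "user" and not cert["principals"]:
        findings.append("no principals: certificate is not bound to an account")
    if cert["valid_after"] == 0:
        findings.append("valid_from: always (no not-before bound)")
    if cert["valid_before"] == FOREVER:
        findings.append("valid_to: forever (certificate never expires)")
    elif cert["valid_before"] - cert["valid_after"] > max_hours * 3600:
        findings.append(f"validity window longer than {max_hours}h")
    return findings

# The page's example (valid_from: always, valid_to: forever, no principals) next to an 8h certificate.
PAGE_STYLE_CERT = build_cert("john.doe", [], 0, FOREVER)
SHORT_LIVED_CERT = build_cert("john.doe", ["john.doe"], 1_700_000_000, 1_700_000_000 + 8 * 3600, serial=7)
```

lint_cert(parse_cert(PAGE_STYLE_CERT)) returns three findings (no principals, valid_after of 0, valid_before of 2^64-1), which is exactly what the always/forever task above encodes; lint_cert(parse_cert(SHORT_LIVED_CERT)) returns none. For a real certificate, ssh-keygen -L -f new_cert.pub prints the same fields (Type, Key ID, Serial, Valid, Principals, Critical Options, Extensions) and is the quickest manual check after the play has run.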

Web design by yours truly - me, myself, and I   |   jeremy.canfield@freekb.net   |