Bootstrap FreeKB - Ansible - Getting Started with SSH
Ansible - Getting Started with SSH

Updated:   |  Ansible articles

By default, Ansible uses SSH to connect to managed nodes (e.g. target systems). For this reason, Ansible typically requires relatively easy configuration to run against Linux servers, since most Linux servers are setup with SSH. On the other hand, Windows servers can take a bit of planning, setup, and configuration since typically WinRM (Windows Remote Management) is used instead of SSH for Windows hosts.

 

The ansible-doc command can be used to display the different type of protocols that can be used, such as SSH, Paramiko SSH, local, and so on. The --connection command line option can be used to specify the connection plugin that is used.

ansible-playbook foo.yml --connection=ssh

 

Or you could define the connection plugin to use in your default inventory file.

[all:vars]
ansible_connection=paramiko_ssh

 


SSH user

When using the ansible-playbook command, there are numerous ways to define the user that will make the SSH connection.

If none of the above are used, the user that invokes the ansible-playbook command will be the user that is used for the SSH connection.


Known hosts

When making an SSH connection to a server, if the SSH key of the server (server1.example.com in this example) is not listed in the /etc/ssh/ssh_known_hosts or /home/username/.ssh/known_hosts file on the control node (your Ansible server), a prompt will appear stating The authenticity of host 'hostname (ip address)' can't be established, like this.

The authenticity of host 'server1.example.com (10.115.55.189)' can't be established
DSA key fingerprint is BB37 83F2 5E3A 7A4C 6C84  F047 D97B DD4E 38BB 2082
Are you sure you want to continue connecting (yes/no)?

 

Typing yes and pressing enter will append the key of the managed node to the known hosts file on the control node. Or, the known_hosts module can be used to append the managed nodes key to your known hosts file.

 


Authentication

SSH has a couple different authentication method.

  • Password authentication
  • Public/Private key authentication

It's important to recognize that the SSH connection will be made as a certain user. In this example, since remote_user: john.doe is included, then the SSH authentication will be for john.doe.

---
- hosts: all
  remote_user: john.doe
  tasks:
  - file:
      path: /tmp/foo.txt
      state: touch
...

 

If you attempt to make a connection to a managed node and Ansible has not been configured for SSH, UNREACHABLE most likely be returned. Notice in this example that the SSH server can accept john.doe SSH key (publickey) or john.doe SSH password.

server1.example.com | UNREACHABLE! => {	
    "changed": false,
    "msg": "john.doe@server1.example.com Failed to connect to the host via ssh: Permission denied (publickey, password).",
    "unreachable": true 
}

 

Password authentication

If the SSH server is configured to accept password authentication, the following options can be used.

Passwordless authentication

If the SSH server is configured to accept passwordless authentication, and the managed nodes are a Linux distribution, and OpenSSH is being used on each managed node, the ssh-keygen command can be used to create your users private key (such as id_rsa) and public certificate (such as id_rsa.pub) on the control node. While you could use the openssh_keypair module or user module with the delegate_to: localhost parameter to create your users keypair, this usually doesn't make much since, since the generation of your users keypair is typically a one time task.

ssh-keygen

 

Then the authorized_key module with the --ask-pass can be used to append the users public key to the managed nodes authorized_keys file.

[root@control ~] ansible-playbook ssh.yml --ask-pass

 

If you are not root, you may need to use the become command line flags.

[john.doe@control ~] ansible-playbook ssh.yml --ask-pass --become --become-method=sudo --become-user=root --ask-become-pass

 

If you are connecting to a managed node as some other user, you may need to include remote_user in the playbook.

---
- hosts: aws
  remote_user: ec2-user
  tasks:
  - name: touch /tmp/foo.txt
    file:
      path: /tmp/foo.txt
      state: touch
...

 

After this has been done, then passwordless SSH connections can be made to the managed node without having to use the --ask-pass flag.

[root@control ~] ansible-playbook ssh.yml

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter d2770a in the box below so that we can be sure you are a human.