This is an SSH-key version of the Ansible playbook posted in the previous article. As before, it creates a large number of sequentially numbered users, for example for developers, but uses key authentication instead of password authentication.
Playbook
The beginning is almost the same as in the previous article; the initial-password variable is no longer needed and has been removed.
usercreate_withkey.yml
---
- name: Create many user
  hosts: localhost
  vars:
    # Renders "1,2,...,10," (note the trailing comma), so split() leaves an
    # empty last element that the loops below drop with user_num[:-1]
    user_num_data: "{% for n in range(10) %}{{n+1}},{% endfor %}"
    user_num: "{{ user_num_data.split(',') }}"
    pre_id: 50
    pre_name: devuser
    common_group: devgroup
  tasks:
    - name: Common group is created
      group:
        name: '{{ common_group }}'
        gid: '{{ pre_id }}00'
        state: present
    - name: Groups are created
      group:
        name: '{{ pre_name }}{{ item.zfill(2) }}'
        gid: '{{ pre_id }}{{ item.zfill(2) }}'
        state: present
      with_items:
        - '{{ user_num[:-1] }}'
In the user-creation task, add generate_ssh_key: true and ssh_key_bits: 4096 so that a 4096-bit RSA key pair (the module's default key type) is generated in each user's ~/.ssh when the account is created.
usercreate_withkey.yml
    - name: Users are created
      user:
        name: '{{ pre_name }}{{ item.zfill(2) }}'
        group: '{{ pre_name }}{{ item.zfill(2) }}'
        groups: '{{ pre_name }}{{ item.zfill(2) }}, {{ common_group }}'
        uid: '{{ pre_id }}{{ item.zfill(2) }}'
        state: present
        # Generates ~/.ssh/id_rsa (0600) and ~/.ssh/id_rsa.pub (0644) for the user
        generate_ssh_key: true
        ssh_key_bits: 4096
      with_items:
        - '{{ user_num[:-1] }}'
      register: usercreated
Next, create ~/.ssh/authorized_keys for each user from the public key that was just generated. The loop uses item.invocation.module_args.name rather than item.name because the latter raises an error in check mode (dry run). Note that the condition when: item.changed means this task only runs in the same run that created the user; if an authorized_keys file is later deleted, a re-run of the playbook will not restore it.
usercreate_withkey.yml
    - name: authorized_keys files are created
      copy:
        src: '/home/{{ item.invocation.module_args.name }}/.ssh/id_rsa.pub'
        dest: '/home/{{ item.invocation.module_args.name }}/.ssh/authorized_keys'
        owner: '{{ item.invocation.module_args.name }}'
        group: '{{ item.invocation.module_args.name }}'
        mode: '0600'
        remote_src: true
      with_items:
        - '{{ usercreated.results }}'
      when:
        - item.changed
        - item.invocation.module_args.state == "present"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"
Finally, collect the created users' private keys in /tmp (leaving aside, for now, the question of how to distribute the private keys in the first place). Be aware that mode: '0644' makes every private key in /tmp readable by any local account on the host; if you keep this step, use mode 0600 and a directory only root can read, and delete the files as soon as they have been handed over.
usercreate_withkey.yml
    - name: Secret key files are copied
      copy:
        src: '/home/{{ item.invocation.module_args.name }}/.ssh/id_rsa'
        dest: '/tmp/id_rsa_{{ item.invocation.module_args.name }}'
        owner: root
        group: root
        # 0644 leaves the private key world-readable; prefer 0600 if this step is kept
        mode: '0644'
        remote_src: true
      with_items:
        - '{{ usercreated.results }}'
      when:
        - item.changed
        - item.invocation.module_args.state == "present"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"
The execution result of ansible-playbook is as follows.
$ ansible-playbook -i inventories/test usercreate_withkey.yml
PLAY [Create many user] ************************************************************************************************
TASK [Gathering Facts] *************************************************************************************************
ok: [localhost]
TASK [Common group is created] *****************************************************************************************
ok: [localhost]
TASK [Groups are created] **********************************************************************************************
changed: [localhost] => (item=1)
changed: [localhost] => (item=2)
changed: [localhost] => (item=3)
changed: [localhost] => (item=4)
changed: [localhost] => (item=5)
changed: [localhost] => (item=6)
changed: [localhost] => (item=7)
changed: [localhost] => (item=8)
changed: [localhost] => (item=9)
changed: [localhost] => (item=10)
TASK [Users are created] ***********************************************************************************************
changed: [localhost] => (item=1)
changed: [localhost] => (item=2)
changed: [localhost] => (item=3)
changed: [localhost] => (item=4)
changed: [localhost] => (item=5)
changed: [localhost] => (item=6)
changed: [localhost] => (item=7)
changed: [localhost] => (item=8)
changed: [localhost] => (item=9)
changed: [localhost] => (item=10)
TASK [authorized_keys files are created] *******************************************************************************
changed: [localhost] => (item=devuser01)
changed: [localhost] => (item=devuser02)
changed: [localhost] => (item=devuser03)
changed: [localhost] => (item=devuser04)
changed: [localhost] => (item=devuser05)
changed: [localhost] => (item=devuser06)
changed: [localhost] => (item=devuser07)
changed: [localhost] => (item=devuser08)
changed: [localhost] => (item=devuser09)
changed: [localhost] => (item=devuser10)
TASK [Secret key files are copied] *************************************************************************************
changed: [localhost] => (item=devuser01)
changed: [localhost] => (item=devuser02)
changed: [localhost] => (item=devuser03)
changed: [localhost] => (item=devuser04)
changed: [localhost] => (item=devuser05)
changed: [localhost] => (item=devuser06)
changed: [localhost] => (item=devuser07)
changed: [localhost] => (item=devuser08)
changed: [localhost] => (item=devuser09)
changed: [localhost] => (item=devuser10)
PLAY RECAP *************************************************************************************************************
localhost : ok=6 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
The private keys are collected in /tmp, and you can log in with them. Note the -rw-r--r-- mode in the listing: as written, these keys are readable by every local user.
$ ls -l /tmp/id_rsa*
-rw-r--r-- 1 root root 3247 Apr 27 22:42 /tmp/id_rsa_devuser01
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser02
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser03
-rw-r--r-- 1 root root 3247 Apr 27 22:42 /tmp/id_rsa_devuser04
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser05
-rw-r--r-- 1 root root 3247 Apr 27 22:42 /tmp/id_rsa_devuser06
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser07
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser08
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser09
-rw-r--r-- 1 root root 3243 Apr 27 22:42 /tmp/id_rsa_devuser10
$ ssh -i /tmp/id_rsa_devuser01 devuser01@localhost
Last login: Mon Apr 27 22:46:46 2020 from ::1
$
That's all. The remaining question is how to distribute these private keys. The usual answer is not to distribute them at all: have each developer generate a key pair locally and install only the public key with the authorized_key module, so no private key ever has to be stored on or copied from the server.
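The following is an added, hardened variant of the same procedure; it is example code, not the author's playbook. It assumes ansible-core 2.10 or later with the ansible.posix collection installed (authorized_key lives there now), sudo rights on the managed host, and a controller-side directory private_keys next to the playbook (an assumed path). Compared with the original it generates ed25519 keys instead of 4096-bit RSA, fills authorized_keys from the ssh_public_key value that the user module returns (no copy task and no when: item.changed, so a re-run repairs a missing authorized_keys and check mode is handled by the when condition), and fetches the private keys to a 0700 directory on the controller with no_log set instead of staging them world-readable in /tmp.

```yaml
---
# Added example (not the original author's playbook). Assumptions: ansible-core
# 2.10+ with the ansible.posix collection, sudo rights on the host, and a
# private_keys directory next to the playbook on the controller.
- name: Create many users with SSH keys (hardened variant)
  hosts: localhost
  become: true
  vars:
    user_count: 10
    pre_id: 50
    pre_name: devuser
    common_group: devgroup
    # Controller-side directory that receives the private keys (assumed path)
    key_dir: "{{ playbook_dir }}/private_keys"
    # Templated lazily, so "item" is the current loop value wherever uname is used
    uname: "{{ pre_name }}{{ '%02d' | format(item) }}"
  tasks:
    - name: Controller-side key directory exists and is private
      ansible.builtin.file:
        path: "{{ key_dir }}"
        state: directory
        mode: "0700"
      delegate_to: localhost
      become: false
      run_once: true

    - name: Common group is created
      ansible.builtin.group:
        name: "{{ common_group }}"
        gid: "{{ pre_id }}00"
        state: present

    - name: Per-user groups are created
      ansible.builtin.group:
        name: "{{ uname }}"
        gid: "{{ pre_id }}{{ '%02d' | format(item) }}"
        state: present
      loop: "{{ range(1, user_count + 1) | list }}"

    # generate_ssh_key creates the key pair on the managed host, 0600 in ~/.ssh.
    # ed25519 instead of RSA: no key-size parameter to get wrong, small keys.
    - name: Users are created with an ed25519 key pair
      ansible.builtin.user:
        name: "{{ uname }}"
        group: "{{ uname }}"
        groups: "{{ common_group }}"
        append: true
        uid: "{{ pre_id }}{{ '%02d' | format(item) }}"
        state: present
        generate_ssh_key: true
        ssh_key_type: ed25519
        ssh_key_comment: "{{ uname }}@{{ inventory_hostname }}"
      loop: "{{ range(1, user_count + 1) | list }}"
      register: usercreated

    # The user module returns ssh_public_key and ssh_key_file, so the .pub file
    # never has to be copied and the task stays idempotent on re-runs.
    # In check mode the key is not written, so ssh_public_key is absent or null;
    # default('', true) covers both and the item is skipped cleanly.
    - name: Public key is installed into authorized_keys
      ansible.posix.authorized_key:
        user: "{{ item.invocation.module_args.name }}"
        key: "{{ item.ssh_public_key }}"
        state: present
      loop: "{{ usercreated.results }}"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"
      when: item.ssh_public_key | default('', true) | length > 0

    # fetch pulls the private key to the controller over the Ansible connection;
    # nothing is staged in /tmp on the host. no_log keeps the key material out
    # of verbose output and callback logs.
    - name: Private key is fetched to the controller
      ansible.builtin.fetch:
        src: "{{ item.ssh_key_file }}"
        dest: "{{ key_dir }}/id_ed25519_{{ item.invocation.module_args.name }}"
        flat: true
      loop: "{{ usercreated.results }}"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"
      when: item.ssh_key_file is defined
      no_log: true

    # fetch writes with the controller's umask; force owner-only access.
    - name: Fetched private keys are owner-readable only
      ansible.builtin.file:
        path: "{{ key_dir }}/id_ed25519_{{ item.invocation.module_args.name }}"
        mode: "0600"
      loop: "{{ usercreated.results }}"
      loop_control:
        label: "{{ item.invocation.module_args.name }}"
      when: item.ssh_key_file is defined
      delegate_to: localhost
      become: false
```

Run it once with --check first: the authorized_key and fetch tasks skip every item whose key does not exist yet, instead of failing on a missing field. If the developers can generate their own key pairs, drop generate_ssh_key and the two fetch-related tasks and feed their public keys into the same authorized_key task; then no private key ever leaves the developer's machine.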