Ansible and SSH Considerations

Stosh Oldham
Published in Linux Academy
Mar 19, 2019

Ansible has become a well-known contender in the automation game. Ansible’s fame comes from the fact that it is lightweight and simple. There is no agent required for effective automation when it comes to Ansible! You simply install Ansible on your control server, run through a quick configuration, and you are automating your entire environment configuration!

You might ask yourself, what exactly is meant by a “quick configuration”? Glad you asked. The default configuration file in Ansible is turnkey. You need to add some DNS names to your inventory file in /etc/ansible/hosts and then all that is left is providing Ansible access to your servers.

Ansible relies on SSH for executing commands against remote Linux hosts. That means in order to leverage Ansible, you must configure SSH access so that Ansible can authenticate without an interactive password prompt. Some less experienced Linux users may be intimidated by this prospect. The good news is that the configuration required for automatic SSH is dead simple. The better news is that I am going to break it down right here.

SSH Configuration in a nutshell

While SSH authentication uses a password out of the box, it is possible to set up what is known as pre-shared key authentication with SSH. In this method of authentication, a public / private keypair is created for a given user. The public key is stored inside of a special directory in the user’s home folder on any server they desire to access with key authentication. The private key is kept in the user’s home directory on the host which the user will be logging on from (the source host, if you will). Once all of the keys are in the right place, the SSH program does the rest for you!

Creating the user

The first step is creating a user that Ansible will operate as. Generally, the username ansible is a popular choice. You can pick any name you like; just be sure that you create the user on each system where Ansible will be operating. Depending on your distribution you can use the useradd program (on CentOS or Red Hat) or the adduser program (popular with Debian). The command is as simple as sudo useradd ansible. You will want to set the user's password using sudo passwd ansible if you are running a Red Hat based distribution. The adduser program will set the user password by default.

The keys to the castle

Once you have a user created, you will need to create the keypair for that user. On most Linux distributions, you can create and distribute keys using a couple of built-in utilities. The first one is called ssh-keygen and it is used to create your keypair. To start this process, log on to your Ansible control server as the ansible user (sudo -i -u ansible or su - ansible). Once you are the ansible user, all you need to do is run ssh-keygen. This will prompt you for where you want to keep the keys and optionally for a passphrase for your private key. The default settings are fine for our purposes so you can press enter to accept them. After the command completes, your keypair is created!

Now you need to distribute the public key to the servers you wish to log in to as ansible. This is where the next utility, ssh-copy-id, comes into play. While still logged in to your Ansible control server as the ansible user, you simply run ssh-copy-id ansible@target-server where target-server is the DNS name of the server you would like to push your public key to. You will be prompted for the password of the ansible user here but it should be the last time!

Apart from the advanced user home configuration, you will need to run ssh-copy-id for each server you would like to be able to connect to as ansible using your key.
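
To confirm the keys ended up in the right place, here is an added example (not part of the original post) that checks the private key's mode on the control server and the authorized_keys file on a target. Accepting the ssh-keygen defaults leaves the private key without a passphrase, so its file mode is what protects it. The ~/.ssh/id_rsa and ~/.ssh/authorized_keys names are OpenSSH defaults assumed here, and the demo uses constructed placeholder text, not real key material.

```bash
#!/usr/bin/env bash
# Added example: audit the key placement left by ssh-keygen and ssh-copy-id.
# File names are OpenSSH defaults (assumed; the article does not name them).

mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# True when the mode grants write access to group or others.
loose() { case "$(mode_of "$1")" in *[2367]?|*[2367]) return 0 ;; esac; return 1; }

# Control server. $1 = private key path, e.g. /home/ansible/.ssh/id_rsa
check_control() {
  local key="$1"
  { [ -f "$key" ] && [ -f "$key.pub" ]; } || { echo "FAIL keypair incomplete: $key"; return 1; }
  case "$(mode_of "$key")" in
    600|400) echo "OK $key" ;;
    *) echo "FAIL private key mode is not owner-only: $key"; return 1 ;;
  esac
}

# Target server. $1 = home of the ansible user, $2 = public key file to look for.
# With StrictModes (the sshd default), a home, .ssh or authorized_keys that is
# writable by group or others makes sshd ignore the key.
check_target() {
  local home="$1" pub="$2" auth="$1/.ssh/authorized_keys" p type body
  [ -f "$auth" ] || { echo "FAIL missing $auth"; return 1; }
  for p in "$home" "$home/.ssh" "$auth"; do
    if loose "$p"; then echo "FAIL group/other-writable: $p"; return 1; fi
  done
  read -r type body _ < "$pub" || true          # key type, base64 body, comment
  [ -n "$body" ] || { echo "FAIL unreadable public key: $pub"; return 1; }
  grep -qF -- "$type $body" "$auth" || { echo "FAIL key not authorized: $pub"; return 1; }
  echo "OK $auth"
}

# Constructed demo: throwaway home with placeholder text, not real key material.
demo() {
  local h; h=$(mktemp -d) || return 1
  mkdir -m 700 "$h/.ssh"
  echo "PLACEHOLDER PRIVATE KEY" > "$h/.ssh/id_rsa"; chmod 600 "$h/.ssh/id_rsa"
  echo "ssh-rsa AAAAconstructedKeyBody ansible@control" > "$h/.ssh/id_rsa.pub"
  cp "$h/.ssh/id_rsa.pub" "$h/.ssh/authorized_keys"; chmod 600 "$h/.ssh/authorized_keys"
  check_control "$h/.ssh/id_rsa" && check_target "$h" "$h/.ssh/id_rsa.pub"
  chmod 775 "$h/.ssh"
  check_target "$h" "$h/.ssh/id_rsa.pub" || true   # reports the loosened directory
  rm -rf "$h"
}
demo
```

For an end-to-end check, running ssh -o BatchMode=yes ansible@target-server true as the ansible user on the control server fails instead of prompting when key login is not working.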

More on Ansible

You are ready to automate all the things with Ansible using your SSH keys! As long as you execute all Ansible tasks as the ansible user on your control server, you will not have to provide an SSH password.

If you are interested in some of the more robust features Ansible brings to bear, check out Ansible Quick Start for a fast spin up on how you can configure and use Ansible in your environment. Otherwise, here are some other free resources I’d recommend you read:
