Ansible : Private/Public Keys and SSH Agent setup

OpenInfo
Published Mar 10, 2018 (3 min read)

Ansible is an agentless automation tool: nothing has to be installed on the managed hosts. All it needs is SSH authentication using the Ansible Control Machine's private/public key pair.

Ansible Control Machine: Server where Ansible is installed.

RemoteNode: Server we want to SSH into from the Ansible Control Machine.

The Ansible Control Machine establishes an SSH connection to the Remote Node using its private/public key pair. We need three tools to set up a password-less SSH connection between the Ansible Control Machine and the Remote Node.

  1. ssh-keygen
  2. ssh-agent
  3. ssh-add

The ssh-keygen tool generates the private/public key pair for SSH. By default it writes the private key (id_rsa) and the public key (id_rsa.pub) to the ~/.ssh/ directory. Keys can be generated with the DSA algorithm as well. These key pairs are used for password-less login, single sign-on and host authentication.

Key generation: ssh-keygen -t rsa

Key Deployment:

Copy the ~/.ssh/id_rsa.pub key from the Ansible Control Machine into the file ~/.ssh/authorized_keys on the Remote Node. Compare the contents of ~/.ssh/authorized_keys with id_rsa.pub: there should be no difference.

SSH key authentication is now in place. But whenever we connect from the Ansible Control Machine to the Remote Node, we are prompted for the private key passphrase we supplied when generating the keys with ssh-keygen. To avoid this prompt we use the other two tools.

ssh-agent: An authentication agent that handles the passphrases of all private keys. The ssh-agent command starts the agent as a background process, which we will use later to hold the private key. You will notice the output on the terminal; add that output to .bash_profile so the agent is always loaded automatically.

ssh-add: An SSH tool that adds private key identities to the authentication agent.

AnsibleControlMachine:~$ ssh-add ~/.ssh/id_rsa

Once the private key has been added to ssh-agent, we can SSH to RemoteNode from AnsibleControlMachine without entering the passphrase or any other key information.

AnsibleControlMachine:~$ ssh user@RemoteNode
RemoteNode:~$ echo "Welcome to RemoteNode"

Test with a sample Ansible command:

ansible -v RemoteNode -m ping -u user

It should respond with the message pong.
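The key-deployment step above says authorized_keys on the Remote Node must carry the same key as id_rsa.pub. The following POSIX shell script is an added example, not part of the original post: it checks that the public key's type and key material (ignoring the comment and any leading authorized_keys options) appear in authorized_keys, and that the file is not group- or world-writable, since sshd with its default StrictModes setting ignores such a file. The file names and key material in the demo are constructed.

```shell
#!/bin/sh
# key_authorized <id_rsa.pub> <authorized_keys>
# Exit 0 if the public key's "<type> <base64>" appears in authorized_keys.
# Comments differ between the two files and authorized_keys lines may start
# with options (no-pty, from="..."), so only the key type and material are compared.
key_authorized() {
    awk '
    function material(   i) {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/)
                return $i " " $(i+1)
        return ""
    }
    NR == FNR { if (want == "") want = material(); next }   # first file: the .pub key
    /^[[:space:]]*#/ { next }                               # skip comment lines
    want != "" && material() == want { found = 1; exit }
    END { exit (found ? 0 : 1) }
    ' "$1" "$2"
}

# safe_mode <file>: exit 0 unless the file is group- or world-writable.
# ls is used instead of stat because stat flags differ between GNU and BSD.
safe_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????-??-?) return 0 ;;   # column 6 = group write, column 9 = other write
        *) return 1 ;;
    esac
}

# demo: constructed sample files (made-up key material) showing a correct deployment.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== ansible@control\n' > "$dir/id_rsa.pub"
    {
        printf '# keys accepted on the remote node\n'
        printf 'ssh-ed25519 AAAAC3NzaC1lZDI1OTHERKEY admin@laptop\n'
        printf 'no-pty,from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEY== deployed-copy\n'
    } > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    if key_authorized "$dir/id_rsa.pub" "$dir/authorized_keys" &&
       safe_mode "$dir/authorized_keys"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

demo && echo "public key is deployed and authorized_keys mode is safe"
```

On a real Remote Node, run the two checks against ~/.ssh/authorized_keys with the id_rsa.pub copied from the control machine.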

Now we’re good to go.
