Configuring SSH server access for Ansible

This post is a practical guide on how to configure your SSH server access to use Ansible in the simplest and most efficient way.

Written by Erika Heidi on Sunday October 26, 2014 - Permalink - Category: DevOps - Tags: ansible, devops, ssh - Lang: eng

This practical guide will show how to set up SSH keys for a server/VPS so you can use Ansible from your local machine in a very straightforward way.

This is what we want to achieve, in order to make things simple and efficient - no need for extra parameters when running Ansible:

  • Make sure you have an SSH keypair for the current user*
  • Make sure you have a user on the server with the same username as your current user
  • Make sure the user on the server has sudo permissions without requiring a password

*current user = the user you are currently logged in as on your working machine

1. Create an SSH key if you don't have one yet

ssh-keygen -t rsa -C "you@youremail.com"

Follow the instructions to create and store your SSH keypair. More detailed instructions can be found here: do.co/setup-ssh

1.1 DigitalOcean users: add your key to the control panel

It's extremely easy to set up an SSH key when creating a new droplet - you just need to have the SSH key pre-defined in your DigitalOcean account. However, this method assigns the key to the root user, and it's not recommended to run the playbooks as root. You should still use the key, as it's much better and safer than regular password authentication, and you can quickly log in as root a first time to add the new user that will run the Ansible tasks.

Check this tutorial for a step-by-step guide on how to add SSH keys to your DO account and use them for new droplets.

2. Set up a user in the server

Now, add a user on the server with the same name as your local user - this will make things simpler when running Ansible from your local machine. Define a password - we will need it once, when copying the local SSH key to the server. I'll be using "username" and the server "test.example.com" as examples. Change them to your own username and server hostname or IP address.

Log in as root on the server and add the new user:

$ adduser username

Now we just need to allow this user to use sudo without requiring a password - this will make things simpler. Run:

$ visudo

And add this to the end of the file:

username ALL=(ALL) NOPASSWD: ALL

Save the file and log out. Now we need to copy the local SSH key to the remote server, by running:

$ ssh-copy-id username@test.example.com

You will be asked to provide the password for username on the server. You will see output similar to this:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@test.example.com's password: 
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'username@test.example.com'"
and check to make sure that only the key(s) you wanted were added.

After doing this, you should be able to log in just by running:

$ ssh test.example.com

This is ideal because you will be able to run Ansible with default settings, with no need to provide extra parameters or a login / password for performing the commands and executing playbooks.

3. Testing the connection

Let's create a new inventory file with this server and run some Ansible ad-hoc commands to test the connection. I created a file named simply "test" and added:

[testservers]
test.example.com

Now I can test the connection by running:

$ ansible all -i test -m ping

You should get a response like this:

test.example.com | success >> {
    "changed": false, 
    "ping": "pong"
}

If you get a success response, you are ready to use the Ansible commands and run playbooks directly, without the need to provide extra parameters or a sudo password.

Testing Execution with Sudo

$ ansible all -i test -a "sudo apt-get update"

You should get a "success" response with the output from the apt-get update command.
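If the ping or the sudo test fails, the usual culprits are an authorized_keys file that sshd ignores because of its permissions, a key that never landed on the server, or a sudoers rule that does not match the user. The following script is an added example, not part of the original post: it checks those three things on the server, assuming GNU coreutils (for stat -c %a), and takes the home directory, the local public key, the sudoers file and the username as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): verify on the server that the
# setup above took effect. Assumes GNU coreutils (stat -c %a) and that you pass
# in the sudoers file the post edited with visudo.
# Usage: check_ansible_access "$HOME" ~/.ssh/id_rsa.pub /etc/sudoers "$USER"

# group_or_world_writable FILE : succeeds if the group or other write bit is set.
# sshd (StrictModes yes, the default) ignores authorized_keys when the file or
# ~/.ssh is writable like that; the symptom is a password prompt despite the key.
group_or_world_writable() {
    m=$(stat -c %a "$1") || return 1
    [ $(( (m / 10 % 10) & 2 )) -ne 0 ] || [ $(( (m % 10) & 2 )) -ne 0 ]
}

# check_ansible_access HOME_DIR LOCAL_PUBKEY SUDOERS_FILE USERNAME
# Prints one line per check; returns 0 only if every check passed.
check_ansible_access() {
    home=$1 pubkey=$2 sudoers=$3 user=$4 rc=0
    ak="$home/.ssh/authorized_keys"

    for f in "$home/.ssh" "$ak"; do
        if [ ! -e "$f" ]; then
            echo "FAIL: $f is missing"; rc=1
        elif group_or_world_writable "$f"; then
            echo "FAIL: $f is group/world writable (sshd will ignore the key)"; rc=1
        else
            echo "ok:   $f permissions"
        fi
    done

    # Match on the key material (field 2), not the trailing comment, so a key
    # whose -C comment differs from the server copy still counts as present.
    keydata=$(awk 'NR == 1 { print $2 }' "$pubkey")
    if [ -n "$keydata" ] && [ -r "$ak" ] && grep -qF -- "$keydata" "$ak"; then
        echo "ok:   local key is in authorized_keys ($(grep -c . "$ak") key(s) total)"
    else
        echo "FAIL: local key not found in $ak"; rc=1
    fi

    # The rule the post adds; sudoers allows arbitrary whitespace between fields.
    if grep -Eq "^$user[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*ALL[[:space:]]*$" "$sudoers" 2>/dev/null; then
        echo "ok:   passwordless sudo rule for $user found in $sudoers"
    else
        echo "FAIL: no 'NOPASSWD' sudo rule for $user in $sudoers"; rc=1
    fi
    return $rc
}
```

Run it as the new user on the server; every line starting with FAIL names the piece to fix, and the key count lets you confirm that only the keys you wanted were added.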
