Skip to content

Automate Security: Enable SSH Key Authentication on All Hosts with Ansible

Published on December 7, 2023

Secure Shell (SSH) is a widely used protocol for secure remote access to servers. One way to enhance the security of your servers is by using SSH key authentication instead of traditional password-based authentication. With Ansible, a powerful automation tool, you can easily configure SSH key authentication on multiple hosts. In this guide, we will walk you through the process of enabling SSH key authentication using your Ansible playbook and configurations.

SSH key authentication is a secure method for accessing remote servers. A user generates a key pair, keeps the private key locally, and distributes the public key to servers. During connection, the client proves its identity by offering the public key, and the server checks for a match in its authorized_keys file. If successful, access is granted without the need for a password, ensuring a secure and streamlined authentication process.

To generate an SSH key pair, you can use the ssh-keygen command, which is a standard tool included with most Unix-like operating systems, including Linux and macOS. Here are the steps to generate an SSH key pair:

  1. Open a terminal or command prompt on your local machine.
  2. Use the following command to generate an SSH key pair:
ssh-keygen -t rsa -b 2048

To generate an SSH key pair, you can use the ssh-keygen command, which is a standard tool included with most Unix-like operating systems, including Linux and macOS. Here are the steps to generate an SSH key pair:

  1. Open a terminal or command prompt on your local machine.
  2. Use the following command to generate an SSH key pair:bashCopy codessh-keygen -t rsa -b 2048 This command specifies the key type (-t rsa) and the number of bits in the key (-b 2048). You can adjust the key size as needed.
  3. You will be prompted to enter a file path to save the key pair. The default location is usually ~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key. Press Enter to accept the default or specify a different path.
  4. You can also enter a passphrase for added security. This passphrase will be required every time you use the private key.
  5. The ssh-keygen command will then generate the key pair and display a message indicating where the keys were saved.For example:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Prerequisites

Before you begin, make sure you have the following:

  • Ansible installed on your control machine.
  • Access to the target hosts via SSH with password authentication.

Ansible Playbook Configuration

Your Ansible playbook (playbook.yml) contains a set of tasks to configure SSH key authentication on the specified hosts. Let’s break down the playbook:

---
- hosts: new-host 
  become: true
  become_user: root
  vars:
    user: "root"
    password: "password"
  tasks:

    - name: Ensure authorized_keys directory exists
      become_user: root
      file:
        path: "~/.ssh"
        state: directory
        mode: "0700"

    - name: Copy id_rsa.pub content to authorized_keys
      become_user: root
      copy:
        content: "{{ lookup('file', '/home/root2/ansible/id_rsa.pub') }}"
        dest: "~/.ssh/authorized_keys"
        mode: "0600"

    - name: Disable password-based authentication in SSH
      become: yes
      become_user: root
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: '^(.*)PasswordAuthentication(.*)$'
        line: 'PasswordAuthentication no'

    - name: Disable root authentication in SSH
      become: yes
      become_user: root
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: '^(.*)PermitRootLogin(.*)$'
        line: 'PermitRootLogin no'

    - name: Enable pub key authentication in SSH
      become: yes
      become_user: root
      lineinfile:
        path: "/etc/ssh/sshd_config"
        regexp: '^(.*)PubkeyAuthentication(.*)$'
        line: 'PubkeyAuthentication yes'

    - name: Restart SSH
      become: yes
      become_user: root
      service:
        name: ssh
        state: restarted

Explanation of Tasks

  1. Ensure authorized_keys directory exists:
    • Creates the ~/.ssh directory if it doesn’t exist.
    • Sets the correct permissions.
  2. Copy id_rsa.pub content to authorized_keys:
    • Copies the content of id_rsa.pub to the authorized_keys file.
  3. Disable password-based authentication in SSH:
    • Modifies the SSH configuration file to disable password authentication.
  4. Disable root authentication in SSH:
    • Modifies the SSH configuration file to deny root login.
  5. Enable pub key authentication in SSH:
    • Modifies the SSH configuration file to enable public key authentication.
  6. Restart SSH:
    • Restarts the SSH service to apply the changes.

Hosts File

Your hosts file should contain the [new-host] group and a list of IP addresses.

[new-host]
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.6
192.168.1.7
192.168.1.8
192.168.1.9
# Add more IP addresses as needed

Running the Playbook

To execute the playbook, use the following command:

ansible-playbook -i hosts playbook.yml

Replace hosts with the path to your hosts file.

This Ansible playbook will configure SSH key authentication on all hosts in the specified group, enhancing the security of your servers. Remember to replace placeholder values with your actual information, and always test the playbook in a safe environment before applying it to production servers.

Post Views: 1,450
Published inAutomationKubernetesLinuxSecurityShell