Passwordless Authentication in Ansible

Passwordless authentication in Ansible simplifies secure access by removing the need to enter a password during automation tasks. It typically relies on SSH keys (for example, an AWS .pem key file), though a password can also be used.

Developers give Ansible its instructions either as YAML playbooks or as ad-hoc commands on the CLI.

The problem we face: when the control node (Ansible) tries to execute instructions on a managed node (a VM), the operation is blocked and prompts for authentication every time.

Authentication can be provided using a password or SSH keys (pem files).

What is blocked automation?

Every time Ansible tries to connect to a managed node (a virtual machine), someone would have to supply a password or SSH key by hand. That interrupts the automation. So, what can we do?

Passwordless authentication: the prerequisite

We set up passwordless authentication between the control node (Ansible) and the managed nodes (other VMs where Ansible will execute operations).

Passwordless authentication means that whenever a managed node (VM) receives a request from VM A (the Ansible control node), it does not ask for a password. We configure the managed nodes to recognize VM A as a trusted machine.

This is done by setting up a password or SSH keys once on every machine connected to the Ansible control node, so that it is not asked for authentication again. This way our automation is not blocked.

The control node could be Ansible itself, a human operator, an SSH agent, or a Python script; it depends on the infrastructure we use for automation.

Using EC2 for managed nodes: the only way to authenticate here is with a PEM file (an SSH key). By default, EC2 also blocks logins from other machines.

We will use the ssh-copy-id command. It can be used either with a PEM file (SSH key) or with a password.

We will do a practical exercise to understand this better.

We will create two managed nodes on AWS EC2:

  1. Managed node 1: Ubuntu, set up with an SSH key

  2. Managed node 2: AL2 (Amazon Linux 2), set up with a password

We will explore how both methods work.

For the control node we will use our EC2 Ubuntu machine.

Step 1: Launch an EC2 instance: master-ansible

Let's set up the master node (ansible).

Commands to install Ansible:

  1. sudo apt-add-repository ppa:ansible/ansible: adds the Ansible PPA. Python is a prerequisite for installing Ansible.

  2. sudo apt update: refreshes the package index; Ansible is now ready to be installed.

  3. sudo apt install ansible: installs Ansible on our master node (Ubuntu).

Step 2: The Ansible master node needs information about its managed nodes. This is kept in the hosts file.

What is the hosts file?

  • The hosts file lists all the managed nodes.

  • It records the IP addresses or hostnames of these nodes.

  • It tells Ansible which machines to manage.

  • You can group nodes in the hosts file for easier management.

  • It allows specifying different variables for each group or node.

  • The hosts file is essential for organizing and automating tasks.

There are two types of hosts:

  • Ungrouped hosts: individual nodes listed in the hosts file without being part of any group. They are managed separately and do not share any common configuration or variables with other nodes.

  • Grouped hosts: nodes organized into groups within the hosts file. Grouping lets you manage multiple nodes together, applying the same configuration or variables to every node in the group. This makes it easier to automate tasks across similar nodes.

Note: Linux configuration files are stored under /etc. Ansible's configuration files are in /etc/ansible.

Step 3: We need to configure the hosts file on the master Ansible machine.

  1. Go to /etc/ansible. Here you will find the hosts file.

  2. Edit the hosts file with the vim editor (we are doing some manual configuration):

     vim /etc/ansible/hosts
    

The hosts file shipped with Ansible contains a commented example of grouped hosts.

  1. Add a [servers] group to your hosts file with the IP addresses:

     We specify our servers group with the public IPv4 addresses of our managed node machines.

  2. Set up [all:vars]: variables applied to all the servers in the group.

     [servers]
     server1 ansible_host=54.175.173.148 ansible_user=ubuntu   # IP address and username for the Ubuntu machine
     server2 ansible_host=50.19.179.35 ansible_user=ec2-user   # IP address and username for the AL2 machine
    
     [all:vars]
     ansible_python_interpreter=/usr/bin/python3
     ansible_ssh_private_key_file=/home/ubuntu/keys/ansible-amit.pem
    

     To check that your Ansible hosts file parses correctly, use the following command:

     ansible-inventory --list
    
  3. To check that we can connect from the master to the two managed nodes, use the following command:

     ansible servers -m ping
    
    

  4. We get an ERROR. Two permission problems cause it:

     1. The hosts file permissions are set to root:

        ls -ltr /etc/ansible/hosts
    
     2. The pem file permissions must be read-only for the Ubuntu user:

        ls -ltr /home/ubuntu/keys/ansible-amit.pem
    
     Our pem file permissions are too open; we need to make the file private:

        chmod 400 ansible-amit.pem
    
     With the permissions changed, try to access our Amazon Linux machine (managed node 2) by hand:

        ssh -i /home/ubuntu/keys/ansible-amit.pem ubuntu@ec2-3-87-235-25.compute-1.amazonaws.com
    
     As you can see, we are successfully connected to AWS Linux from our Ansible master.

  5. Now we are ready to move further:

     ansible servers -m ping
    

     If you cannot connect, log in to server1 and server2 once each with ssh -i and accept the host key prompt; this records each host key in known_hosts, after which the ping module works.

  6. Now we can successfully access server1 and server2.
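The two things that broke the first ping above (a key file with open permissions, and hosts whose keys were never accepted) can be checked before running Ansible. The script below is an added example, not from the original post: it reads an inventory in the same layout as the hosts file above and prints the one-time ssh -i logins. Function names, the sample 203.0.113.x addresses and the stat/awk dependencies are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the hosts
# file layout above. Assumes GNU or BSD stat and a POSIX awk.

# The key must be readable only by its owner (mode 400 or 600); anything
# wider and ssh refuses it with "UNPROTECTED PRIVATE KEY FILE".
key_mode_ok() {   # key_file
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# The key path named by ansible_ssh_private_key_file in [all:vars].
inventory_key_file() {   # inventory
  awk -F= '/^[ \t]*ansible_ssh_private_key_file=/ { print $2 }' "$1"
}

# One "ssh -i KEY USER@HOST" line per host in GROUP: the manual first login
# that records each host key in known_hosts before Ansible connects.
first_ssh_commands() {   # inventory group key_file
  awk -v group="$2" -v key="$3" -v me="$(id -un)" '
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }            # strip comments, indent
    /^\[/ { in_group = ($0 == ("[" group "]")); next }
    in_group && NF {
      host = ""; user = me                            # Ansible defaults to the local user
      for (i = 2; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "ansible_host") host = kv[2]
        if (kv[1] == "ansible_user") user = kv[2]
      }
      if (host != "") printf "ssh -i %s %s@%s\n", key, user, host
    }' "$1"
}

# Constructed sample inventory in the same shape as the hosts file above
# (203.0.113.0/24 is a documentation range, not a real node).
write_sample_inventory() {   # path
  cat > "$1" <<'EOF'
[servers]
server1 ansible_host=203.0.113.10 ansible_user=ubuntu     # Ubuntu node
server2 ansible_host=203.0.113.20 ansible_user=ec2-user   # Amazon Linux node

[all:vars]
ansible_python_interpreter=/usr/bin/python3
ansible_ssh_private_key_file=/home/ubuntu/keys/ansible-amit.pem
EOF
}

if [ "${1:-}" = "--demo" ]; then                    # ./preflight.sh --demo
  d=$(mktemp -d); write_sample_inventory "$d/hosts"
  first_ssh_commands "$d/hosts" servers "$(inventory_key_file "$d/hosts")"
fi
```

Point first_ssh_commands at /etc/ansible/hosts with the group name servers to get the logins for the real inventory; key_mode_ok on the pem path reproduces the chmod 400 check from the troubleshooting step.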

Step 4: Using ad-hoc commands to operate the servers remotely

  1. Install nginx on server1:

     ansible server1 -a "sudo apt-get update"
     ansible server1 -a "sudo apt-get install nginx -y"
    

  2. Check: copy the public IPv4 address of instance 1 (Ansible managed node 1) and paste it into the browser's URL bar.

     We have successfully used an ad-hoc command to install nginx on managed node 1.

  3. Check 2: we install httpd on AWS Linux (AL2). Commands:

     ansible server2 -a "sudo service httpd status"
     ansible server2 -a "sudo service httpd start"
    

     Success: we used CentOS-style commands, which also work on Amazon Linux.

So far we have seen successful authentication with SSH keys, along with some example commands.


Using a password, we will set up an Ansible managed node

    • Go to the file /etc/ssh/sshd_config.d/60-cloudimg-settings.conf

      • Set PasswordAuthentication yes

      • Restart SSH: sudo systemctl restart ssh

  1. Create a 3rd EC2 instance as a managed node.

  2. Log in to the 3rd EC2 instance with ssh and enable password authentication (set it to yes):

     ssh -i /home/ubuntu/keys/ansible-amit.pem ubuntu@54.175.178.50
    

     We are logged in from the Ansible master to managed node 3 (Ubuntu).

     sudo vim /etc/ssh/sshd_config.d/60-cloudimg-settings.conf
    

     Set PasswordAuthentication to yes.

  3. Restart ssh:

     sudo systemctl restart ssh
    
  4. Now you can access the Ubuntu machine (managed node 3) directly, without the .pem key:

     ssh ubuntu@54.175.178.50
    
  5. Add server3 to /etc/ansible/hosts.

     Check with ansible server3 -m ping: success.
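Leaving PasswordAuthentication yes on an internet-facing EC2 node is the weak state; the passwordless goal of this post is reached by using that password once, with the ssh-copy-id command named earlier, to install the control node's key and then closing the password path again. The script below is an added example, not from the original post: function names are hypothetical, the drop-in path is the one edited above, and it assumes an Ubuntu managed node whose login user already has a password (as the ssh ubuntu@... login above requires) and can sudo.

```shell
#!/bin/sh
# Added example, not from the original post: enroll the control node's key on
# a managed node over the temporarily enabled password login, prove key-only
# login works, then set PasswordAuthentication back to no.
# Usage: ./enroll.sh /home/ubuntu/keys/ansible-amit.pem ubuntu 54.175.178.50

DROPIN=/etc/ssh/sshd_config.d/60-cloudimg-settings.conf   # same file as edited above

# An AWS .pem holds only the private key; derive the public half that
# ssh-copy-id needs (it looks for KEY.pub).
ensure_pubkey() {   # key
  [ -f "$1.pub" ] || ssh-keygen -y -f "$1" > "$1.pub"
}

# The single password prompt of the whole procedure happens here.
install_key() {   # key user host
  ssh-copy-id -i "$1.pub" "$2@$3"
}

# BatchMode forbids every interactive prompt, so success here proves the key
# path works on its own before the password path is closed.
key_login_works() {   # key user host
  ssh -i "$1" -o BatchMode=yes -o PasswordAuthentication=no "$2@$3" true
}

# Flip the drop-in back to "no" and restart sshd only if the config still
# parses (sshd -t); a typo here would otherwise lock everyone out.
disable_password_auth() {   # key user host
  ssh -i "$1" -o BatchMode=yes "$2@$3" \
    "sudo sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/' $DROPIN \
     && sudo sshd -t && sudo systemctl restart ssh"
}

# Offline check on any sshd config fragment: does it still allow passwords?
password_auth_enabled() {   # file
  grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$1"
}

if [ "$#" -eq 3 ]; then
  ensure_pubkey "$1" && install_key "$@" && key_login_works "$@" \
    && disable_password_auth "$@" && echo "enrolled $2@$3; password login closed"
fi
```

After it runs, ansible server3 -m ping works over the installed key, and a fresh ssh ubuntu@54.175.178.50 without -i is refused again.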

An alternate way to add servers to the master is with an inventory.ini file:

vim inventory.ini    # you can create it in your home directory

ubuntu@<ipv4>
ubuntu@<ipv4>
(save)
ansible -i inventory.ini -m ping all

The alternate way ends here.