Configure SSH

Ansible is agentless: it doesn’t rely on an agent being installed in order to effect change on the hosts it controls. Instead it uses the operating system’s built-in remote management services, such as SSH and WinRM.

In this article, we’ll walk through the process of generating and setting up SSH keys for authenticating to the Ansible Controller. We’ll also configure a built-in SSH service called the SSH Agent, which lets us log in to remote hosts from the Ansible Controller while still using the SSH keys stored on our workstation.

Key Generation

On your workstation (not the Ansible controller), open a terminal and create your SSH keypair.

ssh-keygen -t ecdsa -b 521    # valid ECDSA sizes are 256, 384 and 521 bits

You’ll be asked to create a passphrase that protects the use of your SSH key pair. Whether you want to enter a passphrase when logging on to a device with your key pair is entirely your choice. If you’d prefer not to have one, simply press Enter when prompted.

You’ll now have two new files in your SSH directory, ~/.ssh/ (with backslashes if you’re on Windows).

~/.ssh/id_ecdsa        # Private Key
~/.ssh/id_ecdsa.pub    # Public Key

id_ecdsa is your private key and must be protected at all times. Store a copy of this key in your password manager in case your workstation fails.

id_ecdsa.pub is your public key. We’ll be installing this key on the Ansible Controller and on any hosts we’re managing via Ansible. Each host uses this public key to verify the authentication request our client presents when we connect.

Configure SSH Agent

Depending on whether you’re working on Windows or Linux/Mac, enable the SSH Agent.

Linux

On Debian, ensure you have the openssh-client package installed.

sudo apt-get install openssh-client

Add your SSH private key to the SSH Agent.

ssh-add ~/.ssh/id_ecdsa

Windows

Ensure the OpenSSH client is installed on your workstation.

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Once installed, start the service.

Start-Service -Name ssh-agent

Configure the service to start automatically on boot.

Set-Service -Name ssh-agent -StartupType Automatic

Lastly, add your SSH private key to the SSH Agent.

ssh-add.exe ~\.ssh\id_ecdsa

Key Installation

Install the public key onto the Ansible Controller. Depending on whether your workstation is Windows- or Linux-based, the process varies slightly.

Linux

For Debian-based systems, the openssh-client package comes with a handy shell script to make installing the public key simple.

ssh-copy-id username@host

Windows

For Windows no handy utility is provided, so we’ll have to use a bit of PowerShell. Note that the path on the right-hand side is interpreted by the controller’s shell, so it uses a forward slash.

type $env:USERPROFILE\.ssh\id_ecdsa.pub | ssh username@host "mkdir -p .ssh && cat >> .ssh/authorized_keys"

Testing

With our SSH keys generated and the public key installed, we can now log on to the Ansible Controller. If all goes well, you’ll be logged in automatically without any password prompts (unless you created a passphrase during the SSH key generation process).

ssh username@host

To check that the SSH Agent is functioning, run the following command.

echo $SSH_AUTH_SOCK

You should see output similar to below. If blank, you unfortunately have a configuration error.

/tmp/ssh-XXXXkVwIiN/agent.895

SSH Forwarding

As we want to use our private key to log on to the various hosts managed by Ansible, we need to tell SSH to forward our SSH Agent connection when authenticating, so the Ansible Controller can use the key to answer the remote hosts’ authentication challenges without the private key itself ever leaving our workstation. This is easily done by updating the sshd_config.

On the Ansible Controller, open /etc/ssh/sshd_config using vim or an equivalent text editor.

sudo vim /etc/ssh/sshd_config

Update AllowAgentForwarding from no to yes.

...
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
...

Save the file and restart the SSH service.

sudo systemctl restart ssh
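The following POSIX shell helper is an added example, not part of the original article, that automates the two checks above: it resolves the value sshd will actually use for AllowAgentForwarding (sshd takes the first uncommented occurrence of a keyword, so a leftover "no" higher in the file wins over a "yes" added further down) and, like the echo $SSH_AUTH_SOCK test in the Testing section, reports whether a usable agent is present. The script name and the config path argument are assumptions.

```shell
#!/bin/sh
# Effective value of a keyword in an sshd_config-style file.
# sshd uses the FIRST non-comment occurrence of a keyword; later duplicates
# are ignored, so a leftover "AllowAgentForwarding no" higher up in the file
# silently wins over a "yes" appended at the bottom.
effective_sshd_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        { gsub(/=/, " ") }                     # accept "Keyword=value" too
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match" { exit }        # Match-block values are conditional
        tolower($1) == key { print $2; exit }  # first hit wins, like sshd
    ' "$2"
}

# Report the agent the way the Testing section does, but also ask the agent
# whether a key is loaded instead of only checking that the socket exists.
agent_status() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || { echo no-agent; return 1; }
    rc=0; ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok ;;                          # at least one identity loaded
        1) echo no-keys; return 1 ;;           # agent reachable; run ssh-add
        *) echo unreachable; return 1 ;;       # socket set but agent not answering
    esac
}

# Check the controller's sshd_config (path is an assumption; default is the
# file the article edits).
check_agent_forwarding() {
    cfg=${1:-/etc/ssh/sshd_config}
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    val=$(effective_sshd_value AllowAgentForwarding "$cfg")
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        yes) echo "AllowAgentForwarding: yes (effective) in $cfg" ;;
        "")  echo "AllowAgentForwarding: unset in $cfg (sshd default is yes)" ;;
        *)   echo "AllowAgentForwarding: '$val' in $cfg; fix the first occurrence"; return 1 ;;
    esac
}

# Stand-alone use (hypothetical script name): sh check_ssh.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_agent_forwarding "$1" || true
    echo "agent: $(agent_status || true)"
fi
```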

Success! We’re now able to log on to the Ansible Controller with the SSH keys stored on our workstation, and we’re all set up for Ansible to log on to our remote hosts using those same keys.

Next, we’ll configure our remote hosts.