Ansible: Forward ssh agent and sudo



  • There is a control server running ansible, named server-ansible, and a server test-web-server-01.

    The apache user has to be created in the playbook/role, and a remote repository from the test-git-01 server has to be cloned. SELinux on both machines (both CentOS 7) is enabled.

    The global known_hosts file (i.e. /etc/ssh/ssh_known_hosts) is filled in with the help of http://docs.ansible.com/ansible/known_hosts_module.html. The key of the git server has been obtained in advance:

    - name: git storage pubkey
      known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: test-git-01
        key: "{{ lookup('file', 'files/ssh_keys/pubkeys/test-git-01.pub') }}"
    

    (This key is obtained by hand: ssh-keyscan test-git-01 > test-git-01.pub)

    However, when trying to run git clone (or git pull, etc.) there is an error.

    - name: clone repository
      git:
        repo: git@test-git-01:testgroup/testrepo.git
        dest: "/www/testsite.ru/htdocs/"
      become: true
      become_user: apache
    

    That makes sense: the apache user doesn't have an ssh key, so it's impossible to connect to the server.

    The option of creating a separate key for apache via sudo -u apache ssh-keygen -t rsa and registering it on the git server is not considered.

    I'd like to do the following: when the ansible user connects, its ssh key should be forwarded to the apache user. Since this key can be used to work with the git server, it's safer if the apache user's ability to use it is not permanent, but only for the duration of the ansible run.

    How do I correctly set up ssh key forwarding in ansible?

    P.S. Update. Below is my own version, which I eventually arrived at and then also found described in English. I could have posted this right away in question-and-answer mode, but I'm interested in reading about other possible solutions to the task (maybe ACLs?); perhaps a better practice would be suggested. That's why I'm not marking an answer as accepted.



  • There are two questions on the English-language StackOverflow sites that practically give the answer.

    https://serverfault.com/questions/107187/ssh-agent-forwarding-and-sudo-to-another-user describes the forwarding setup for the command line (note: the setup for the home user differs from that for other users).

    https://stackoverflow.com/questions/32091956/ansible-and-forwardagent-for-sudo-user describes the ansible setup and gives a few useful references: https://github.com/ansible/ansible/issues/7235#issuecomment-45842303 and the one it links to.

    The final solution is as follows:

    Add the following lines to ansible.cfg:

    [defaults]
    sudo_flags=-HE
    

    Give apache access to the forwarded key:

    - name: grant access to apache
      file:
        path: "{{ item }}"
        group: apache
        mode: g+rwx
      with_items:
        - "{{ ansible_env.SSH_AUTH_SOCK | dirname }}"
        - "{{ ansible_env.SSH_AUTH_SOCK }}"
    

    That's basically all. A minor subtlety is why I can omit become: false: root SSH access is blocked on all my machines, so I never connect as root.
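A complete playbook that puts the two pieces above together, added here as an example and not part of either post. It assumes the ansible.cfg setting from the answer (sudo_flags=-HE, so sudo keeps SSH_AUTH_SOCK) plus ssh_args = -o ForwardAgent=yes under [ssh_connection] so the agent is actually forwarded, and reuses the hostnames, paths and repository from the question. The socket permissions are widened only inside a block and restored in always, so apache can use the forwarded key only for the duration of the run, which is what the question asked for.

```yaml
# Added example (not the original poster's code). Assumes: ssh-agent with the deploy
# key runs on the control host, ForwardAgent=yes is set for the connection, and sudo
# preserves the environment (sudo_flags=-HE in ansible.cfg) so SSH_AUTH_SOCK survives.
- hosts: test-web-server-01
  become: true
  tasks:
    - name: fail early if no agent socket was forwarded
      assert:
        that: ansible_env.SSH_AUTH_SOCK is defined
        msg: "SSH_AUTH_SOCK is not set: check ForwardAgent and the -E flag for sudo"

    # Record the original owner group and mode of the socket directory so they can be
    # restored afterwards instead of leaving the socket group-accessible.
    - name: remember original permissions of the agent socket directory
      stat:
        path: "{{ ansible_env.SSH_AUTH_SOCK | dirname }}"
      register: sock_dir

    - block:
        - name: grant apache temporary access to the forwarded agent socket
          file:
            path: "{{ item }}"
            group: apache
            mode: g+rwx
          loop:
            - "{{ ansible_env.SSH_AUTH_SOCK | dirname }}"
            - "{{ ansible_env.SSH_AUTH_SOCK }}"

        - name: clone repository as apache using the forwarded key
          git:
            repo: git@test-git-01:testgroup/testrepo.git
            dest: /www/testsite.ru/htdocs/
          become_user: apache

      always:
        # Runs even if the clone fails: closing the directory again (it is normally
        # 0700 and owned by the login user) is enough to cut apache off from the socket.
        - name: revoke apache's access to the agent socket
          file:
            path: "{{ ansible_env.SSH_AUTH_SOCK | dirname }}"
            group: "{{ sock_dir.stat.gr_name }}"
            mode: "{{ sock_dir.stat.mode }}"
```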



