Is there a way to exclusively manage multiple ssh keys with differing per-key options using ansible?
-
Ansible provides a https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html module which provides a lot of functionality:
- You can set exclusive: true to delete all other keys.
- You can set key_options: ... .
- You can list multiple keys in key by separating them with new lines.
Is there a way to combine all of the above?
The naive approach results in the key_options being applied to all keys rather than having key options per key.
Is this a case of generating authorized_keys using ansible.builtin.file given the exclusiveness?
-
One approach would be to use multiple authorized keys files, authorized_keys2 (https://serverfault.com/questions/116177/whats-the-difference-between-authorized-keys-and-authorized-keys2) but there's no reason you can't use it, and you can specify multiple authorized keys files in sshd config:
AuthorizedKeysFile
Specifies the file that contains the public keys used for user authentication. The format is described in the AUTHORIZED_KEYS FILE FORMAT section of sshd(8). Arguments to AuthorizedKeysFile accept the tokens described in the TOKENS section. After expansion, AuthorizedKeysFile is taken to be an absolute path or one relative to the user's home directory. Multiple files may be listed, separated by whitespace. Alternately this option may be set to none to skip checking for user keys in files. The default is ".ssh/authorized_keys .ssh/authorized_keys2".
This might not be the optimal solution to your problem, but I think you're going to have to hack on Ansible yourself to get it to do what you want.
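A sketch of the multiple-file approach from the answer above, added here as an example and not taken from the answer or from the Ansible project: one file per distinct option set, each written with exclusive: true so unlisted keys are removed from every file sshd reads. The account name, home path, public key file paths, forced command and the sshd service name are assumptions.

```yaml
# Added example. Account, paths, forced command and key files are hypothetical.
- name: Exclusive authorized keys, one file per option set
  hosts: all
  become: true
  vars:
    ssh_user: deploy                      # assumed account with home in /home
    key_groups:
      - file: authorized_keys             # unrestricted keys
        opts: ""
        pubkeys:
          - "{{ lookup('ansible.builtin.file', 'keys/admin.pub') }}"
      - file: authorized_keys2            # restricted keys share one option set
        opts: 'command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding'
        pubkeys:
          - "{{ lookup('ansible.builtin.file', 'keys/backup1.pub') }}"
          - "{{ lookup('ansible.builtin.file', 'keys/backup2.pub') }}"
  tasks:
    # Some distributions ship a config that lists only .ssh/authorized_keys,
    # so set the option explicitly and let sshd validate the file first.
    - name: Make sshd read exactly the files managed below
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*AuthorizedKeysFile\s'
        line: AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
        insertbefore: '^Match '           # keep the setting global
        firstmatch: true
        validate: /usr/sbin/sshd -t -f %s
      notify: Reload sshd

    # exclusive is not loop aware: it is exclusive per iteration. That is fine
    # here because every iteration targets a different file. Every file named
    # in AuthorizedKeysFile must appear in key_groups, or stale keys survive.
    - name: Write each file exclusively with its own key_options
      ansible.posix.authorized_key:
        user: "{{ ssh_user }}"
        path: "/home/{{ ssh_user }}/.ssh/{{ item.file }}"
        manage_dir: false
        key: '{{ item.pubkeys | join("\n") }}'
        key_options: "{{ item.opts | default(omit, true) }}"
        exclusive: true
        state: present
      loop: "{{ key_groups }}"

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd                        # assumed unit name
        state: reloaded
```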