Is there a way to exclusively manage multiple ssh keys with differing per-key options using ansible?



  • Ansible provides an authorized_key module (https://docs.ansible.com/ansible/latest/collections/ansible/posix/authorized_key_module.html) which provides a lot of functionality:

    • You can set exclusive: true to delete all other keys.
    • You can set key_options: ....
    • You can list multiple keys in key by separating them with new lines.

    Is there a way to combine all of the above?

    The naive approach results in the key_options being applied to all keys rather than having key options per key.

    Is this a case of generating authorized_keys using ansible.builtin.file given the exclusiveness?



  • One approach would be to use multiple authorized keys files, authorized_keys2 (https://serverfault.com/questions/116177/whats-the-difference-between-authorized-keys-and-authorized-keys2) but there's no reason you can't use it, and you can specify multiple authorized keys files in sshd config:

    AuthorizedKeysFile
    
     Specifies the file that contains the public keys used for
     user authentication.  The format is described in the
     AUTHORIZED_KEYS FILE FORMAT section of sshd(8).  Arguments
     to AuthorizedKeysFile accept the tokens described in the
     TOKENS section.  After expansion, AuthorizedKeysFile is
     taken to be an absolute path or one relative to the user's
     home directory.  Multiple files may be listed, separated by
     whitespace.  Alternately this option may be set to none to
     skip checking for user keys in files.  The default is
     ".ssh/authorized_keys .ssh/authorized_keys2".
    

    This might not be the optimal solution to your problem, but I think you're going to have to hack on Ansible yourself to get it to do what you want.
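
The file-generation route raised in the question, as an added example that is not part of either post: the whole authorized_keys file is rendered from a per-key list, so it is exclusive by construction and each key carries its own options. The account name, home path, key material and option values are constructed placeholders, and removing authorized_keys2 assumes sshd still uses the default AuthorizedKeysFile quoted above.

```yaml
# Added example playbook; all variable values below are constructed placeholders.
- name: Manage authorized_keys exclusively with per-key options
  hosts: all
  become: true
  vars:
    ssh_user: deploy                      # hypothetical account
    ssh_home: "/home/{{ ssh_user }}"      # assumed home directory layout
    ssh_keys:
      - key: "ssh-ed25519 AAAA_PLACEHOLDER_KEY_1 alice@example"
        options: ""                       # unrestricted interactive key
      - key: "ssh-ed25519 AAAA_PLACEHOLDER_KEY_2 backup@example"
        # restricted key: forced command, no forwarding, no pty, source-limited
        options: 'command="/usr/local/bin/backup-only",no-port-forwarding,no-pty,from="192.0.2.10"'
  tasks:
    - name: Ensure ~/.ssh exists with strict permissions
      ansible.builtin.file:
        path: "{{ ssh_home }}/.ssh"
        state: directory
        owner: "{{ ssh_user }}"
        group: "{{ ssh_user }}"
        mode: "0700"

    - name: Write authorized_keys (any key not in ssh_keys is dropped)
      ansible.builtin.copy:
        dest: "{{ ssh_home }}/.ssh/authorized_keys"
        owner: "{{ ssh_user }}"
        group: "{{ ssh_user }}"
        mode: "0600"
        content: |
          # Managed by Ansible; manual changes are overwritten.
          {% for item in ssh_keys %}
          {{ (item.options ~ ' ') if item.options | default('') else '' }}{{ item.key }}
          {% endfor %}

    # With the default AuthorizedKeysFile, sshd also reads authorized_keys2,
    # so a key left there would bypass the exclusive list above.
    - name: Remove unmanaged authorized_keys2
      ansible.builtin.file:
        path: "{{ ssh_home }}/.ssh/authorized_keys2"
        state: absent
```

Run it with `--check --diff` first to see which existing keys would be removed from the target account.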


