In this blog we will set up an SSH key and an initial user using an Ansible playbook.
To create a new user on an Ubuntu system, you need the following:
- A username and password
- The public key of the user
- You will first create the user on one machine; this can be your local workstation
- Generate an SSH key for this user
- Put that user's public key on the remote hosts
- Add that user to sudoers.d
Now we want to disable password authentication on all the remote hosts. This means no user, root included, can log in to the system with a password; they have to use SSH keys only.
Steps (on the machine where the devops user is first created):
- Log in as root
- Create the devops user, set its password and give it passwordless sudo
- Hash the password, because the playbook passes a password hash (not the clear-text password) to the user module

```shell
# become root
sudo su

# create the user with a home directory and bash shell, then set its password
useradd -m -s /bin/bash devops
passwd devops

# passwordless sudo for devops
echo -e 'devops\tALL=(ALL)\tNOPASSWD:\tALL' > /etc/sudoers.d/devops

# mkpasswd comes from the whois package on Ubuntu; it prints a salted
# SHA-512 crypt hash that goes into the playbook's devops_password variable
sudo apt install whois -y
mkpasswd --method=sha-512
```

Type the password 'devops' at the mkpasswd prompt and keep the hash it prints.
Generate a new SSH key
- Log in as the devops user
- ssh-keygen -t rsa
This generates the private and public key files for the devops user (/home/devops/.ssh/id_rsa and /home/devops/.ssh/id_rsa.pub).
Now we have to add this public key to all the remote hosts.
Create an Ansible playbook named add-user-ssh.yml:
```yaml
---
- hosts: all
  gather_facts: no
  remote_user: ubuntu
  become: true
  vars:
    # the SHA-512 crypt hash printed by mkpasswd, not the clear-text password
    devops_password: 'abcddefsfdfdfdfdfdfdfdfdfdfd'

  tasks:
    - name: Add a new user named devops
      user:
        name: devops
        shell: /bin/bash
        password: "{{ devops_password }}"

    - name: Add devops user to the sudoers
      copy:
        dest: /etc/sudoers.d/devops
        content: "devops ALL=(ALL) NOPASSWD: ALL\n"
        mode: '0440'
        # refuse to install a sudoers fragment that visudo rejects
        validate: /usr/sbin/visudo -cf %s

    - name: Deploy SSH Key
      authorized_key:
        user: devops
        # the lookup reads the file on the control node, i.e. the key generated above
        key: "{{ lookup('file', '/home/devops/.ssh/id_rsa.pub') }}"
        state: present

    - name: Disable Password Authentication
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PasswordAuthentication'
        line: PasswordAuthentication no
        state: present
        backup: yes
      notify: restart ssh

    - name: Disable Root Login
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^PermitRootLogin'
        line: PermitRootLogin no
        state: present
        backup: yes
      notify: restart ssh

  handlers:
    - name: restart ssh
      service:
        # the service is called ssh on Ubuntu (sshd is only an alias)
        name: ssh
        state: restarted
```
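The two lineinfile tasks above only work as intended when sshd reads the resulting file the way the playbook author expects. sshd uses the first value it finds for a keyword, keyword names are case-insensitive, and a directive that appears after a Match line applies only inside that Match block. Because the regexp '^PasswordAuthentication' matches neither the commented-out '#PasswordAuthentication yes' of a stock config nor an indented or lower-cased line, lineinfile appends the directive at the end of the file, which is wrong whenever the file ends with a Match block or an earlier line already sets the keyword. The following Python audit, added here as an example and not part of the original post, parses an sshd_config text with those rules and reports both problems; the sample configs are constructed for the demonstration.

```python
# Added example: audit an sshd_config the way sshd itself reads it.
import re
import textwrap

# Global values the playbook is supposed to enforce.
REQUIRED = {"passwordauthentication": "no", "permitrootlogin": "no"}


def parse_sshd_config(text):
    """Return (global_settings, problems) for the text of an sshd_config.

    global_settings maps lower-cased keyword -> first value seen outside any
    Match block, which is the value sshd will actually use.
    """
    global_settings = {}
    problems = []
    in_match = None  # criteria of the Match block we are inside, if any
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts 'Keyword value' and 'Keyword=value'.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = value
            continue
        if key == "include":
            # Included files are read at this point, so their values win over
            # anything later in this file; they cannot be checked from the text alone.
            problems.append(f"line {lineno}: Include {value} is read here and wins over later lines")
            continue
        if in_match is not None:
            if key in REQUIRED:
                problems.append(f"line {lineno}: {key} inside 'Match {in_match}' does not apply globally")
            continue
        if key in global_settings:
            problems.append(f"line {lineno}: duplicate {key}; first value '{global_settings[key]}' wins")
            continue
        global_settings[key] = value
    return global_settings, problems


def audit(text):
    """Return a list of findings; an empty list means both settings are enforced."""
    settings, problems = parse_sshd_config(text)
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            problems.append(f"{key} is not set globally, so sshd's default applies")
        elif actual.lower() != wanted:
            problems.append(f"{key} is '{actual}', expected '{wanted}'")
    return problems


# Constructed sample configs (not taken from any real host).
GOOD = textwrap.dedent("""\
    Port 22
    PasswordAuthentication no
    PermitRootLogin no
""")

# The stock '#PasswordAuthentication yes' is commented out and the file ends
# with a Match block, so lineinfile appends both directives inside that block.
APPENDED_INTO_MATCH = textwrap.dedent("""\
    Port 22
    #PasswordAuthentication yes
    Match User backup
        PasswordAuthentication yes
    PasswordAuthentication no
    PermitRootLogin no
""")

# An earlier explicit 'yes' silently beats the appended 'no'.
FIRST_VALUE_WINS = textwrap.dedent("""\
    PasswordAuthentication yes
    PermitRootLogin no
    PasswordAuthentication no
""")

if __name__ == "__main__":
    for name, cfg in [("GOOD", GOOD), ("APPENDED_INTO_MATCH", APPENDED_INTO_MATCH),
                      ("FIRST_VALUE_WINS", FIRST_VALUE_WINS)]:
        print(name, audit(cfg) or ["ok"])
```

To use it on a real host, pass the contents of /etc/ssh/sshd_config to audit() after the playbook has run. An empty result means both directives are set globally with the wanted value; anything else is a finding to fix before relying on the playbook, for example by using a regexp such as '^#?PasswordAuthentication' together with insertbefore or by placing the directives in a dedicated file under /etc/ssh/sshd_config.d on releases whose config includes that directory.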
Run the playbook:
ansible-playbook add-user-ssh.yml -i hosts
Validate that password authentication is disabled
$ ssh servername -o PubkeyAuthentication=no
You will get "Permission denied (publickey)."
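The refusal message is more informative than a simple pass/fail: the list in parentheses is the set of authentication methods sshd would still accept, so "Permission denied (publickey,password)." means the host still takes passwords, and keyboard-interactive in that list means the same for PAM-backed password prompts. The following Python helper, added here as an example and not part of the original post, runs the validation command and interprets that message; the command runner is injectable so the parsing can be exercised without a real host, and the default runner is an assumption about how you would invoke ssh from Python.

```python
# Added example: interpret sshd's "Permission denied (...)" message.
import re
import subprocess

DENIED = re.compile(r"Permission denied \(([^)]*)\)")
PASSWORD_METHODS = {"password", "keyboard-interactive"}


def offered_auth_methods(stderr):
    """Set of methods sshd still offered in its 'Permission denied (...)' line, or None."""
    m = DENIED.search(stderr)
    if not m:
        return None
    return {x.strip() for x in m.group(1).split(",") if x.strip()}


def password_auth_disabled(stderr):
    """True/False from sshd's refusal message; None if no such message was seen."""
    methods = offered_auth_methods(stderr)
    if methods is None:
        return None  # login succeeded, host unreachable, or some other error
    return not (methods & PASSWORD_METHODS)


def check_host(host, user="devops", runner=None):
    """Run the post's validation command against host and interpret the result."""
    # BatchMode=yes stops ssh from prompting for a password, so the command
    # cannot hang even if the playbook did not take effect.
    cmd = ["ssh", "-o", "PubkeyAuthentication=no", "-o", "BatchMode=yes",
           "-o", "ConnectTimeout=10", f"{user}@{host}", "true"]
    if runner is None:
        # assumption: plain subprocess invocation of the system ssh client
        runner = lambda c: subprocess.run(c, capture_output=True, text=True)
    return password_auth_disabled(runner(cmd).stderr)
```

Loop check_host over the hosts in your inventory after the playbook run; a result of None means the check itself did not get as far as authentication (for example a connection refused) and needs looking at separately from a False.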