Dec 22 2013

A few days ago I configured a new server to be an Ansible node. This will allow my Ansible configuration tool to configure it and install software.

Installing Ansible and getting it running is not covered by this post. All I show here is how I got a remote server ready to be configured by Ansible.

The server in question was running FreeBSD 9.2 with a ZFS root.

Preparing the client for configuration by Ansible

Key to how Ansible works is ssh. Ansible also needs root access. Rather than allowing root to ssh in, which is never a good idea, I created a user specifically for Ansible. Ansible can be configured to use a different login for various hosts, but I decided to use just one user. This user will be the same on all hosts and it will have sudo access. The sudo authentication will be via ssh-agent. I got my start on this path by talking with the highly respected and knowledgeable Michael W. Lucas.

Here are the steps I am about to describe:

  1. create ansible user
  2. add authorized_keys
  3. install tools required by Ansible
  4. configure ssh agent auth for sudo

Create the ansible user

It does not matter what user you create. The actual login name is not important. I picked ansible and created it with this command:

pw useradd -n ansible -s /bin/sh -m -d /usr/home/ansible -G wheel

The user is in the wheel group, so it can use sudo later.

Add authorized_keys

Next, I create the .ssh directory:

mkdir /usr/home/ansible/.ssh
chown ansible:ansible /usr/home/ansible/.ssh
chmod 0700 /usr/home/ansible/.ssh

I had already created a set of ssh-keys for this user. The public key was then copied to this file:

/usr/home/ansible/.ssh/authorized_keys
chown ansible:ansible /usr/home/ansible/.ssh/authorized_keys

At this point, the ansible user should be able to log in via ssh.

But before you log in for the first time!

The safe approach is always to know your server’s ssh host key fingerprint before connecting. Make sure the output of this command, issued on the server in question:

# ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
256 bf:f1:ad:8d:0f:99:fb:fb:49:f6:5c:e9:70:0b:87:ae /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)

… matches what you see here when you first connect:

# ssh -A ansible@10.1.1.10
The authenticity of host '10.1.1.10 (10.1.1.10)' can't be established.
ECDSA key fingerprint is bf:f1:ad:8d:0f:99:fb:fb:49:f6:5c:e9:70:0b:87:ae.
Are you sure you want to continue connecting (yes/no)? yes

Install tools required by Ansible

There are a few tools required by Ansible. Let’s get them installed. These commands are suitable for unattended installs (i.e. you will not be prompted):

env ASSUME_ALWAYS_YES=YES pkg bootstrap

pkg install -y sudo
pkg install -y python
pkg install -y security/pam_ssh_agent_auth

Next, run visudo to allow the wheel group to use sudo, by making sure this line is uncommented:

%wheel ALL=(ALL) ALL

Configure ssh agent auth for sudo

In this step, I relied heavily upon Mr Lucas’ blog post on sudo auth via ssh-agent.

The only major difference in my setup is this line at the head of /usr/local/etc/sudoers. Run visudo to add this line:

Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK",timestamp_timeout=0

Your user should now be able to use sudo without typing a password. The authentication will go through ssh-agent instead.
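The steps above, collected into one re-runnable script as an added example (this is not the post's own code). It assumes three inputs the post does not name: ANSIBLE_PUBKEY (the ansible user's public key), SERVER (the new node's address) and EXPECTED_FP (the host fingerprint read from the server console, in the same format your local ssh-keygen prints); the pam_ssh_agent_auth PAM setup is left to the step described in the post.

```sh
#!/bin/sh
# Added example (not the post's code): the steps above as re-runnable shell
# functions, plus a client-side host-key check before the first connection.
# Assumed inputs: ANSIBLE_PUBKEY, SERVER, EXPECTED_FP (see lead-in).
set -eu
ANSIBLE_USER=${ANSIBLE_USER:-ansible}
HOME_DIR=/usr/home/$ANSIBLE_USER

# The Defaults line from the post, kept in one place so it can be validated.
sudoers_defaults_line() {
  printf '%s\n' 'Defaults env_keep += "SSH_CLIENT SSH_CONNECTION SSH_TTY SSH_AUTH_SOCK",timestamp_timeout=0'
}
# Whole-line exact match in a file; a missing file counts as absent.
line_present() { grep -qxF -- "$1" "$2" 2>/dev/null; }

# Compare the fingerprint field of "ssh-keygen -l" output with the value
# recorded out of band; empty output or any mismatch is a failure.
fingerprint_matches() {
  actual=$(printf '%s\n' "$2" | awk 'NR == 1 { print $2 }')
  [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# Client side: fetch the ECDSA host key without trusting it, fingerprint it
# locally, and pin it in known_hosts only if it matches the recorded value.
verify_host_key() {
  tmp=$(mktemp)
  ssh-keyscan -t ecdsa "$SERVER" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
  if fingerprint_matches "$EXPECTED_FP" "$(ssh-keygen -lf "$tmp")"; then
    cat "$tmp" >> "$HOME/.ssh/known_hosts"; rc=0
  else
    echo "host key MISMATCH for $SERVER, not connecting" >&2; rc=1
  fi
  rm -f "$tmp"; return $rc
}

# Server side: steps 1 to 3 of the post plus the sudoers lines, safe to re-run.
# Assumes the stock FreeBSD sudoers includes /usr/local/etc/sudoers.d.
provision() {
  pw usershow "$ANSIBLE_USER" >/dev/null 2>&1 ||
    pw useradd -n "$ANSIBLE_USER" -s /bin/sh -m -d "$HOME_DIR" -G wheel
  install -d -o "$ANSIBLE_USER" -g "$ANSIBLE_USER" -m 0700 "$HOME_DIR/.ssh"
  line_present "$ANSIBLE_PUBKEY" "$HOME_DIR/.ssh/authorized_keys" ||
    printf '%s\n' "$ANSIBLE_PUBKEY" >> "$HOME_DIR/.ssh/authorized_keys"
  chown "$ANSIBLE_USER:$ANSIBLE_USER" "$HOME_DIR/.ssh/authorized_keys"
  chmod 0600 "$HOME_DIR/.ssh/authorized_keys"
  env ASSUME_ALWAYS_YES=YES pkg bootstrap
  pkg install -y sudo python security/pam_ssh_agent_auth
  d=/usr/local/etc/sudoers.d   # sudo ignores names containing "." until renamed
  { sudoers_defaults_line; printf '%s\n' '%wheel ALL=(ALL) ALL'; } > "$d/ansible.tmp"
  visudo -cf "$d/ansible.tmp" && mv "$d/ansible.tmp" "$d/ansible"
}
case "${1:-}" in verify) verify_host_key ;; provision) provision ;; esac
```

Run `sh script.sh verify` from the workstation first; only when it reports a match run `sh script.sh provision` as root on the server, then `ssh -A ansible@SERVER` will connect without a host-key prompt.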

That’s all folks!

Now Ansible should be able to connect to the host and configure it!