04.CREATE ADMIN ACCESS
CONTROLLER NODE
//generate ssh keys and exchange with managed nodes
root@oco:~$ su - ansible-admin
root@oco:~$ ssh-keygen -t rsa -b 4096
...
* accept the defaults by pressing <enter>; note that pressing <enter> at the passphrase prompt leaves the private key unencrypted, so id_rsa must stay readable only by ansible-admin
root@oco:~$ ls /home/ansible-admin/.ssh
id_rsa.pub id_rsa
//exchange ansible admin user public key with managed nodes
root@controllerNode:~$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1...
* copy the public key (the contents of id_rsa.pub, never id_rsa) for pasting into the managed nodes
MANAGED NODES
LINUX
root@managedNode:~$ sudo su ansible-admin
root@managedNode:~$ cd ~
root@managedNode:~$ mkdir -p /home/ansible-admin/.ssh
root@managedNode:~$ nano authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD1cvpFRREni1...
...
* paste the ansible-admin public key into /home/ansible-admin/.ssh/authorized_keys, i.e. inside the .ssh directory created above (which is where the AuthorizedKeysFile setting below points), not into a file in the home directory itself; the .ssh directory and the file must be owned by ansible-admin and not writable by anyone else, otherwise sshd ignores them by default
root@managedNode:~$ sudo systemctl enable --now ssh
...
//verify: if key-based login from the controller fails, check the sshd settings below
root@managedNode:~$ grep -Ei 'PubkeyAuthentication|PasswordAuthentication|AuthorizedKeysFile' /etc/ssh/sshd_config
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#PasswordAuthentication yes
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication, then enable this but set PasswordAuthentication
root@managedNode:~$ sudo nano /etc/ssh/sshd_config
* uncomment or add the following lines
- PubkeyAuthentication yes
- AuthorizedKeysFile .ssh/authorized_keys
- PasswordAuthentication yes (optional: keep only while password fallback is still required; the parenthetical is a note, not part of the directive)
* for key-based ONLY access (hardened), and only after confirming that key-based login from the controller works, set the following
- PasswordAuthentication no
root@managedNode:~$ sudo systemctl restart ssh
...
//verify: confirm that ssh ansible-admin@managedNode from the controller node logs in without a password prompt
WINDOWS
//switch to ansible-admin user
Windows Menu > ansible-admin
//create ssh directory
PS C:\managedNode1> $sshDir = "C:\ProgramData\ssh\administrators_authorized_keys"
* administrators_authorized_keys is a file, not a directory: because ansible-admin is a member of the Administrators group, OpenSSH reads its key from C:\ProgramData\ssh\administrators_authorized_keys rather than from C:\Users\ansible-admin\.ssh\authorized_keys (the per-user location for non-administrator accounts)
* as written, $sshDir names that file, so New-Item creates a directory with its name and Set-Content writes a separate authorized_keys file inside it, which sshd never reads; set $sshDir to the C:\ProgramData\ssh directory instead and write the key to "$sshDir\administrators_authorized_keys", matching the path used by icacls below
* ensure that this is a plain text file with no .txt extension
PS C:\managedNode1> New-Item -ItemType Directory -Force -Path $sshDir
//paste ansible-admin public key from Linux
PS C:\managedNode1> $pubKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQD1cvpFRREni1..."
PS C:\managedNode1> Set-Content -Path "$sshDir\authorized_keys" -Value $pubKey
* Replace with the actual public key from the controller node
//fix permissions: remove inherited ACEs so that only Administrators and SYSTEM (the account sshd runs under) can access the file; add /grant "SYSTEM:F" next to the Administrators grant below, since sshd may otherwise reject or be unable to read the file
PS C:\managedNode1> icacls "C:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r
PS C:\managedNode1> icacls "C:\ProgramData\ssh\administrators_authorized_keys" /grant "Administrators:F"
//enable and start the OpenSSH server service
PS C:\managedNode1> Set-Service -Name sshd -StartupType 'Automatic'
PS C:\managedNode1> Start-Service sshd