#44 closed Task (Done)

Use Ansible to update ssh keys for feurig and joe.

Reported by: D Delmar Davis
Owned by:
Priority: Important
Milestone: Make Shit Happen / Own Your Shit.
Component: Infrastructure
Keywords: security
Cc: Joe Dumoulin

Description

Make a playbook or document doing it by hand.

Change History (10)

comment:1 Changed 21 months ago by D Delmar Davis

Need this for spare laptop while mine is in the shop.

comment:2 Changed 21 months ago by D Delmar Davis

Owner: D Delmar Davis deleted

Will do this when the new computer.

comment:3 Changed 20 months ago by D Delmar Davis

https://docs.ansible.com/ansible/latest/modules/authorized_key_module.html#authorized-key-module

- name: Set authorized key, removing all the authorized keys already set
  authorized_key:
    user: root
    key: '{{ item }}'
    state: present
    exclusive: True
  with_file:
    - public_keys/doe-jane
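
An added example (not part of the ticket or of the suspectdevicesadmin playbooks) extending the snippet above to both accounts named in the ticket title. `exclusive` is not loop-aware, so every key for an account has to be passed in one newline-separated string. The `public_keys/<user>` layout (one file per user, one key per line) and `hosts: all` are assumptions.

```yaml
# Added example. Assumed layout: public_keys/feurig and public_keys/joe sit
# beside the playbook, each holding that user's public keys, one per line.
- hosts: all            # assumption: narrow this to the inventory group in use
  become: true
  vars:
    key_users:          # account names taken from the ticket title
      - feurig
      - joe
  tasks:
    - name: Stop early if a key file is empty
      assert:
        that:
          - lookup('file', 'public_keys/' + item) | trim | length > 0
        fail_msg: "public_keys/{{ item }} is empty; refusing to rewrite authorized_keys"
      loop: "{{ key_users }}"

    - name: Make authorized_keys match public_keys/<user> exactly
      authorized_key:
        user: "{{ item }}"
        # exclusive applies per module call: with one key per loop iteration
        # only the last key would survive, so the whole file goes in at once.
        key: "{{ lookup('file', 'public_keys/' + item) }}"
        state: present
        exclusive: true
      loop: "{{ key_users }}"
```

Running it first with `ansible-playbook --check --diff` shows which keys would be added or dropped on each host before anything is written.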

comment:4 Changed 19 months ago by D Delmar Davis

From https://v-punk.com/automate-password-changes-with-ansible/

tasks:
  - name: Change xxx password
    user: name=xxx update_password=always password=HASHGOESHERE

comment:5 Changed 19 months ago by D Delmar Davis

comment:6 Changed 18 months ago by D Delmar Davis

Ansible is a major fucking pain in the ass (4 days figuring out which fucking valid regex actually worked).
Have working password propagation at
https://bitbucket.org/suspectdevicesadmin/ansible/src/master/playbooks/set-passwords.yml

To use it:

  • Change your password on kb2018
  • Run ansible-playbook /etc/ansible/playbooks/set-passwords.yml (as root)
Last edited 18 months ago by D Delmar Davis

comment:7 Changed 18 months ago by D Delmar Davis

Since bs2020 is a failsafe for access to kb2018, this does not currently update its password.
(Will fix this when everyone has discussed it.)

comment:8 Changed 18 months ago by D Delmar Davis

Actually I lied. It sets bs2020's as well.

On to propagate the ssh keys....

comment:9 Changed 18 months ago by D Delmar Davis

Added key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdd/Y6GAN71DucDBAftteSpibpKc0QKKl3OWQQ8c3p4yO3akrfw6Ozln+t5YbLDZWfmP477sXp4ykg8pIOMRp4n7G6q9DOhyYYpl73HuXyHo25a8PLoC1Cf08Nxxv+fusIGSpooROxW/1YklclEq2MY3Tyvp2N/QBB+nPbwkvwMp1THiLJKzwPm7TO26RmgzHCVjIHHioY9KHj6AgeNUufN/kLH4vH59+VSMA59sukIxxYoCe8chSmIab3JYWhUklV90+UU5iU74DuV1sdVzCiAbpOZ37FTCJWTJa3LiNpTzitUc2ZBMiCRzlIOLD9zK9HmyqkAn7fAmTQb0mU+Et/ joe@joe-dldev
to kb2018 and removed nextit key.

Please test and I will propagate with script when complete.

comment:10 Changed 18 months ago by D Delmar Davis

Resolution: Done
Status: assigned → closed
  • Keys and passwords are updated on all systems.
  • Passwords are updated on susdev20 profile. Will need to update keys manually.
  • Will need to write up script usage.