ansible ssh connections with two factor auth

I'm setting up Ansible to manage a whole farm of servers. My approach is the following:

Allow a user to connect to all servers protecting his connections with a heavy RSA key, passphrase protected, and user password.

In order to automate as much as possible the process I would like to pass the RSA passphrase and the user password in a vault file or an encrypted string.

When I'm testing (passing the passwords manually) with just a ping to a test server if I set up in client both authentication methods (publickey + user password), I'm prompted for RSA passphrase but no password, and obviously the execution of the playbook fails.

If I just set up user password as the authentication method, the playbook is executed normally.

If I just set up RSA key with its passphrase authentication, the job does not end. This is the output I've had on my screen for at least 30 minutes (time for research, coffee, ...):

PLAY [all] ******************************************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************************************
Enter passphrase for key '/home/users/<user_name>/.ssh/id_rsa': 
ok: [<test_server_ip_address>]

TASK [include vars] *********************************************************************************************************************************************************
ok: [<test_server_ip_address>]

TASK [test connection] ******************************************************************************************************************************************************

And nothing else.

The playbook that I'm trying to execute is this one

---
- hosts: all
  tasks:
    - name: test connection
      ping:

And the command to execute the playbook is the next one:

ansible-playbook -i ansible_hosts/test_hosts.yml playbooks/ping.yml

The content of test_host.yml :

all:
  hosts:
    <test_server_ip_address>

My question is:

Is it possible to set up two-factor authentication for Ansible? And if yes, can anyone point me in the right direction please?

1
asked 20 December 2017 at 12:47
1 answer

I doubt you can use the ssh key passphrase from the Ansible vault, but the general 2-factor workflow is as follows:

On the server side, enable two-factor authentication with

AuthenticationMethods "publickey,password"

in sshd_config.

On the client side (Ansible):

  1. Set up ssh-agent, add the password-protected key to the agent when a connection is required.
  2. Define ansible_password in the Ansible vault for each host
  3. Run the playbook
2
answered 3 December 2019 at 20:17
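
A check for the server-side step of the answer above, added here as an example that is not part of the original answer: it reads sshd_config text and confirms that the global AuthenticationMethods value demands both publickey and password. It goes beyond the single-list case in the answer by handling several alternative lists; the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: does the global AuthenticationMethods setting in
# sshd_config text really demand both a public key and a password?

# Print the value of the first global AuthenticationMethods line.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block, which this
# sketch does not evaluate (on a real host, sshd -T prints the
# effective configuration).
auth_methods() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "authenticationmethods" {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
            gsub(/"/, "")                      # drop optional quotes
            print; exit
        }'
}

# Succeed only if every alternative list (space separated) contains both
# publickey and password (comma separated). sshd accepts a login that
# completes any one list, so a single weaker list lets a client skip a
# factor.
requires_both_factors() {
    methods=$(auth_methods)
    [ -n "$methods" ] || return 1          # unset: the default is "any"
    for list in $methods; do
        case ",$list," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$list," in *,password,*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample inputs.
GOOD='PasswordAuthentication yes
AuthenticationMethods "publickey,password"'
WEAK='AuthenticationMethods publickey,password publickey'

check() {
    printf '%s\n' "$1" | requires_both_factors \
        && echo "both factors enforced" || echo "NOT enforced"
}
check "$GOOD"
check "$WEAK"
```
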