I have implemented SSH CA client signing on my servers. Sshd is configured on my servers with the following directive:
TrustedUserCAKeys /etc/ssh/trusted-users-ca.pem
I modified my local ssh config file so my cert is sent as well, when I connect to my servers:
Host *.internal.headincloud.be
User centos
IdentityFile ~/.ssh/datacenter-hic-deploy
CertificateFile = ~/.ssh/datacenter-hic-deploy-cert.pub
This seems to work just fine, and I'm able to connect to my server without the need to deploy an authorized_keys file.
However, Ansible is unable to connect my servers:
TASK [Gathering Facts] *********************************************************************************************************************************************************************
fatal: [postgres-01]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"192.168.90.40\". Make sure this host can be reached over ssh", "unreachable": true}
Like I already mentioned, I'm able to connect via ssh just fine.
I suspect Ansible is not sending the certificate file along, and that's why I am unable to connect.
I tried modifying my ansible.cfg as follows:
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -i ~/.ssh/datacenter-hic-deploy-cert.pub
or
ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -i /Users/jeroenjacobs/.ssh/datacenter-hic-deploy-cert.pub
Neither of those work.
I cannot find a way to tell Ansible how to do this. Anyone an idea?
At first glance Ansible seems to connect to a host named 192.168.90.40, but your ssh config is set up for hosts using host names ending in *.internal.headincloud.be, not IP addresses. Check your inventory; possibly you need to ensure that Ansible connects using the correct host name in the ssh connection rather than the IP address, or you will need to make a second stanza in your ~/.ssh/config matching the IP addresses you're using.
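To show why the stanza above is never applied when Ansible connects by IP, here is an added Python model of ssh_config Host matching and first-value-wins resolution (example code, not the answerer's or OpenSSH's own); the 192.168.90.* range and the excluded .1 address in the second stanza are assumptions, not values from the page.

```python
import re

# Constructed copy of the asker's ~/.ssh/config stanza from the question.
ASKER_CONFIG = """
Host *.internal.headincloud.be
    User centos
    IdentityFile ~/.ssh/datacenter-hic-deploy
    CertificateFile = ~/.ssh/datacenter-hic-deploy-cert.pub
"""

# Same config plus a second stanza for IP-addressed hosts (assumed range).
FIXED_CONFIG = ASKER_CONFIG + """
Host 192.168.90.* !192.168.90.1
    User centos
    IdentityFile ~/.ssh/datacenter-hic-deploy
    CertificateFile ~/.ssh/datacenter-hic-deploy-cert.pub
"""

def glob_to_re(pattern):
    # ssh_config patterns only know '*' and '?'; everything else is literal.
    return "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"

def host_matches(patterns, hostname):
    """A matching '!' pattern vetoes the stanza; else any positive match applies it."""
    positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if re.match(glob_to_re(pat[1:] if negated else pat), hostname):
            if negated:
                return False
            positive = True
    return positive

def effective_options(config_text, hostname):
    """Walk stanzas in order; keep the first value obtained per keyword, like ssh does."""
    opts, active = {}, True  # lines before any Host line apply to all hosts
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$", line)  # 'Key value' or 'Key = value'
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value.split(), hostname)
        elif active:
            opts.setdefault(key, value)
    return opts

if __name__ == "__main__":
    print(effective_options(ASKER_CONFIG, "192.168.90.40").get("certificatefile"))
    print(effective_options(FIXED_CONFIG, "192.168.90.40").get("certificatefile"))
```

`ssh -G 192.168.90.40` prints the same resolved options for a real config, so it is the quick check for whether `certificatefile` is actually set for the host Ansible uses.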
You can make Ansible use an arbitrary private key by setting the ansible_ssh_private_key_file variable. The best place to set this variable depends on which servers the key needs to be used with. If it's every server, then you could do something like this: