I can’t figure out why does an SSH public key file generated by ssh-keygen have a user and host at the end of it.
Example: id_rsa.pub
ssh-rsa ... rest of file ... /CA9gyE8HRhNMG6ZDwyhPBbDfX root@mydomain
Notice the root@mydomain at the end of the file.
If I can use the public key anywhere with any user to authenticate using my private key, what significance does the root@mydomain have on the authentication process?
Or is it just a place holder to figure our who was it issued by?
I would like to use ansible to manage a group of existing servers. I have created an ansible_hosts file, and tested successfully (with the -K option) with commands that only target a single host
ansible -i ansible_hosts host1 --sudo -K # + commands ...
My problem now is that the user passwords on each host are different, but I can't find a way of handling this in Ansible.
Using -K, I am only prompted for a single sudo password up-front, which then seems to be tried for all subsequent hosts without prompting:
host1 | ...
host2 | FAILED => Incorrect sudo password
host3 | FAILED => Incorrect sudo password
host4 | FAILED => Incorrect sudo password
host5 | FAILED => Incorrect sudo password
Research so far:
a StackOverflow question with one incorrect answer ("use -K") and one response by the author saying "Found out I needed passwordless sudo"
the Ansible docs, which say "Use of passwordless sudo makes things easier to automate, but it’s not required." (emphasis mine)
this security StackExchange question which takes it as read that NOPASSWD is required
article "Scalable and Understandable Provisioning..." which says:
"running sudo may require typing a password, which is a sure way of blocking Ansible forever. A simple fix is to run visudo on the target host, and make sure that the user Ansible will use to login does not have to type a password"
article "Basic Ansible Playbooks", which says
"Ansible could log into the target server as root and avoid the need for sudo, or let the ansible user have sudo without a password, but the thought of doing either makes my spleen threaten to leap up my gullet and block my windpipe, so I don’t"
My thoughts exactly, but then how to extend beyond a single server?
ansible issue #1227, "Ansible should ask for sudo password for all users in a playbook", which was closed a year ago by mpdehaan with the comment "Haven't seen much demand for this, I think most people are sudoing from only one user account or using keys most of the time."
So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security.
On a server, install git
cd /
git init
git add .
git commit -a -m "Yes, this is server"
Then get /.git/ to point to a network drive (SAN, NFS, Samba whatever) or different disk. Use a cron job every hour/day etc. to update the changes. The .git directory would contain a versioned copy of all the server files (excluding the useless/complicated ones like /proc, /dev etc.)
For a non-important development server where I don't want the hassle/cost of setting it up on a proper backup system, and where backups would only be for convenience (I.E. we don't need to backup this server but it would save some time if things went wrong), could this be a valid backup solution or will it just fall over in a big pile of poop?
When I try to exit from my Linux server I get the message:
There are stopped jobs.
: Is there a single command to kill these?
On the Windows platform, what native options to I have to check if a port (3306, for example) on my local machine (as in localhost), is being blocked?