If I understand you correctly, you want to run the command as root so
that the file can be accessed on the local machine. Then you want to
use the credentials for an unprivileged user to login to the remote
machine. On the remote machine, you want to use sudo to switch to
either root or the user whose key you are saving.
All correct?
If so, you want something like this:
# ansible rhel6 -m authorized_key -a "user=testuser1
key=\"{{lookup('file', '/root/authorized_keys') }}\" manage_dir=yes
state=present" -u badger -k --sudo -K -U testuser1
SSH password:
sudo password [defaults to SSH password]:
rhel6 | success >> {
"changed": true,
[...]
}
Note that we're involving three accounts here:
1) Root on the local machine. You're somehow already authenticated to
root here.
2) The account that you are using to log into the remote machine. In
my example, this is badger, in yours it's urew. The username is
specified with "-u". In my example I used an SSH password and so I
used "-k". If you want to use an SSH key, you will need to have one
of the ssh private keys belonging to root in /root/.ssh/ on the local
machine and the public key matching that key in the remote machine's
/home/urew/.ssh/authorized_keys file.
2.5) The remote account that's allowed to use sudo. This is the same
account as the one that's allowed to login. So it's badger in my
example and urew in yours. I specify "-K" and --sudo so that ansible
knows that I want to use sudo and that I need to enter a sudo password
to use it.
3) The remote user that is writing the file (the one that we're
sudo'ing to). In my example I used '-U testuser1' to sudo to the
account whose key I was writing. You could also omit the '-U
testuser1' if your admins are allowed to sudo to root on the remote
machine once they have logged in via an unprivileged user.
Hope that long explanation is helpful in understanding the concepts as
well as the solution to your problem!
-Toshio
On Tue, Sep 30, 2014 at 2:16 PM, Eric Wedaa <[email protected]> wrote:
> I have a similar issue that we just ran into.
>
> We can't have root ssh to our clients.
>
> We need to copy a file from our master to our clients that is mode u+r / 0400
> and this means our admins can't read the file while they are "themselves".
>
> If we run the command as a non-privileged user, then they can't read the
> file.
>
> [urew@cfg ansible]$ ansible 10.10.5.63 -m authorized_key -a "user=urmm
> key=\"{{ lookup('file', '/home/urmm/.ssh/id_rsa.pub') }}\" manage_dir=yes
> state=present" -u urew --sudo
> sudo password:
> 10.10.5.63 | success >> {
> "changed": false,
> "key": "",
> "key_options": null,
> "keyfile": "/home/urmm/.ssh/authorized_keys",
> "manage_dir": true,
> "path": null,
> "state": "present",
> "unique": false,
> "user": "urmm"
> }
>
> [urew@cfg ansible]$
>
>
> If we run the command as root, then we can't authenticate to the clients.
>
> [root@cfg ansible]# ansible 10.10.5.63 -m authorized_key -a "user=urmm
> key=\"{{ lookup('file', '/home/urmm/.ssh/id_rsa.pub') }}\" manage_dir=yes
> state=present" -u urew
> sudo password:
> 10.10.5.63 | FAILED => FAILED: Authentication failed.
>
>
> What am I missing please? I've looked and I've looked but (obviously?) I'm
> looking for the wrong thing.
>
>>>>>>>>>Ericw
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/7a909c8f-8c1f-427b-a988-b88b6485f3b3%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/CAG9juErqpBXAtVbBjD-A4EDkcpS9XxjZ%3DPPsbXVX%2B4xZjQZyag%40mail.gmail.com.
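The three-account split Toshio walks through above, as an added shell wrapper that is not part of the thread and not Ansible's own code. It reads the public key on the controller as the local user (the `lookup('file', ...)` in the ad-hoc call runs there, never on the remote), refuses to proceed if that read would fail or if the file is a private key rather than a public one, so the run cannot quietly end with `"key": ""` as in Eric's first attempt, and then passes the SSH login user with `-u` and the remote account that owns the `authorized_keys` file as the become-user. It assumes a current Ansible, where `--become` and `--become-user` replaced the `--sudo` and `-U` flags shown in the thread; the function names, the `push_key.sh` file name, and the key material used in testing are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from Ansible or from either poster.
# Wraps the ad-hoc authorized_key call so that the controller-side read of
# the public key is checked before the lookup runs, and keeps the three
# accounts (local reader, SSH login user, remote become-user) explicit.
# Function names are this example's own; flags follow current Ansible, where
# --become / --become-user replaced the --sudo / -U of the thread.

# Succeed only if FILE is readable by the user running ansible on the
# controller and its first line is an OpenSSH public key. An unreadable
# file must fail loudly here rather than hand the module an empty key,
# and a private key must never be pushed into authorized_keys by mistake.
check_pubkey_file() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "error: $file is not readable by $(id -un) on the controller" >&2
        return 1
    fi
    first=$(head -n 1 "$file")
    case $first in
        -----BEGIN*)
            echo "error: $file looks like a private key; refusing to push it" >&2
            return 1 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*" "*|sk-*" "*)
            return 0 ;;
        *)
            echo "error: $file does not start with an OpenSSH public key type" >&2
            return 1 ;;
    esac
}

# Print the authorized_key module arguments: TARGET is the remote account
# whose ~/.ssh/authorized_keys is written, KEYFILE the path on the controller
# (read by the lookup as the local ansible user, not over SSH).
module_args() {
    target=$1
    keyfile=$2
    printf "user=%s key=\"{{ lookup('file', '%s') }}\" manage_dir=yes state=present\n" \
        "$target" "$keyfile"
}

# HOST = inventory pattern, LOGIN = SSH user (-u), TARGET = become-user and
# owner of the authorized_keys file, KEYFILE = public key on the controller.
# -k asks for LOGIN's SSH password and -K for LOGIN's sudo password, as in
# the thread; sudo on the remote host must allow LOGIN to become TARGET.
push_authorized_key() {
    host=$1
    login=$2
    target=$3
    keyfile=$4
    check_pubkey_file "$keyfile" || return 1
    ansible "$host" -m authorized_key -a "$(module_args "$target" "$keyfile")" \
        -u "$login" -k --become --become-user "$target" -K
}

# Usage (hypothetical file name):
#   sudo sh push_key.sh 10.10.5.63 urew urmm /home/urmm/.ssh/id_rsa.pub
if [ "$#" -eq 4 ]; then
    push_authorized_key "$@"
fi
```

Run it as whichever local account can actually read the key file (root, if the file is mode 0400 and owned by someone else); the SSH login and the sudo target on the remote side are chosen independently through the second and third arguments, which is the separation the thread is about.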