As said, the authorized_key module is a good approach. I wouldn't use a vault because they're public keys, which are, well, public. And from what you tell us, you should probably use the 'exclusive' parameter. And finally use '--check' to only get a report on what hosts have their authorized_keys2 file changed. BTW the default file is authorized_keys, so you'd have to configure a custom 'path' parameter as well.
Note that depending on your sshd configuration, people might have left authorized_keys2 intact and added an authorized_keys file. So I think you should also take that into account, but this probably requires some more logic.

Dick

On 6 September 2017 at 14:08, Cev Ing <[email protected]> wrote:
> On Wednesday, 6 September 2017 12:43:21 UTC+2, Ask 21 wrote:
>> I didn't create a playbook yet because I don't know which way/module will
>> be best - is there any option like using a "negotiate" lineinfile operation
>> or maybe using shell/fetch and doing a diff with a template authorized_keys2
>> file?
>
> I have a vault file containing all ssh keys and then I use the
> authorized_key module to manage the keys.
>
> http://docs.ansible.com/ansible/latest/authorized_key_module.html
>
> But you can also use the copy module to make sure that the remote file has
> the required content.

--
Dick Visser
GÉANT
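The approach discussed in this thread, written out as a playbook. This is an added example, not part of the original messages; the account name `deploy`, the home directory layout and the key file `files/deploy_keys.pub` are assumptions.

```yaml
# audit_authorized_keys.yml (added example; names below are assumptions)
# Report only, changes nothing on the hosts:
#   ansible-playbook audit_authorized_keys.yml --check --diff
- hosts: all
  become: yes
  vars:
    managed_user: deploy                       # hypothetical account name
    ssh_dir: "/home/{{ managed_user }}/.ssh"   # assumed home directory layout
    # Hypothetical local file with one public key per line. With 'exclusive',
    # all keys must be passed in a single string; looping over keys would
    # make every iteration remove the keys added by the previous one.
    expected_keys: "{{ lookup('file', 'files/deploy_keys.pub') }}"

  tasks:
    - name: authorized_keys2 holds exactly the expected public keys
      authorized_key:
        user: "{{ managed_user }}"
        key: "{{ expected_keys }}"
        path: "{{ ssh_dir }}/authorized_keys2"   # default would be authorized_keys
        exclusive: yes                           # any other key in the file counts as a change
        state: present

    # Depending on the sshd configuration, a default authorized_keys file
    # beside authorized_keys2 may also be honoured, so flag hosts that have one.
    - name: Check for a default authorized_keys file
      stat:
        path: "{{ ssh_dir }}/authorized_keys"
      register: default_keys_file

    - name: Report hosts that also have authorized_keys
      debug:
        msg: "{{ inventory_hostname }} also has {{ ssh_dir }}/authorized_keys"
      when: default_keys_file.stat.exists
```

Hosts reported as "changed" by the first task in check mode are the ones whose authorized_keys2 differs from the expected key set; running without `--check` would rewrite the file.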
