Here is how I do it. I think this is what you want.
The way I did it is using an SSH keyring. In the ansible.cfg:

private_key_file = /etc/ansible/id_rsa_ansible

Next, share the public key out to all clients. Then on the ansible server I
created a shell script that invokes:

#!/bin/env bash
ssh-agent /usr/bin/sshinit.opt

In my opt file I have a simple if clause:

if [ -s "/etc/ansible/id_rsa_ansible" ]; then
    /usr/bin/ssh-add /etc/ansible/id_rsa_ansible
    echo "SSH KEY added and initialized"
    cd /etc/ansible && $SHELL
else
    echo "id_rsa_ansible was not found, zero size."
fi

So on my ansible control node (server) I run sshinit. It prompts me for the
private key password I created. Now I can log in or run any ansible command
or playbook with no password prompts, once your public key is in each
client's .ssh/authorized_keys file.

If I want to schedule a cronjob that runs a playbook on a bunch of clients,
you have to export the environment variable SSH_AUTH_SOCK in your cronjob
playbook script.

env |grep -i ssh
SSH_CONNECTION=10.50.10.22 51630 10.50.3.71 22
SSH_AUTH_SOCK=/tmp/ssh-FwQS5lko0os0/agent.9366
SSH_AGENT_PID=9367
SSH_CLIENT=10.50.10.22 51630 22
SSH_TTY=/dev/pts/0

On Friday, December 15, 2023 at 3:44:34 AM UTC-5 Stuart Lowe wrote:
> Use an SSH key then no password is needed.
>
> Or create a separate vars file P_vars or something
> and have p_ansible_ssh_pass=yourpassword
> encrypt that file with ansible vault
>
> then reference that in your all:vars
>
> ansible_ssh_pass={{ p_ansible_ssh_pass }}
>
> You can then see the file and non-secure vars without having to un-encrypt
> the vault, but can see that a password stored in vault is used and what its
> name is.
>
> You then have the problem that the ansible vault password is needed every time
> you run your playbook / ad hoc commands, but you can include a reference to
> that in your .ansible.cfg and have it reference somewhere on your machine
> that isn’t included in your source control and protected to only be read
> by your user.
>
>
>
> *From:* [email protected] <[email protected]> *On
> Behalf Of *Todd Lewis
> *Sent:* Thursday, December 14, 2023 11:32 PM
> *To:* Ansible Project <[email protected]>
> *Subject:* [ansible-project] Re: how to encrypt ssh_pass password without
> asking any more password
>
> According to the conversation at
> https://forum.ansible.com/t/ansible-inventory-as-json-and-inline-vaulted-data-does-not-work-works-with-yaml-inventory/2909
>
> true .yaml inventories permit vaulted values, so that should work for your
> requirements.
>
> You'll need to convert your inventory from .ini format to .yml, and vault
> your password with "ansible-vault encrypt_string…",
>
>
>
> On Thursday, December 14, 2023 at 2:41:41 AM UTC-5 Sameer Modak wrote:
>
> Hello Team,
>
> How to encrypt ssh_pass password without asking any more password. I don't
> want to type the password every time I run the ad hoc command like
>
> ansible -i hosts.yaml -m shell -a "ulimit -a". I don't want to put the
> password every time, I just want to hide or obscure or salt the below
> password.
>
> hosts.yaml has below all:vars
>
> [all:vars]
> ansible_ssh_common_args='-o StrictHostKeyChecking=no'
> ansible_connection=ssh
> ansible_port=22
> ansible_user=sam
> ansible_ssh_pass=abc@123
>
> Now I want to hide the ansible_ssh_pass variable or encrypt/salt this value,
> that's it.
>
> How do I do that? I'm OK even if I store that in plaintext and reference
> here.
>
> I'm fine even if it's base64, it just should not be in plain in hosts.yaml.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/b4abdd48-0506-492c-9930-d7c2d2b86402n%40googlegroups.com
> ---------------
>
> *Stuart Lowe* He/Him
> Senior Cloud Support Engineer
> *Zen Internet*
> Team: 01706 902009
> www.zen.co.uk
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/94c32fde-7589-4a66-a28c-c8fd310db17en%40googlegroups.com.
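
The cron case from the top reply, as an added example that is not part of the thread or any poster's own script: a wrapper that points a cron job at the already-unlocked agent and refuses a stale or foreign socket. It assumes the interactive sshinit shell saved its agent variables to a hypothetical file `~/.ansible-agent.env`; that file, the script path and the playbook name are all constructed.

```shell
#!/bin/sh
# Added example: cron wrapper that reuses the agent started by an interactive sshinit run.
# Assumption (not from the thread): inside the sshinit shell the operator saved the
# agent socket once, e.g.
#   umask 077; env | grep '^SSH_AUTH_SOCK=' > "$HOME/.ansible-agent.env"
AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ansible-agent.env}"

# Print the socket path recorded in the env file; fail if none is recorded.
read_auth_sock() {
    [ -f "$1" ] || return 1
    recorded=$(sed -n 's/^SSH_AUTH_SOCK=//p' "$1" | head -n 1)
    [ -n "$recorded" ] && printf '%s\n' "$recorded"
}

# Accept the env file only if we own it and group/other have no access.
env_file_is_private() {
    [ -f "$1" ] && [ -O "$1" ] || return 1
    case "$(ls -ld "$1")" in
        -r[w-]-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Export SSH_AUTH_SOCK for this job, refusing stale or foreign sockets.
use_saved_agent() {
    env_file_is_private "$AGENT_ENV_FILE" || { echo "env file missing or not private" >&2; return 2; }
    sock=$(read_auth_sock "$AGENT_ENV_FILE") || { echo "no SSH_AUTH_SOCK recorded" >&2; return 3; }
    [ -S "$sock" ] && [ -O "$sock" ] || { echo "agent socket gone, rerun sshinit" >&2; return 4; }
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
}

run_playbook() {
    use_saved_agent || return $?
    # ssh-add -l exits non-zero when the agent is unreachable or holds no key.
    ssh-add -l >/dev/null 2>&1 || { echo "agent has no usable key" >&2; return 5; }
    cd /etc/ansible && ansible-playbook "$@"
}

# Crontab entry (constructed): 0 2 * * * /usr/local/bin/ansible-cron.sh site.yml
if [ "$#" -gt 0 ]; then
    run_playbook "$@"
fi
```

The distinct return codes let the cron mail or log show whether the job failed because the agent was never started, was restarted under a new socket, or holds no key after a reboot.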