How can I make Ansible use the SSH signed client certificate for connections?

Jeroen Jacobs asked:

I have implemented SSH CA client signing on my servers. Sshd is configured on my servers with the following directive:

TrustedUserCAKeys /etc/ssh/trusted-users-ca.pem

I modified my local ssh config file so my cert is sent as well, when I connect to my servers:

Host *.internal.headincloud.be
        User centos
        IdentityFile ~/.ssh/datacenter-hic-deploy
        CertificateFile = ~/.ssh/datacenter-hic-deploy-cert.pub

This seems to work just fine, and I’m able to connect to my server without the need to deploy an authorized_keys file.

However, Ansible is unable to connect my servers:

TASK [Gathering Facts] *********************************************************************************************************************************************************************
fatal: [postgres-01]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"192.168.90.40\". Make sure this host can be reached over ssh", "unreachable": true}

Like I already mentioned, I’m able to connect via ssh just fine.

I suspect Ansible is not sending the certificate file along, and that’s why I am unable to connect.

I tried modifying my ansible.cfg as follows:

ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -i ~/.ssh/datacenter-hic-deploy-cert.pub

or

ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -i /Users/jeroenjacobs/.ssh/datacenter-hic-deploy-cert.pub

Neither of those work.

I cannot find a way to tell Ansible how to do this. Anyone an idea?

My answer:


You can make Ansible use an arbitrary private key by setting the ansible_ssh_private_key_file variable. The best place to set this variable depends on which servers the key needs to be used with. If it’s every server, then you could do something like this:

$ cat group_vars/all/sshkey 
ansible_ssh_private_key_file: /Users/jeroenjacobs/.ssh/datacenter-hic-deploy

One other thing you should probably fix is the name mismatch between the private key and public key files. Many things that use ssh expect these files to have the same name, with only the public key having .pub appended. But your filenames differ. Consider renaming one or both of these files so that they match in this way.
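As an added example (not part of the question or the answer above): a small POSIX shell helper that checks the key layout OpenSSH relies on, flags the ssh_args mistake from the question, and writes the group_vars entry. The paths are the ones from the question; the function names and the script itself are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. OpenSSH offers the certificate found at
# "<IdentityFile>-cert.pub" beside the private key it was given, so Ansible only needs
# ansible_ssh_private_key_file to point at the private key; the -i <cert> attempts in the
# question hand ssh a certificate where it expects a private key.

# Certificate path OpenSSH derives from a private key path.
cert_path_for() {
    printf '%s-cert.pub\n' "$1"
}

# Verify the private key and its certificate are in place with matching names.
# Exit status: 0 ok, 1 private key missing, 2 certificate not where ssh looks for it.
check_cert_pair() {
    key="$1"
    cert=$(cert_path_for "$key")
    [ -f "$key" ] || { echo "private key not found: $key" >&2; return 1; }
    [ -f "$cert" ] || { echo "certificate not found where ssh expects it: $cert" >&2; return 2; }
    # ssh refuses private keys readable by group or others; warn so the failure is explained.
    case $(ls -l "$key" | cut -c5-10) in
        ------) ;;
        *) echo "warning: $key is readable by others" >&2 ;;
    esac
    return 0
}

# Return 0 if an ssh_args line in the given ansible.cfg passes a *-cert.pub file to -i
# (the mistake in the question), 1 otherwise.
cfg_passes_cert_to_i() {
    grep -Eq '^[[:space:]]*ssh_args[[:space:]]*=.*-i[[:space:]]+[^[:space:]]*-cert\.pub' "$1"
}

# Write group_vars/all/sshkey under the project directory so every host uses the key,
# as the answer suggests, and echo the resulting line.
write_group_vars() {
    dir="$1"; key="$2"
    mkdir -p "$dir/group_vars/all"
    printf 'ansible_ssh_private_key_file: %s\n' "$key" > "$dir/group_vars/all/sshkey"
    cat "$dir/group_vars/all/sshkey"
}

# Usage with the paths from the question (hypothetical project directory):
#   check_cert_pair /Users/jeroenjacobs/.ssh/datacenter-hic-deploy && \
#   write_group_vars ./ansible-project /Users/jeroenjacobs/.ssh/datacenter-hic-deploy
```

Because the certificate in the question is named datacenter-hic-deploy-cert.pub, renaming the private key to datacenter-hic-deploy is enough for check_cert_pair to pass and for ssh to send the certificate without any extra Ansible options.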


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.