diff --git a/tech_docs/automation/ansible/ansible_getting_started.md b/tech_docs/automation/ansible/ansible_getting_started.md new file mode 100644 index 0000000..e96e5cd --- /dev/null +++ b/tech_docs/automation/ansible/ansible_getting_started.md @@ -0,0 +1,67 @@ +Certainly! Managing SSH keys efficiently is crucial for automating your operations securely. Here’s a detailed guide on how to prepare, distribute, and manage SSH keys for use with Ansible. + +### Preparing SSH Keys + +1. **Generate SSH Keys**: On your management node (the server or computer where you’re running Ansible), you’ll want to create an SSH key pair for the `ansible` user. If this user doesn’t already have an SSH key, you can generate one as follows: + + ```bash + sudo -u ansible ssh-keygen -t rsa -b 4096 -N '' -f /home/ansible/.ssh/id_rsa + ``` + + This command generates a new RSA key pair under the `ansible` user's home directory. The `-N ''` option specifies an empty passphrase for the key, which is typical for automated scripts but should be handled carefully considering security implications. + +### Distributing SSH Keys + +To use SSH keys for Ansible, you need to copy the public key to all the devices you want to manage. Here’s how to automate the distribution: + +2. **Copy SSH Public Key**: You can manually copy the SSH public key to each device, or use a script to automate this process. If you prefer the manual method for a few machines, use `ssh-copy-id`: + + ```bash + sudo -u ansible ssh-copy-id ansible@ + ``` + + If you need to automate this for multiple devices, you can write a simple bash script: + + ```bash + #!/bin/bash + DEVICE_LIST="device1_ip device2_ip device3_ip" # Add all device IPs or hostnames + + for DEVICE in $DEVICE_LIST; do + sudo -u ansible ssh-copy-id -i /home/ansible/.ssh/id_rsa.pub ansible@$DEVICE + done + ``` + + Run this script on your management node. It will handle the key copying process for each device listed. + +### Managing SSH Keys + +3. **SSH Key Management Best Practices**: + - **Rotate Keys Regularly**: Regularly updating SSH keys is a best practice for maintaining secure access. + - **Use Strong Passphrases for Personal Keys**: While automation keys are typically passphrase-less, personal keys should use strong passphrases. + - **Central Management**: Consider using tools like HashiCorp Vault, Ansible Tower, or even a custom solution for managing keys across your infrastructure. + - **Monitor and Audit**: Regularly check and audit where keys are deployed. Use tools that can provide visibility into authentication and access patterns. + +### Troubleshooting Common SSH Issues + +4. **Permissions Are Crucial**: Ensure the `.ssh` directory and its contents on both the client and server have the correct permissions: + - Directories: `700` (drwx------) + - Public keys: `644` (-rw-r--r--) + - Private keys: `600` (-rw-------) + + You can set these permissions with: + ```bash + chmod 700 /home/ansible/.ssh + chmod 644 /home/ansible/.ssh/id_rsa.pub + chmod 600 /home/ansible/.ssh/id_rsa + ``` + +5. **Configure SSH Client**: If you need to automate SSH login checks or troubleshoot connections, consider modifying the SSH client configuration in `/home/ansible/.ssh/config`: + ```bash + Host * + StrictHostKeyChecking no + UserKnownHostsFile /dev/null + ``` + + **Note:** Disabling `StrictHostKeyChecking` and redirecting `UserKnownHostsFile` to `/dev/null` are not recommended for production environments due to security risks. Use these for testing or in a trusted network environment. + +By following these steps, you should have a robust setup for managing SSH keys across your fleet of Debian devices, enabling secure and efficient automation with Ansible. Let me know if you need more details on any of these steps or further help!