In Ansible, is it possible to define the authentication method per playbook?


I have been facing the same problem today. Two ideas may help you here:

1. You can ask for the password using vars_prompt in your playbook instead of --ask-pass.
2. Set the password using set_fact:

    - name: "set password for the play"
      set_fact: ansible_ssh_pass="{{ my_pass }}"

You could store the password in a file, or prompt for it, as in the example below. In my example, the sshd config that's being created will forbid password logins, but using Ansible defaults, you will be surprised that the second playbook will still be executed (!), even though I "forgot" to create an authorized_key. That's due to the fact that Ansible uses the ControlPersist option of ssh, and simply keeps the connection between single tasks open. You can turn that off in ansible.cfg.

Example Playbook:

- name: "MAKE BARE: Run preparatory steps on a newly acquired server"
  hosts: blankee

  # my_pass is filled in by vars_prompt; pathsts is expected from inventory/group vars
  vars_prompt:
    - name: "my_pass"
      prompt: "########## Enter PWD:\n "

  vars:
    my_pass2: foobar   # not used by the tasks below

  tasks:
    - name: "set password for the play"
      set_fact: ansible_ssh_pass="{{ my_pass }}"

    - name: "Create directory {{ pathsts }}/registry/ansible-init"
      file: name="{{ pathsts }}/registry/ansible-init" state=directory owner=root group=www-data mode=0770

    # this sshd_config forbids password logins
    - name: "copy sshd config file"
      copy:
        src:   'roles/newhost/files/sshd_config'
        dest:  '/etc/ssh/sshd_config'
        owner: 'root'
        group: 'root'
        mode:  '0644'

    - name: "Check syntax of sshd configuration"
      shell: sshd -t
      register: result
      changed_when: false
      failed_when: "result.rc != 0"

    - name: "Restart SSHD and enable Service to start at boot"
      service: name=sshd state=restarted enabled=yes
      changed_when: false

- name: "Second run: This should authenticate w/out password:"
  hosts: blankee

  tasks:
    # still runs, because the ControlPersist connection from the first play is reused
    - name: "Create directory {{ pathsts }}/registry/ansible-init22"
      file: name="{{ pathsts }}/registry/ansible-init22" state=directory owner=root group=www-data mode=0770
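Added example (not from the answer above, nor from Ansible's own documentation): one playbook file with two plays that meets the question's requirement of a single ansible-playbook run, password auth for the first play and key auth for the second. It scopes the prompted password with a play-level var instead of set_fact, so it does not carry over into the second play, and ends with a probe that checks the server really stopped offering password authentication. The inventory group newhosts, the user names and the key paths are assumptions.

```yaml
---
- name: "Play A: bootstrap over the initial password"
  hosts: newhosts                   # assumed inventory group
  remote_user: root                 # assumed initial account
  vars_prompt:
    - name: "bootstrap_pass"
      prompt: "Initial root password"
      private: yes
  vars:
    # Play-level var: the password applies to this play only and is not
    # carried into Play B the way a set_fact would be.
    ansible_ssh_pass: "{{ bootstrap_pass }}"
  tasks:
    - name: "Create the standard automation user"
      user: name=ansible shell=/bin/bash

    - name: "Install its public key (assumed path)"
      authorized_key:
        user: ansible
        key: "{{ lookup('file', 'files/ansible.pub') }}"

    - name: "Forbid password and root logins"
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}"
        line: "{{ item.key }} {{ item.value }}"
      with_items:
        - { key: PasswordAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
      notify: restart sshd
  handlers:
    - name: restart sshd
      service: name=sshd state=restarted

- name: "Play B: continue over key auth as the standard user"
  hosts: newhosts
  remote_user: ansible
  vars:
    ansible_ssh_private_key_file: files/ansible   # assumed path
  tasks:
    # Probe with a fresh ssh: with PreferredAuthentications=none the server's
    # "Permission denied (...)" reply lists its remaining methods. Host key assumed known.
    - name: "Verify password auth is no longer offered"
      local_action: >
        shell ssh -o BatchMode=yes -o PreferredAuthentications=none
        ansible@{{ inventory_hostname }} true 2>&1 || true
      register: probe
      changed_when: false
      failed_when: "'password' in probe.stdout"
```

Because the probe starts a new ssh process instead of reusing Ansible's multiplexed session, it is not fooled by the ControlPersist behaviour described above. To stop Ansible itself from reusing the session between plays, set ssh_args = -o ControlMaster=no under [ssh_connection] in ansible.cfg.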
Author: Informatician (updated on June 04, 2022)

Comments

  • Informatician, almost 2 years

    TL;DR: Is it possible to chain two playbooks with one ansible-playbook command where one playbook is password auth and the other playbook is key auth? (see last section for real-world purpose).

    Setup:

    I have two playbooks, the second of which includes the first.

    PlaybookA.yml

    ---
    - name: PlaybookA # requires password authentication
      hosts: sub.domain.ext
      remote_user: root
      roles:
        - { role: role1, sudo: yes }
    ...
    

    PlaybookB.yml

    ---
    - name: Run PlaybookA
      include: PlaybookA.yml
    
    - name: PlaybookB # requires ssh-key authentication
      hosts: sub.domain.ext
      remote_user: ansible
      roles:
        - { role: role2, sudo: yes }
    ...
    

    Requirements:

    1. Execute only one command.
    2. Use password auth for PlaybookA.
    3. Use ssh-key auth for PlaybookB.

    Question 1:

    Is it possible within Ansible (versions 1.9.4 or lower) to execute one ansible-playbook command that will successfully run PlaybookB using ssh-key authentication but when PlaybookB includes PlaybookA, run PlaybookA using password authentication?

    Question 2:

    If this is not possible with Ansible 1.9.4 or lower, is this possible with 2.0.0+?

    Notes of worth:

    1. Ansible provides --ask-pass (or -k) as a command line switch enabling password authentication.
    2. Ansible provides ask_pass as a variable but it seems as though it can only be set within ansible.cfg (I haven't been able to set this as a playbook variable to the desired effect).
    3. Attempting to set ask_pass as an instruction within a playbook results in the following: ERROR: ask_pass is not a legal parameter of an Ansible Play. If this parameter was legal, it would provide a way to instruct ansible on a per-playbook level, what authentication method to use.

    Purpose / Real World:

    I'm attempting to create a configuration management workflow with Ansible that will be simple enough that others at work will be able to learn / adapt to it (and hopefully the use of Ansible in general for CM and orchestration).

    For any new machine (VM or physical) that gets built, I intend for us to run two playbooks immediately. PlaybookA (as shown above) has the responsibility of logging in with the correct default user (typically depends upon the infrastructure [AWS, vSphere, none, etc.]). Once in, its very limited job is to:

    1. Create the standardized user for ansible to run as (and install its ssh-key).
    2. Remove any non-root users that may exist (artifacts of the vm infrastructure, etc).
    3. Disable root access.
    4. Disable password authentication (ssh-key only from this point on).

    Depending upon the vm infrastructure (or lack thereof), the default user or the default authentication method can be different. Toward the goal of adoption of Ansible, I'm attempting to keep things extremely simple for fellow co-workers, so I'd like to automate as much of this flow-control as possible.

    Once PlaybookA has locked down the VM and set up the standardized user, PlaybookB uses that standardized user to perform all other operations necessary to bring our VMs up to the necessary baseline of tools and utilities, etc.

    Any tips, hints, suggestions would be greatly appreciated.

  • EM0, almost 6 years
    This works great, but you might want to set ansible_become_pass as well if using sudo.