Ansible Controllers / Workers

Basic Requirements

The requirements for running / creating an ansible controller for a set of hosts is as follows -

  1. controller
    • has ansible
    • create ssh key as the ansible user
      • ssh-copy-id <worker>
      • should be able to ssh with no password - ssh <workstation> as ansible user
        • If the above does not work, create /home/USER/.ssh/config and add IdentityFile /path/to/Private.key, this will pass the key automatically when connecting as USER.
        • Ensure the host you are connecting to has the connecting key within the ~/.ssh/authorized_keys file.
        • restart sshd.service - sudo systemctl restart sshd.service
  2. worker
    • has ansible
    • has a known password, but can sudo without one.
      • <user> ALL=(ALL:ALL) NOPASSWD:ALL within sudoers

Creating Ansible Controller

This section will configure a new user to be our Ansible controller -

  1. controller
    • has ansible
    • create ssh key as the ansible user
      • ssh-copy-id <worker>
      • should be able to ssh with no password - ssh <workstation> as ansible user
        • If the above does not work, create /home/USER/.ssh/config and add IdentityFile /path/to/Private.key, this will pass the key automatically when connecting as USER.
        • Ensure the host you are connecting to has the connecting key within the ~/.ssh/authorized_keys file.
        • restart sshd.service - sudo systemctl restart sshd.service

Creating Controller Ansible User

On the host we plan to use to control / run our plays, create a user that will act as our Ansible controller.

    # Create the user that ansible will authenticate with when running plays
    admin@wordpress:~$ sudo adduser username
    [sudo] password for admin: 
    ssh-rsa AAAeAB3NXyXeAAADAQABAAABXwxAQDXndHlHw2DxXMk1thdTsSJWoRxXXGl5jXXMGaRta1sdprzg/sXJAdding user `username' ...
    Port 22
    Adding new group `username' (1000) ...
    Adding new user `username' (1000) with group `username' ...
    Creating home directory `/home/username' ...
    Copying files from `/etc/skel' ...
    New password: 
    Retype new password: 
    passwd: password updated successfully
    Changing the user information for username
    Enter the new value, or press ENTER for the default
            Full Name []: 
            Room Number []: 
            Work Phone []: 
            Home Phone []: 
            Other []: 
    Is the information correct? [Y/n] y

Controller Sudo Configuration

Now that we created our user, we need to configure sudo, add user ALL=(ALL:ALL) ALL to the following file -

# Add or edit our custom sudoers config
admin@server:~$ sudo visudo -f /etc/sudoers.d/mySudoers

# Add our new user to sudo group
admin@server:~$ sudo vigr 
You have modified /etc/group.
You may need to modify /etc/gshadow for consistency.
Please use the command 'vigr -s' to do so.
admin@server:~$ sudo vigr -s
You have modified /etc/gshadow.
You may need to modify /etc/group for consistency.
Please use the command 'vigr' to do so.

Secure the new user's User / Group ID's -

# Specify a custom user and group ID
admin@server:~$ sudo usermod -u 61182 username
admin@server:~$ 
admin@server:~$ sudo groupmod -g 61181 username

# Change file permissions created when we added the user
# Just updating user files to reflect new IDs. Errors are ok
admin@server:~$ sudo find / -group 1000 -exec chgrp -h username {} \;
find: ‘/proc/18580/task/18580/fd/6’: No such file or directory
find: ‘/proc/18580/task/18580/fdinfo/6’: No such file or directory
find: ‘/proc/18580/fd/5’: No such file or directory
find: ‘/proc/18580/fdinfo/5’: No such file or directory
admin@server:~$ sudo find / -user 1000 -exec chown -h username {} \;
find: ‘/proc/18611/task/18611/fd/6’: No such file or directory
find: ‘/proc/18611/task/18611/fdinfo/6’: No such file or directory
find: ‘/proc/18611/fd/5’: No such file or directory
find: ‘/proc/18611/fdinfo/5’: No such file or directory

That's it! Further customization will take place in defining hosts in the Ansible inventory, creating playbooks, and defining / applying roles. Now just install Ansible with sudo apt install ansible and spin up some workers to run plays on.

Creating Ansible Workers

Below, we configure a user to authenticate with on the remote host we want to admin, known as our Ansible worker -

  1. worker
    • has ansible
    • has a known password, but can sudo without one.
      • <user> ALL=(ALL:ALL) NOPASSWD:ALL within sudoers

To create an Ansible worker, you'll need a user with a known password that can sudo without one. Also, we will need to install our publickey from the controller we created above into this users ~/.ssh/authorized_keys file so Ansible can ssh and sudo on this worker with only a private key.

Creating Worker Ansible User

To speed this up, I used a script I wrote to create a user with a custom userID, and configure sudo.

root@monitor:~# sudo ./adduser.sh ansible
Illegal number of parameters.
Usage: sudo ./adduser.sh <username> <groupid>

Available groupd IDs:
60001......61183 	Unused | 65520...............65533  Unused
65536.....524287 	Unused | 1879048191.....2147483647  Unused

root@host:~# sudo ./adduser.sh ansible 524280

Adding user `ansible' ...
Adding new group `ansible' (524280) ...
Adding new user `ansible' (524280) with group `ansible' ...
Creating home directory `/home/ansible' ...
Copying files from `/etc/skel' ...

Enter 1 if ansible should have sudo privileges. Any other value will continue and make no changes
1

Configuring sudo for ansible...

Enter 1 to set a password for ansible, any other value will exit with no password set
1

Changing password for ansible...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
root@host:~# sudo -iu ansible
ansible@host:~$ sudo visudo -f /etc/sudoers.d/mySudoers

Configure Sudo for Ansible Worker

Now, we need to configure the Sudoers file to allow our user to sudo without the password, even though we did configure a password during user setup.

ansible@host:~$ sudo visudo -f /etc/sudoers.d/mySudoers

Assuming your username is ansible, add the following line to this file. -

ansible ALL=(ALL:ALL) NOPASSWD:ALL

Now the ansible user can sudo with no prompt for password. Now we just need to add our SSH key to the .ssh/authorized_keys file within the new ansible user's home directory.

# Login as the user, and add the publickey ansible will pass for authentication.
admin@server:~$ sudo -iu username
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

username@server:~$ mkdir .ssh
username@server:~$ sudo vim .ssh/authorized_keys

# Verify sshd_config, and restart sshd.service
username@server:~$ sudo vim /etc/ssh/sshd_config 
username@server:~$ sudo systemctl restart sshd.service 

Once you have added your key to the authorized_keys file, determine if you have or plan to have any custom PAM configurations on your host, and if so - add the following module to bypass any future changes.

Adding Listfile Module (PAM)

# Change PAM authentication to allow our user to bypass other modules
admin@server:~$ sudo vim /etc/pam.d/sshd 
# Add our user to the pam_userlist.so configured in the changes made above
admin@server:~$ sudo vim /etc/authusers

In /etc/pam.d/sshd, we can add the following line to allow for a list of users past any other modules configured on the server. Be sure to add this line at the top of our configuration file, so it is handled before any other module.

auth sufficient pam_listfile.so item=user sense=allow file=/etc/authusers

In the /etc/authusers file, we simply list users that can bypass further PAM configurations -

user
otheruser
thirduser

That's it! Now just sudo apt install ansible and ssh to your Ansible controller to test out the configuration.B

Testing Ansible Worker

From this point, the user is fully configured to bypass all security settings only if the ansible controller is attempting to connect, allowing full sudo access. To test this, run the following command and look for similar output -

admin@host-controller:~$ ansible -m ping 159.203.190.63
The authenticity of host '159.203.190.63 (159.203.190.63)' can't be established.
ECDSA key fingerprint is SHA256:jDxFV7KA00wNIdpG40ppvW2RobNXyPeItdi4jL3h78s.
Are you sure you want to continue connecting (yes/no)? yes
worker.domain.com | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}

This test says that the host was not changed ("changed": false), and the server accepted our connection ("ping":"pong")