Comments on Setup New User and SSH Key Auth. using Ansible on Ubuntu 18.04

Ansible is a simple automation tool that automates software application deployment, cloud provisioning, and configuration management. It is a server orchestration tool that lets you manage and control a large number of server nodes from a single place, called the 'Control Machine'. In this tutorial, we will learn how to deploy a new user and enable SSH key-based authentication using the automation tool Ansible.


Comments

By: Pete

In the real world, where we have constant attackers, it is best to avoid simple accounts. Always use a random account for Ansible management on every host and let Ansible deal with it. Adding 5+ numbers to the end of the username is usually sufficient.

By: Ashish

The playbook is not working for me; it is giving this error:

ERROR! Syntax Error while loading YAML.

  expected <block end>, but found '<block mapping start>'

The error appears to have been in '/home/provision/ansible01/deploy-ssh.yml': line 5, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

     - provision_password: '6$FmwtHyEr$kvOwf4JhHJgvFvxbfFUJBwGtKmQOvbWvQldWc74t4QdKQdbv.U4ymseGWL5oaW5LlKNmOhwQHDiMufyqMWm6V1'
  gather_facts: no
  ^ here

By: till

It seems as if you did not keep the exact indentation when writing the file. In .yml files, the white space and the number of white spaces in front of the lines matter.

By: akash

Thanks for the given information.

But I have to copy one file from one server to another server without being asked for a password, and we will use root access.

It means I have to copy the id_rsa.pub key into the authorized_keys file on the other servers.

How can I do that?

By: Helpful Chap

Here's the valid YAML as a paste on pastebin.

https://pastebin.com/raw/ntaeudav

HTH

By: Helpful Guy

Actually, the problem is that if you look carefully at the ansible.cfg above, it looks like the box below. Notice there is one space before the word 'inventory'? Remove the space and save. Finished.

[defaults]
 inventory = /home/provision/ansible01/inventory.ini

By: William Wallace

I get this error:

cannot lock /etc/passwd; try again later.\n"

By: till

Either you did not run the command as root user or you have the passwd file opened in another program at the same time.

By: William Wallace

Also, on the remote machines the user provision is not added to /etc/sudoers; it's added to /etc/sudoers.d/provision, which does not work when using sudo as "provision":

$ sudo su - provision 
$ sudo apt-get install

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for provision: 
Sorry, try again.
[sudo] password for provision: 
Sorry, try again.
[sudo] password for provision: 
sudo: 3 incorrect password attempts

Let me know. Thank you.

By: William Wallace

No, I didn't. I did it exactly as in your instructions, and that is the control machine where it failed. This is the command:

provision@debian:~/ansible01$ ansible-playbook deploy-ssh.yml --ask-pass
SSH password: 

PLAY [all] *********************************************************************

TASK [Add a new user named provision] ******************************************
fatal: [debian]: FAILED! => {"changed": false, "failed": true, "msg": "usermod: Permission denied.\nusermod: cannot lock /etc/passwd; try again later.\n", "name": "provision", "rc": 1}

Thank you.

By: William Wallace

Also, as a suggestion, add to the requirements list to install the "sshpass" package on the control machine; otherwise the command will fail with: "password option requires package "sshpass" to be installed".

It just needs to be installed on the control machine.

Thank you.

By: Gaurav

To execute my playbook as the root user, does the control machine's public key have to be added to the authorized_keys file at /root/.ssh/authorized_keys?

By: Tom

This article should never have someone edit the sudoers file manually, especially in a how-to. Mistakes can be made that would break sudo completely and require intervention at the console level to fix, or, if you're in a cloud instance with no console, possibly force you to re-deploy a new server.

By: Vulture

How do I solve this problem?

TASK [Add a new user named provision] *****************************************************************************************************************************************************************************

fatal: [ans.test1]: FAILED! => {"changed": false, "msg": "useradd: Permission denied.\nuseradd: cannot lock /etc/passwd; try again later.\n", "name": "provision", "rc": 1}

fatal: [ans.test2]: FAILED! => {"changed": false, "msg": "useradd: Permission denied.\nuseradd: cannot lock /etc/passwd; try again later.\n", "name": "provision", "rc": 1}

 

By: khalid

Hi,

When I run this command: "echo  -e 'provision\tALL=(ALL)\tNOPASSWD:\tALL' > /etc/sudoers.d/provision"

I get this error  : bash: /etc/sudoers.d/provision: Permission non accordée
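Tom's point about hand-editing sudoers, and the "Permission denied" / "cannot lock /etc/passwd" / "Permission non accordée" errors reported in the comments above, come down to two things: the tasks must actually run with root privileges on the managed host, and any file that can lock you out (the sudoers drop-in, sshd_config) should be checked before it is written. The playbook below is an added example, not the article's playbook or any commenter's. It assumes a hypothetical non-root admin user `deployer` on the managed hosts who can sudo, a public key at files/provision.pub next to the playbook, and a placeholder password hash that you replace with the output of `mkpasswd --method=sha-512`. It also matches the commented-out `#PasswordAuthentication yes` line that Ubuntu ships, which the `^PasswordAuthentication` regexp in the thread's playbook would miss.

```yaml
---
# Added example; not the article's or any commenter's playbook.
# Assumptions (hypothetical): the control machine logs in as "deployer",
# an existing sudo-capable user; files/provision.pub holds the public key
# to deploy; provision_password_hash is replaced by a real SHA-512 crypt hash.
- hosts: all
  gather_facts: false
  remote_user: deployer        # not root: we escalate per task instead
  become: true                 # sudo for every task, so useradd can lock
                               # /etc/passwd; run with --ask-become-pass
  vars:
    # Placeholder: generate with `mkpasswd --method=sha-512` and paste the
    # full '$6$...' string here (or keep it in Ansible Vault).
    provision_password_hash: "REPLACE-WITH-SHA512-CRYPT-HASH"
    provision_pubkey: "{{ lookup('file', playbook_dir ~ '/files/provision.pub') }}"

  tasks:
    - name: Add a new user named provision
      user:
        name: provision
        password: "{{ provision_password_hash }}"
        shell: /bin/bash

    # visudo -cf checks the candidate file; if it is rejected the task
    # fails and /etc/sudoers.d/provision is left untouched, so a typo
    # cannot break sudo on the host.
    - name: Install sudoers drop-in for provision, validated by visudo
      copy:
        dest: /etc/sudoers.d/provision
        content: "provision ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"             # sudo refuses world-readable drop-ins
        validate: /usr/sbin/visudo -cf %s

    - name: Deploy SSH public key for provision
      authorized_key:
        user: provision
        key: "{{ provision_pubkey }}"
        state: present

    # sshd -t checks the edited config before it replaces the live one,
    # so a bad edit cannot leave the host without a working sshd.
    - name: Disable password authentication, validated by sshd -t
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PasswordAuthentication'
        line: PasswordAuthentication no
        state: present
        backup: true
        validate: /usr/sbin/sshd -t -f %s
      notify: restart ssh

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted
```

For the first run use `ansible-playbook deploy-ssh.yml --ask-pass --ask-become-pass`; `--ask-pass` needs sshpass on the control machine, as William Wallace notes above, and can be dropped once the key is in place. Because both `validate` commands run on the candidate file before it is moved into place, a rejected sudoers drop-in or sshd_config fails the task and leaves the existing file as it was, which is the behaviour a how-to should prefer over `echo > /etc/sudoers.d/...`.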

By: Todd Sanders

Beautiful and well written, thank you for sharing. One thing I would say: I did see some errors when I ran "ansible-playbook deploy-ssl.yml". This is what I came up with to resolve the issue (indentation errors, but it works beautifully).

 

---
- hosts: all
  vars:
    provision_password: '$6$oeSm0qmQt3EzEBUX$XUghv88HRGWNpYTNY6cWbbGGD2a8LPlyDFLoT6Rl1AkLM14R1p195kkjXwft/wwzYqw3L//Kr0XUPiUMpz9ef1'
  gather_facts: no
  remote_user: root

  tasks:
    - name: Add a new user named provision
      user:
        name: provision
        password: "{{ provision_password }}"

    - name: Add provision user to the sudoers
      copy:
        dest: "/etc/sudoers.d/provision"
        content: "provision ALL=(ALL) NOPASSWD: ALL"

    - name: Deploy SSH Key
      authorized_key:
        user: provision
        key: "{{ lookup('file', '/home/provision/.ssh/id_rsa.pub') }}"
        state: present

    - name: Disable Password Authentication
      lineinfile:
        dest: /etc/ssh/sshd_config   # the posted version repeated this line; one copy removed
        regexp: '^PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        backup: yes
      notify:
        - restart ssh

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted

By: Todd Sanders

One thing I noticed: I added the items that were supposed to go into ansible.cfg and placed them into inventory.ini.

The script still ran with no issues (so I have not created ansible.cfg; this was an oversight on my part, but it still worked).

---
- hosts: all
  vars:
    provision_password: '$6$oeSm0qmQt3EzEBUX$XUghv88HRGWNpYTNY6cWbbGGD2a8LPlyDFLoT6Rl1AkLM14R1p195kkjXwft/wwzYqw3L//Kr0XUPiUMpz9ef1'
  gather_facts: no
  remote_user: root

  tasks:
    - name: Add a new user named provision
      user:
        name: provision
        password: "{{ provision_password }}"

    - name: Add provision user to the sudoers
      copy:
        dest: "/etc/sudoers.d/provision"
        content: "provision ALL=(ALL) NOPASSWD: ALL"

    - name: Deploy SSH Key
      authorized_key:
        user: provision
        key: "{{ lookup('file', '/home/provision/.ssh/id_rsa.pub') }}"
        state: present

    - name: Disable Password Authentication
      lineinfile:
        dest: /etc/ssh/sshd_config   # the posted version repeated this line; one copy removed
        regexp: '^PasswordAuthentication'
        line: "PasswordAuthentication no"
        state: present
        backup: yes
      notify:
        - restart ssh

  handlers:
    - name: restart ssh
      service:
        name: ssh
        state: restarted