ansible / ansible-runner

A tool and python library that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. The goal is to provide a stable and consistent interface abstraction to Ansible.

Allow providing multiple ssh keys #51

Open matburt opened 6 years ago

matburt commented 6 years ago

Currently runner assumes a single private key is provided through the module interface and via env/ssh_key. We should support multiples since behind the scenes we are using ssh-agent.

cdvv7788 commented 6 years ago

What should be the interface if I want to add several keys? Do you have something in mind?

matburt commented 6 years ago

I have two thoughts on this:

a) Have a directory that contains a single key per file OR b) Support multiple private key stanzas in a single file.

The latter would be easier to deal with when doing something like... creating named pipes (which we support reading from)... it also fits the .ssh directory semantics better; the former may be easier from a client management perspective.

bbaassssiiee commented 5 years ago

There is a var for this that can be set in ansible.cfg, inventory, group_vars, host_vars: ansible_ssh_private_key_file

cdvv7788 commented 5 years ago

@matburt any new ideas about this? This should be quite easy to add (just adding new ssh-add commands at https://github.com/ansible/ansible-runner/blob/master/ansible_runner/runner_config.py#L503), but we need to get a clear interface. Maybe we could have env/ssh_key be a file or a folder, and if it is a folder we assume that the contents are all keys that must be added? I think that this could be cleaner than several keys in a single file, in the case that some issue needs to be tracked down.

matburt commented 5 years ago

I'm good with the file vs folder distinction. The other bit is changing the module interface to be able to accept a list rather than just a big string and then maintaining backwards compatibility for it.

cdvv7788 commented 5 years ago

@matburt please check the PR I opened. I refactored the code a little to support both cases (obviously it changes the class structure a little) and it seems to work. Please give me some feedback, and let me know if this is the right path to follow.

jkohen commented 4 years ago

Just as an FYI, when designing a solution for this issue, please consider that in order to support SSH certificates, Ansible-runner will need to take pairs of files: https://github.com/ansible/ansible-runner/issues/488

AlanCoding commented 2 years ago

@john-westcott-iv has started some research into the options for managing multiple ssh keys. By that, I mean the tradeoffs of mapping groups/hosts to specific SSH keys versus letting it try multiple keys for every host.

We also had a really good idea from @shanemcd to put the ssh-agent and ssh-add commands into a separate script to make this feel more manageable. That could be done separately from this to pave some groundwork.
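As an added illustration of the file-vs-folder interface proposed above (cdvv7788's comment) and of how certificate pairs (jkohen's note on #488) fit that layout, the following example resolves an `env/ssh_key` path into the private keys that would be handed to `ssh-add`. This is example code written for this thread, not ansible-runner's own code; the function names, the `build_sample_key_dir` helper and its dummy file contents are assumptions, and the directory layout it expects (one private key per file, `<key>.pub` and `<key>-cert.pub` beside it) is the one discussed here.

```python
"""Resolve env/ssh_key as either one private key file or a directory of keys.
Example code for this issue thread, not ansible-runner's implementation."""
import os
import stat
import tempfile


def _check_private_key(path):
    """Accept a regular file or a named pipe (the thread mentions reading
    keys from FIFOs); reject regular files ssh-add would refuse as too open."""
    st = os.stat(path)
    if stat.S_ISFIFO(st.st_mode):
        return path
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path}: not a regular file or named pipe")
    if st.st_mode & 0o077:  # group/world-readable private keys are rejected by ssh
        raise ValueError(f"{path}: permissions too open ({oct(st.st_mode & 0o777)})")
    return path


def resolve_ssh_keys(ssh_key_path):
    """Return the private key paths to load into ssh-agent, in a stable order.
    A file is a single key. A directory holds one key per file; *.pub entries
    are skipped because ssh-add loads <key>-cert.pub next to a private key by
    itself, which is how a key/certificate pair fits this layout."""
    if not os.path.isdir(ssh_key_path):
        return [_check_private_key(ssh_key_path)]
    keys = []
    for name in sorted(os.listdir(ssh_key_path)):
        if name.startswith(".") or name.endswith(".pub"):
            continue
        keys.append(_check_private_key(os.path.join(ssh_key_path, name)))
    if not keys:
        raise ValueError(f"{ssh_key_path}: no private keys found")
    return keys


def ssh_add_commands(keys):
    """Build the ssh-add argv per key; returned rather than executed here."""
    return [["ssh-add", key] for key in keys]


def build_sample_key_dir():
    """Create a constructed key directory with placeholder contents (hypothetical
    names; the files are not real keys) so the example runs offline."""
    d = tempfile.mkdtemp(prefix="runner-keys-")
    for name, mode in (("id_ed25519", 0o600), ("id_ed25519.pub", 0o644),
                       ("id_ed25519-cert.pub", 0o644), ("deploy_rsa", 0o600)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("# placeholder, not a real key\n")
        os.chmod(p, mode)
    return d
```

Running `ssh_add_commands(resolve_ssh_keys(build_sample_key_dir()))` yields one `ssh-add` invocation for `deploy_rsa` and one for `id_ed25519`, with the certificate picked up alongside the latter.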