I’m trying to get Ansible to manage some parts of our VyOS routers that are common across the datacenters, for example a set of SSH keys. I’m not finding a good way to manage SSH keys on VyOS with Ansible. For the rest of our systems, primarily Ubuntu and Debian, there are various ways of managing SSH keys with Ansible. For example, we can use the authorized_keys module or, what could be even simpler, use the copy module to push out a file with all the various keys in it.
Unfortunately, neither method will work in VyOS because everything is done via the CLI. I can push SSH keys by using the vyos_config module, but this has a few disadvantages:
- new keys have to be added to two separate files.
- whoever adds keys needs to be familiar with the vyos cli since you’re basically putting in set commands for each key.
My task for adding keys goes something like this.
```yaml
- name: adding ssh keys to vyos
  vyos.vyos.vyos_config:
    lines:
      - set system login user vyos authentication public-keys root@ansible type ssh-rsa
      - set system login user vyos authentication public-keys root@ansible key <key material removed>
```
If I want to add multiple keys I need to duplicate the two set statements above and change the name and key content to match. If I could loop the set commands with vars that might work better, but I can’t even seem to do that.
In my mind the ideal solution would be to have a parameter in the ssh service definition to set sshd to check a second file that’s not managed by the CLI for additional keys. Then I could use Ansible to create that file and update it as necessary.
To use the file you would need to set something like the following; if this param is not set, the file is not checked.
```
set service ssh authorized_key_file /home/vyos/.ssh/authorized_keys2
```
Any thoughts? Am I missing something obvious?
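One way to loop the two set commands over a list of keys, as an added example that is not part of the original post: the key list (`vyos_ssh_keys`, a constructed sample that would normally live in group_vars) drives a single vyos_config task, so whoever adds a key only edits the data and never writes set commands.

```yaml
# Added example (not from the original post). Assumes the vyos.vyos collection
# is installed and the play targets the routers with network_cli / vyos.vyos.vyos.
- name: Manage authorized public keys for the vyos user
  hosts: vyos_routers
  gather_facts: false
  vars:
    # Constructed sample data; in practice keep this in group_vars so it is
    # shared across datacenters. "key" is only the base64 body, without the
    # "ssh-ed25519 ..." prefix or the trailing comment.
    vyos_ssh_keys:
      - name: root@ansible
        type: ssh-ed25519
        key: "AAAAC3NzaC1lZDI1NTE5AAAAI-PLACEHOLDER-KEY-1"
      - name: alice@workstation
        type: ssh-rsa
        key: "AAAAB3NzaC1yc2EAAAADAQAB-PLACEHOLDER-KEY-2"
  tasks:
    - name: Add each public key (type and key material) for user vyos
      vyos.vyos.vyos_config:
        lines:
          - "set system login user vyos authentication public-keys {{ item.name }} type {{ item.type }}"
          - "set system login user vyos authentication public-keys {{ item.name }} key {{ item.key }}"
        # Persist the running config so the keys survive a reboot.
        save: true
      loop: "{{ vyos_ssh_keys }}"
      loop_control:
        # Show only the key name in task output, not the full key material.
        label: "{{ item.name }}"
```

vyos_config compares each set line against the running configuration, so re-running the play with an unchanged list reports no change; each loop iteration is its own commit, which is fine for a handful of keys.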