Objective:
Allow ansible@Control-Host to connect to ansible@Work-station without typing a password (using SSH keys).
Setup Requirements
- Two EC2 instances:
  - Control Host: this is where you'll download and install Ansible.
  - Work-station: this is the machine you want to manage.
We Begin...
Spin up two EC2 instances (virtual servers). This can be done with Terraform, Azure or AWS. Using AWS:
Log into the AWS portal and search for EC2 in the all-purpose search bar. Click EC2 in the displayed search results. In the Launch a virtual server window, click Launch instance.
In the Launch an instance page, make the following adjustments:
- Name and tags (Name): leave blank.
- Number of instances: 2.
- Application and OS Images (Amazon Machine Image): select Ubuntu.
- Instance type: leave the default t3.micro (Free tier eligible). In some other availability zones the default is t2.micro.
- Key pair (login): click Create new key pair if you don't have an existing one. Give the key pair a name and click Create a key pair. Keep the downloaded key pair file; it is needed later in this project.
- Network settings: take the defaults and click Launch instance. Click View all instances. Click the pencil icon to edit the names of the instances: the first should be Control host and the second Managed host (also called Remote host or Work station host).
NB: A VPC, subnet and firewall (security group) that allows SSH traffic from anywhere (0.0.0.0/0) will be created.
Copy the Managed host's Public IPv4 address.
- Connect to the created servers from a terminal. Git Bash or PowerShell can be used. Using PowerShell:
Open PowerShell, enter the following command and press Enter:
`ssh -i 'C:/Users/fresh/Downloads/musa_key.pem' ubuntu@16.171.135.131`
`'C:/Users/fresh/Downloads/musa_key.pem'` is the path of the key pair downloaded earlier, and `16.171.135.131` is the Public IP address of the Managed host.
When prompted `Are you sure you want to continue connecting (yes/no/[fingerprint])?`, type yes and press Enter. The Managed host is now connected to the terminal.
We do the same for the Control host in a separate terminal. Don't forget to change the Public IP address to that of the Control host. You should get the result below when successful.
Icing sugar!
I encountered challenges connecting with this command `ssh -i "C:/Users/fresh/Downloads/musa_key.pem20%(1)" ubuntu@16.171.135.131`. I had to rename the key pair path to `'C:/Users/fresh/Downloads/musa_key.pem'` in single quotation marks before it went through successfully.
3. Changing the servers' names from `ubuntu@` to Control host and Managed host.
Enter the command `sudo hostnamectl set-hostname control-host` in the Control host terminal and `sudo hostnamectl set-hostname managed-host` in the Managed host terminal. Enter the command `logout` and press Enter. Re-type and re-enter the command `ssh -i 'C:/Users/fresh/Downloads/musa_key.pem' ubuntu@16.171.135.131` again for the server name to change.
For the control-host:
4. Creating an ansible user
Run the command: `sudo useradd -m -s /bin/bash ansible`
5. Adding the user to the sudo group, which grants the user administrative privileges.
Run the command: `sudo usermod -aG sudo ansible`
6. Creating a password for the ansible user.
Run the command: `sudo passwd ansible`. Enter a password; note that it won't be shown as you type. Re-enter the password to confirm.
7. Switching to the ansible user on the Control Host
Run the command: `sudo su - ansible`
8. Do the same on the Managed Host.
9. Install Ansible only on the control host. Run the following commands:
sudo apt update && sudo apt upgrade -y
sudo apt install -y software-properties-common
sudo add-apt-repository --yes --update ppa:ansible/ansible
sudo apt install -y ansible
Wait for it to update and install Ansible. Then confirm the installation succeeded by running the command `ansible --version`.
Ansible has been successfully installed on the control host.
10. Generate an SSH Key Pair on the Control Host
Run the command `ssh-keygen -t rsa -b 4096` and press Enter at all the prompts.
Two files will be created by this command:
i) `~/.ssh/id_rsa` → your private key (keep safe!)
ii) `~/.ssh/id_rsa.pub` → your public key (this is what you'll copy to Work-station)
The key pair has been successfully created.
11. Creating the `.ssh` folder on the Managed Host. Run the following commands:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chown -R ansible:ansible ~/.ssh
| Command | Purpose |
| --- | --- |
| `mkdir -p ~/.ssh` | Creates the `.ssh` directory in the user's home folder. The `-p` ensures no error if it already exists. |
| `chmod 700 ~/.ssh` | Sets permissions on `.ssh` so only the owner can read, write, or execute. |
| `touch ~/.ssh/authorized_keys` | Creates the `authorized_keys` file if it doesn't already exist. |
| `chmod 600 ~/.ssh/authorized_keys` | Restricts `authorized_keys` so only the owner can read or write it (secures the SSH key file). |
| `chown -R ansible:ansible ~/.ssh` | Changes the ownership of `.ssh` and all its contents to user ansible and group ansible. |
12. Viewing the public key on the Control Host. Run the command `cat ~/.ssh/id_rsa.pub` and copy the whole key.
13. On the Managed Host, open the authorized_keys file with the command `vi ~/.ssh/authorized_keys`. Paste the copied key into it, then save and exit (Escape, `:wq`, Enter).
14. Re-run the following commands to double-check. If there are no error messages, everything is fine.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chown -R ansible:ansible ~/.ssh
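The steps above (create `~/.ssh`, fix its permissions, paste the key, then re-check) can be wrapped in a small script that is safe to re-run and that verifies the permissions sshd insists on before it will accept a key. This is an added example, not code from the original post: the home directory is passed in as a parameter so it can be exercised against a scratch directory, the `chown` only runs when executed as root with an owner name, `stat -c` is the GNU coreutils form used on Ubuntu, and the key strings in the usage are constructed samples.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): idempotent setup and verification
# of the ansible user's ~/.ssh on the managed host.
set -eu

# ensure_ssh_dir HOME_DIR [OWNER]
# Creates HOME_DIR/.ssh and authorized_keys with the modes sshd expects
# (700 on the directory, 600 on the file). Safe to run repeatedly.
ensure_ssh_dir() {
    local home="$1" owner="${2:-}"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # Only root can hand the files to another user; the post runs these
    # commands as the ansible user itself, so chown is optional here.
    if [ "$(id -u)" -eq 0 ] && [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$home/.ssh"
    fi
}

# check_ssh_perms HOME_DIR
# Returns 0 when the modes match what sshd's StrictModes requires, 1 otherwise.
# sshd silently ignores authorized_keys when these are too open, which is the
# usual reason a host keeps asking for a password after the key was copied.
check_ssh_perms() {
    local home="$1" dmode fmode
    dmode=$(stat -c '%a' "$home/.ssh") || return 1
    fmode=$(stat -c '%a' "$home/.ssh/authorized_keys") || return 1
    [ "$dmode" = "700" ] && [ "$fmode" = "600" ]
}

# add_authorized_key PUBKEY_LINE HOME_DIR
# Appends the public key only if that exact line is not already present, so
# pasting twice (or re-running the script) never leaves duplicate entries.
add_authorized_key() {
    local key="$1" home="$2"
    local file="$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# count_keys HOME_DIR
# Prints the number of non-empty lines in authorized_keys.
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Usage as the ansible user on the managed host (sample key is constructed):
#   ensure_ssh_dir "$HOME"
#   add_authorized_key "ssh-rsa AAAAB3NzaC1yc2EEXAMPLE ansible@control-host" "$HOME"
#   check_ssh_perms "$HOME" && echo "permissions ok"
```

To confirm that the key is really being used rather than a password fallback, run `ssh -o BatchMode=yes ansible@<managed-host ip> true` from the control host: with `BatchMode=yes` ssh refuses to prompt, so the command fails outright instead of silently asking for a password.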
15. Test passwordless login from the Control Host
Run the command: `ssh ansible@<managed-host private ip>`
We have accessed our managed host from the control host.
16. Creating an Ansible Inventory File
The Ansible inventory file is a core configuration file that tells Ansible which hosts (servers, devices, or VMs) to manage, and optionally how to group and connect to them.
Run the command `sudo vi /etc/ansible/hosts`. Once the text editor opens you should see text already in it. Enter:
[web]
16.171.200.117 ansible_user=ansible
`16.171.200.117` is the Public IP address of the managed-host. Press Escape, type `:wq` and press Enter to save and exit the editor.
`[web]` is the group name (you can call it whatever you want).
`ansible_user=ansible` tells Ansible to SSH into that machine using the ansible user.
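To see how the group header and the inline `ansible_user=...` variable are read back, here is a small script that writes an inventory in the same INI form as `/etc/ansible/hosts` and extracts the hosts and variables from it, which is a useful sanity check before pointing `ansible all -m ping` at real machines. This is an added example, not code from the original post or from Ansible itself: the second group, the `10.0.0.5` address and the `ansible_port` variable in the usage are constructed sample values, and the parser only handles the plain `[group]` / `host var=value` layout the post uses.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): build and read back an INI-style
# Ansible inventory so the group/host layout can be checked without ansible.
set -eu

# write_inventory FILE GROUP HOST [VAR=VALUE...]
# Appends a [GROUP] section containing HOST plus any inline host variables
# (e.g. ansible_user=ansible), in the same form /etc/ansible/hosts uses.
write_inventory() {
    local file="$1" group="$2" host="$3"
    shift 3
    {
        printf '[%s]\n' "$group"
        printf '%s' "$host"
        for var in "$@"; do printf ' %s' "$var"; done
        printf '\n\n'
    } >> "$file"
}

# hosts_in_group FILE GROUP
# Prints the address of every host line under [GROUP], stopping at the next
# section header and skipping comments and blank lines. This is the set of
# machines "ansible GROUP -m ping" would target.
hosts_in_group() {
    awk -v want="$2" '
        /^[[:space:]]*\[/ { in_group = ($0 == ("[" want "]")); next }
        in_group && NF > 0 && !/^[[:space:]]*#/ { print $1 }
    ' "$1"
}

# host_var FILE HOST NAME
# Prints the value of inline variable NAME (e.g. ansible_user) set on HOST,
# or nothing if HOST has no such variable.
host_var() {
    awk -v host="$2" -v name="$3" '
        $1 == host {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == name) { print kv[2]; exit }
            }
        }
    ' "$1"
}

# Usage (constructed sample inventory written to a scratch file):
#   f=$(mktemp)
#   write_inventory "$f" web 16.171.200.117 ansible_user=ansible
#   hosts_in_group "$f" web          # prints 16.171.200.117
#   host_var "$f" 16.171.200.117 ansible_user   # prints ansible
```

Once Ansible is installed on the control host, `ansible-inventory -i /etc/ansible/hosts --graph` prints the same grouping from Ansible's own parser, which is the authoritative view.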
17. Testing the Ansible Connection
On the Control Host, run the command `ansible all -m ping`.
We should get an output with a success message. It shows we have successfully created the Ansible inventory file.