Getting started with Ansible 02 - SSH Overview & Setup

Captions
Hello and welcome back to my Ansible series, everyone. I know you guys are itching to get started and dive into the world of Ansible, but in this video we need to cover a very important core concept first before we can go ahead and do that, and that concept is OpenSSH. OpenSSH is pretty much the default, the standard, when it comes to remote administration in Linux. It's what we use to connect to a Linux server to basically run commands, to do some administration, things like that, and it's also what Ansible uses to do its provisioning as well. So in this video I'm going to give you guys a basic look at what SSH is and also how to do some basic key management, which is very important when it comes to Ansible. And none of the concepts that I'm going to cover in this video are specific to Ansible, but it's very important that you have a base understanding of these topics before we go ahead and dive in. So let's take a quick look at OpenSSH, especially how to manage keys. You guys are definitely going to want to understand how to do that especially, but we're going to go ahead and cover all of that and more in this video. Let's go ahead and get started.

[Music]

Now, before we get started, I just want to make sure that we have a complete understanding of what the goal is in this video, what we're trying to achieve. For this episode it's all about OpenSSH, or more simply SSH. Technically this has nothing to do with Ansible, but since Ansible uses SSH, it's important that we have at least a foundational understanding of what it is and how to use it. Now, going back to our theme here, we have a workstation. Obviously it could be a desktop, a laptop, it doesn't really matter, but basically if you are a Linux administrator, you'll more than likely use SSH to connect to your servers to do your work. So basically SSH is very easy to use. It's usually just a matter of using the ssh command and then giving it an IP address or a hostname of a server that you want to connect to, and then you'll either be prompted for
the password, or if you have an SSH key then you won't be prompted for a password and you'll connect right to the server. Now, password-based authentication is the default, but it's always better to use SSH keys, which are optional, but basically what they do is they help secure your connection and make it that much harder for someone on the outside to break in. Now, SSH on its own is fairly secure, but to be fair, if you have an easy password then it's only a matter of time before someone on the outside is able to crack that password. But using an SSH key actually makes it much harder and is highly recommended.

Now, first and foremost, OpenSSH is a prerequisite for Ansible. It's required because, again, that's how Ansible basically does its magic: it uses OpenSSH to connect to each of the servers to go ahead and provision them. On the workstation, or whatever machine you're running Ansible from, all you'll need is the SSH client, and if you're running Linux that comes default. There shouldn't be anything you need to do on the workstation. When it comes to the servers, the OpenSSH server is actually optional. If the server is a Linode, a droplet or some kind of VPS, then you actually will have the SSH server installed by default and you'll be ready to go. If you're setting up a manual Ubuntu Server installation from the installation media, then part of the process of installing it will actually ask you whether or not you want the OpenSSH server. If you said yes, you're all set. If you didn't, then you're going to need to basically install the OpenSSH server package on the servers to make sure that they have it.

Once we verified that we have OpenSSH installed, the next thing we need to do is make that initial connection from the workstation via SSH to each of the servers. The reason we need to take care of that is because the first thing it's going to do is ask you, are you sure you want to connect? And then you'll answer yes, and then the connection will happen. You won't be asked that again. It's only
the initial time you connect. So we want to basically make sure we take care of that initial connection on each of the servers and then answer that prompt. The reason we're doing this is because that prompt can actually trip up Ansible. There's actually a way to make Ansible automatically accept the initial connection, but that's beyond the scope of the video. It's easier just to go ahead and make the first connection yourself from the laptop, workstation, whatever you have, to the servers to get that out of the way.

The next topic that we're going to go over in this video is how to create an SSH key pair, and this is not required but it's highly recommended. It's a great practice to get into and it basically, like I mentioned, it strengthens your SSH connection, so it's generally a great idea. The key that we create for our user account, which is the first of two keys that we'll be creating, will have a passphrase that'll make it even more secure. Now, we don't actually need an SSH key for our normal user account, and creating a key for our user account has nothing to do with Ansible. It's just a great practice to have your own key in addition to any other keys that you might create for other purposes. After we create that key, I'm going to show you how to copy that key to each server so we can actually use it, and then we'll create an SSH key that is specific to Ansible. Now, this one won't have a passphrase because we'll want to be able to automate the connections later. So there's other ways of securing SSH with Ansible I'm not going to get into, but this key is going to be a little bit more open, so hypothetically you would keep that key especially safe. But we're going to create a key specifically for the purposes of Ansible, and then we're going to copy that key to each of the servers as well, and then we'll go ahead and use that for purposes of Ansible later in the series.

So here on my laptop I have a tmux session open and I have four different tabs at the bottom. Now, don't worry if you
don't know what tmux is. It's just one of my favorite tools. You don't have to know this for working with Ansible, has nothing to do with that. I just like tmux when it comes to creating tutorials because it allows me to easily flip between servers. So again, I have four tabs on the bottom, and going along with the theme of this series, I have my workstation, I have server one, server two and server three, and since I'm using tmux I can easily flip between each of these servers. But again, the whole scenario is you have a workstation or a laptop and you want to use that workstation or laptop to configure one or more servers via Ansible.

Now, if I go over here to server one, now run ip a to get the IP address, you can actually see the IP address right here. I can go ahead and just make sure that my workstation is able to SSH into that server. So what I'll do is ssh 172.16.250.133, or whatever your IP address is, the IP address of the server on your side, the first server. I'll press enter, and the first time we go to connect to it, it's going to make sure, you know, do you really want to do this? Well yeah, I wouldn't have ran the command if I didn't want to use it, but it's a security thing. Long story, not going to get into it in this video, but I'll just say yes to accept that fingerprint, because every server is going to have its own fingerprint. You can see that it added this IP address to the list of known hosts. I'll go ahead and type in my password, and here we are, I am connected to the first server, and I can press Ctrl+D to log out, and now I'm back to my workstation.

The takeaway is this: you should be able to run ssh, then the IP address of the server, or if you have multiple servers, each one, to connect to each from your workstation. That has to work. So over here I have server two. I'll make sure that that works. That ends in .134. I have the same syntax on each, so I'll just go ahead and recall that ssh command, change it to four at the end, say yes, put in the password, and there we go, I
was able to connect to the second one. Now disconnect, and I'll make sure that I'm able to connect to the third. That IP address ends in 132, so I'll do the same thing again, and there we go. I was able to use SSH to connect to each of the servers. Now again, Ansible uses SSH by default, so we definitely want to make sure that this works, because Ansible is going to make an SSH connection to each of the servers to go ahead and provision them. So we want to make sure that we connect to each server, accept the fingerprint by saying yes, just make sure that the connection works.

So next we want to go ahead and take a look at SSH key management. Using keys with SSH actually makes the connection much more secure. SSH by default is relatively secure, but if your password to your server is very easy, then it's only a matter of time before somebody breaks in. A key makes it harder for someone to break in, so it's a good idea to use a key with SSH, and I'm going to show you how to generate a key right now. So if I run right now ls -la against the ssh folder, we only have the known hosts file there right now. This is also the folder where SSH keys will be stored by default as well, and since we can see that the known hosts file is the only file in this folder, then we can safely come to the conclusion that we don't have any SSH keys at the moment. But generating one is very easy.

So the command that we will use to generate an SSH key is this one: ssh-keygen. So basically the act of generating an SSH key with SSH has its own dedicated command, and there's actually variations of this command in multiple ways that you can generate a key. I'm not going to go into too much detail here, but I'm going to show you right now how to generate a very secure key. So we will do -t for type, because we want to tell the ssh-keygen command what type of key we want to generate. Yes, it's going to be an SSH key, but what kind of SSH key is it? That's what we're about to tell this command with the -t option, and
the type of key we want to create is ed25519, just like that. So it's beyond the scope of this video to talk to you guys about all the different key types and why you would want this one over the others. In short summary, the ed25519 format is a more secure key than the default, and it also has a shorter key length as well, which especially makes it easier for me when I'm trying to crunch a bunch of things into a terminal window in a tutorial with the font size cranked up like I have it here. Now, the next option is optional: -C (capital C). That's basically a comment, if we want to have some kind of information, almost like metadata, about the key. I'll demonstrate what this is in a moment, but I'm going to go ahead and call mine j default. I think that's good enough. I'll press enter, and it's going to ask me where to save the SSH key. It's going to default to your home directory, .ssh, and then it has its own default key name format. id_ed25519 is the default for this key type. You don't have to change this. I'm going to press enter to accept the defaults, and now it wants a passphrase.

A passphrase basically makes the key much more secure. I do recommend that you go ahead and add a passphrase. Now, you could probably argue that adding a passphrase defeats the purpose of SSH keys, because SSH keys, one of the things that they do is they make it much easier for you to connect to a server, because, well, it basically automates that and doesn't even ask for your password. So by adding a passphrase to your key, it's going to ask you for that key every time you use it. There is a way to actually cache that in the background so it doesn't ask you every single time. I'll get to that later, but for now I do recommend that you use a passphrase. It makes the key that much better. So I'm going to go ahead and put mine in, and I did that. You can make it whatever you want, and it's not going to show as you type. So I'll press enter, and it wants me to confirm that. I just press enter again, and it gives you
a cool little random art image right here, which is pretty neat, and the key has been created. Now if we look at the ssh directory, we have a couple files there. Actually, we have this id_ed25519 and then we have the same thing ending in .pub. This is known as a public/private key pair. The .pub obviously is your public key. You could go ahead and literally send that to all your friends, you can put it on a billboard. It's basically marked public key for a reason. It really doesn't matter if you let anyone see this. But this private key right here, you definitely don't want anyone to see that, because there's a reason why that's considered the private key, because if that leaks out, that invalidates everything. Definitely keep that one safe. But the public key, that's fine.

Let's actually take a look at it. So first of all, I'll just show you the contents of the public key, and there you go. You have the actual key right here, and then we have the comment that we added right here. The type of key is here at the beginning. Now I'm going to show you the private key. Yes, I know you should never ever do this, but basically after I record this series I'm going to delete these VMs and all the keys anyway, so it really doesn't matter since everything is going to be trashed anyway. So I'll press enter here, and we can see that it's even marked OpenSSH private key. It's a lot longer, because here's the actual key right here, so you could just see what the format actually looks like. But we have successfully generated an SSH key that we can then use to connect to the other servers.

Now, how do we actually make it so that we can use that key to connect to our servers? Well, let's go ahead and walk through that right now. And the process of adding an SSH key to a server has its own dedicated command, which is ssh-copy-id. That's the command that we will use to copy our key to a server. We'll press space, then -i, which basically stands for input file, and then the name of the key file as I've done
right there, the IP address of the server that you want to copy the key to. In my case it's this IP right here. I'll press enter, and then I'll type in the password, and it says that it went ahead and added the key. So what exactly happened? Well, let's go ahead and take a look at that directory, .ssh, and not only does that directory exist now where it didn't before, we also have the authorized keys file as well. So let's take a look at that, and I bet that looks very familiar, doesn't it? So I'll show you guys the contents again, and we can see the contents of the public key right there, and that's the exact same thing inside the authorized keys file. Now honestly, you could have copied that and pasted it into that file yourself. You didn't actually need to run that command. The ssh-copy-id command is just a convenience.

So anyway, what I can do now is copy it to the second server, so .134. That one was added. And .132 in my case. Now that one was added. So now in each of these, can see that we now have an authorized keys file, so we have successfully copied the key over to those servers. So now let's go ahead and use the key to connect to a server now that we've added the key. So I'll connect to the first server, in my case ssh, then the IP, and then enter, and now it's asking me for the passphrase to the key that I generated earlier. I'll go ahead and type that in, and it worked. Ctrl+D to disconnect. So now at this point we know not only how to generate an SSH key, we know how to copy it to the target server, and you can see that it works, because when I ran the ssh command after copying the key, it asked me for a passphrase. So that's the key that we will use to connect to our servers if we want to run manual commands.

But the whole point of this series is to go over Ansible, so what we should do now is create an SSH key that is dedicated only to Ansible. So let's go ahead and take care of that right now. Now again, it was ssh-keygen, that was the command that we used to generate a key, -t for type,
and the type again is ed25519. So again, basically what we're doing is we're going to create a key that's specific to Ansible, but we want to go ahead and make this one different, so let's give it a different comment: -C (uppercase C), and I'll give it the comment of simply ansible, just like that, and then I'll press enter. Now what it's doing is it's again asking us where do we want to save this key. Now be careful, because if you look at the path, it's the same path to the original key that we generated earlier, so if we were to go ahead with this, it's going to overwrite that one. We don't want that. What we want to do instead is to give it a different name, so we want to definitely make sure that we type the path appropriately. So it's going to basically be /home/username/.ssh, and again we want to give it a different key name than we did with the original one, and I'm going to call this one ansible.

Now here is where I recommend that you don't create a passphrase. Basically, what we will want to achieve later in the series is to set up Ansible so that it can automatically do the tasks that you wanted to do without you having to manually enter a passphrase. So for this I'm just going to press enter and then enter again, and that's it. So now we have a key with no passphrase at all. So this key you really do want to keep very private, very secret, as this Ansible key is very powerful. Well, it's not powerful right now, but it will be when we get further into the series.

So now what we're going to want to do is also copy this key to each of the servers as well. I pressed the up arrow a few times here, and this is an example of a command that we used previously to add the original key, so we're going to go ahead and change this. Now I'm going to just start with the .132 server, but we actually want to change the key name, because we want to add the new key that we just generated. ansible basically is the name of the key, and this is the public key, so we want to basically add the
new Ansible key to the server right here. I'll press enter, and right here it's asking me for a passphrase. Not the passphrase for the new key, because we didn't even add a passphrase to the new key, so what it's doing is it's basically asking us for the passphrase to the original key that it's going to use to facilitate copying the new key over to the server. So I'll just type that in, and it basically said that it added the key, and what I'm going to do is repeat that to this server as well, and then also to this one. So now if we go to any of our other servers and take a look at the authorized keys file, you can see that both keys are actually here now, which is great, because, you know, we want to be able to use our own key to do our own one-off commands. We also want a key to use Ansible with as well, one that's specific to Ansible, which is the second one here. So, so far so good.

Now back here on my workstation, what we can do is actually use the Ansible key, just so I can show you guys how that's differentiated. How do you tell SSH which key you want to use for the connection? So the way you do that is ssh of course, -i, then I'll do the shorthand path to the ssh directory in my home directory, and I'm going to use the ansible key, and I'll type the IP address of a server here. Now notice that it dropped me right into that server without asking me for a password, a passphrase or anything. So that's basically what Ansible is going to be able to do. It's going to be able to connect to the server with no password or passphrase and do its work. Now with our key, yes, we have to add a passphrase, but it's more secure. The Ansible key should not be used outside of our local network, so basically we want to keep it secure, because again, it's almost like the keys to the castle. As a matter of fact, that is what it is, it's the keys to the castle, so we definitely want to keep that one safe. Now if I just use ssh, then the IP address of that server, without telling it which key to use, it's going to use the
original key, which is going to ask me for a passphrase, and then it lets me in.

I don't know about you though, I am so lazy, I don't want to type that passphrase every single time that I want to connect to a server. So for all of you out there that are lazy like me, here's a little cheat that's going to go ahead and make that a little bit easier, actually quite a bit easier. So what we can do is type eval, and then the dollar sign, and then in parentheses here we want to type this: ssh-agent. And what an SSH agent is, it's basically a process that can run in the background that can cache your passphrase, so that way you only need to enter it once. So press enter, and not a lot happened here. It basically gave me a process ID of 2362. What we can tell from this is that the SSH agent is running in the background. So if I do, let's just try ps aux and I'll grep for 2362, we can see right here it is the ssh-agent that is running in the background. Now that it's running in the background, we can do this: ssh-add, and it's going to ask me for the passphrase for that key, which I'll type right now, and it tells me the identity was added.

Okay, so what did that actually do for me? Let's recall the ssh command, this one right here. Boom, I'm dropped right into the server without having to enter that passphrase. So we basically get the convenience of an SSH key without a passphrase, but it does have a passphrase. We only need to enter it once. But it's not actually permanent, that's the downside. If you were to close your terminal window, then that SSH agent is basically not running anymore. You need to enter that command again. But that's okay, because you only need to do it once and then you're good to go for the remainder of the life of the terminal window. But you know what, I can make this a little bit easier for you guys, because we can create an alias. And I have entire videos about aliases on my channel already, but essentially it's like making your own Linux command. So I could do alias, and I'm going to
call mine ssha, or, you know, short for SSH agent, and I'm going to set it equal to eval just like we did before, but I'm going to press space instead of enter here, because I want to add a little bit more to this: && ssh-add, just like that, and then I'll press enter. Now what that allows me to do is actually have a command that's simply ssha, which will basically run all of this right here, everything inside the quotes, which will greatly simplify activating your SSH agent, and it'll then ask for the key, which I'll type in, and it added it. Now I don't know about you, but typing this right here is a lot easier than typing all of that. So that's an alias.

Now the problem is, if you close your terminal window, you also lose the alias. So what you can do there is just use a text editor, like nano for example, edit your .bashrc file, which is already going to have a lot of stuff here. So if you scroll down, you can add it somewhere inside this file. It really doesn't matter where, but you could just add it right here, since, you know, here's the ls aliases already, and we can just do ssh agent, just give it a new comment, even though I guess a comment's really not needed since it's pretty simple, and then we just type the alias just like we did before, and then Ctrl+O to save the file, and then we'll exit. I type alias ssha, it tells me what the alias actually is. So I'll disconnect, and then I'll reconnect to my workstation to basically simulate closing the terminal and reopening it. The alias is still there. So since I added that to my .bashrc file, I now automatically have that alias, and I can just type ssha, type in the passphrase, and it's cached in the background, and now I don't need to enter that anymore. The SSH agent will take care of that for me. That's pretty cool.

So there we go. We have successfully laid some of the groundwork and the foundation that we're going to use through the rest of the series, and we're going to do that in the next video as well. We are actually going to set
up a Git repository that is going to hold all of our code, so we can get in the habit of using version control with Ansible, which is very important. And that video should be on my channel right now, so whenever you're ready, I'll go ahead and see you there.
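
The captions describe a public key as three fields (key type, the key itself, a comment) and an authorized keys file that ends up holding both the personal key and the passphrase-less Ansible key. As an added example that is not from the video, this Python script audits such a file: it parses each entry, checks that the declared type matches the type embedded in the key data, and computes the SHA256 fingerprint so you can confirm exactly which keys a server trusts. The sample keys are constructed from fixed bytes, the function names are hypothetical, and entries are assumed to carry no leading options (the form `ssh-copy-id` writes).

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + data."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey(seed: int, comment: str) -> str:
    """Build a CONSTRUCTED ed25519 public-key line (no matching private key)."""
    raw = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_entry(line: str) -> dict:
    """Parse one line of the form: type base64-key [comment]."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected: type base64-key [comment]")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key data too short")
    # The first wire-format string inside the blob repeats the key type.
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if embedded != declared:
        raise ValueError(f"declared {declared!r} but blob says {embedded!r}")
    # Same fingerprint format that `ssh-keygen -l` prints by default.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": declared, "fingerprint": fingerprint, "comment": comment}


def audit(text: str) -> list:
    """Parse every key line; flag keys that appear more than once."""
    entries, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_entry(line)
        entry["line"] = lineno
        entry["duplicate"] = entry["fingerprint"] in seen
        seen.add(entry["fingerprint"])
        entries.append(entry)
    return entries


# Constructed sample: a personal key, the Ansible key, and the Ansible key
# pasted in a second time by hand.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    make_sample_pubkey(1, "j default"),
    make_sample_pubkey(101, "ansible"),
    make_sample_pubkey(101, "ansible"),
]) + "\n"

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        flag = " (duplicate)" if e["duplicate"] else ""
        print(f'{e["line"]}: {e["type"]} {e["fingerprint"]} {e["comment"]}{flag}')
```

Comparing the printed fingerprints with the output of `ssh-keygen -lf` on the workstation's `.pub` files shows whether a server holds only the keys you expect.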
Info
Channel: Learn Linux TV
Views: 82,605
Keywords: Linux, Tutorial, Howto, Guide, open source, gnu/linux, ansible, ssh, openssh, ssh key, key authentication, ansible tutorial, tutorial for beginners, getting started with ansible, ansible intro, ansible tutorial for beginners, ansible full course, ansible howto, ansible setup, ssh command, configuration management, cloud, devops, linode, infrastructure as code, script, automation, Learn Ansible, ansible 101, ansible course, linux for beginners 2021, devops explained, devops tools
Id: -Q4T9wLsvOQ
Length: 28min 51sec (1731 seconds)
Published: Fri Jul 31 2020