源代码管理中的 Ansible SSH 私钥? [英] Ansible SSH private key in source control?

问题描述

我开发 Ansible playbook 已经有几个星期了，因此，我对这种技术的经验相对较短.我的部分策略包括使用自定义 ansible_ssh_user 来在整个清单中配置主机，但是，这样的用户将需要自己的 SSH 密钥对，这将涉及某种持有/存储其通信私有的计划钥匙.在生产环境中，此剧本将被克隆/拉取并在某个剧本节点内运行，该节点的作用是提供基础架构的其余部分.

I have been developing an Ansible playbook for a couple of weeks, therefore, my experience with such technology is relatively short. Part of my strategy includes using a custom ansible_ssh_user for provisioning hosts throughout the inventory, however, such user will need its own SSH key pair, which would involve some sort of a plan for holding/storing its correspondent private key. On a production environment, this playbook would be cloned/pulled and run inside a certain playbook node whose role is to provision the rest of the infrastructure.

起初，我想把那个私钥放在 playbook git 存储库中，但我对它有第二个想法，主要是因为一些明显的安全原因和周围的常识，因此我需要就此事向您咨询.

At first, I was thinking to just put that private key inside the playbook git repository, but I am having second thoughts about it nonetheless, mostly because of somewhat obvious security reasons and common sense around it, hence the reason I need to consult you about this matter.

把这个放在桌子上，下面是后续问题:

With this set on the table, here are the follow-up questions:

• 在基于 Ansible 的开发环境中，在源代码管理中保存私有 SSH 密钥是否合理/合理?
• 这种做法是否仅适用于开发环境，而剧本节点内的另一个本地 git 分支将用于保存实际的生产 SSH 私钥?立>
• 通过 Ansible Vault 解决这种情况会更好吗?我以前从未使用过它，但无论如何我还是无法确定这是否适合使用它.
• 根据您的经验，您在生产环境中会采用什么方法来解决此问题?在此特定场景中，您认为最佳做法是什么?

• In an Ansible-based development environment, is it sane/reasonable to hold a private SSH key in source control?
• Would this practice be advised only for development environments whereas another local git branch inside the playbook node would be then used to hold the actual production SSH private key?
• Would it be better to address this case scenario via Ansible Vault instead?, I have not ever used this before, but regardless of that I cannot yet tell whether this would be a proper case for using it.
• In your experience, what would be your approach around this in a production environment?, what would it be considered as the best practice in this particular scenario?

推荐答案

在修订控制中存储任何类型的明文秘密都是一个坏主意，包括 SSH 私钥.相反，使用 ansible-vault 来存储私钥.

It's a bad idea to store any kind of plaintext secret in revision control, SSH private keys included. Instead, use ansible-vault to store the private key.

ansible-vault 可以对任何文件类型进行操作.只需使用

ansible-vault can operate on any file type. Just encrypt the file with

ansible-vault encrypt /path/to/local/private_key

然后安装密钥:

- name: Install a private SSH key
  vars:
    source_key: /path/to/local/private_key
    dest_key: /path/to/remote/private_key
  tasks:
  - name: Ensure .ssh directory exists.
    file: 
      dest: "{{ dest_key | dirname }}"
      mode: 0700 
      owner: user 
      state: directory
  - name: Install ssh key
    copy: 
      src: "{{ source_key }}" 
      dest: "{{ dest_key }}"
      mode: 0600
      owner: user

早期版本的 ansible-vault 只会对 var 文件中定义的变量进行操作，因此您必须执行以下操作:

Earlier versions of ansible-vault would only operate on variables defined in var files, so you had to do something like this:

ssh_key: |
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
key_file: /home/user/.ssh/id_rsa

使用 ansible-vault 加密:

Encrypt with ansible-vault:

ansible-vault encrypt /path/to/var_file

并安装密钥:

- name: Ensure .ssh directory exists.
  file: 
    dest: "{{ key_file | dirname }}"
    mode: 0700 
    owner: user 
    state: directory

- name: Install ssh key
  copy: 
    content: "{{ ssh_key }}" 
    dest: "{{ key_file }}"
    mode: 0600
    owner: user

感谢以下所有通过评论改进答案的人.

Thanks to all those below who improved the answer with their comments.

这篇关于源代码管理中的 Ansible SSH 私钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！