Linux Automation - InaFricke/SYS-255 GitHub Wiki
10.0.5.70 (hostname: clone1)
10.0.5.71 (hostname: clone2)
10.0.5.72 (hostname: clone3)
| Required | Fill in |
| -- | -- |
| IP Address and Netmask | 10.0.5.?/24 |
| Gateway | 10.0.5.2 |
| DNS | 10.0.5.6 |
| Search Domain | ina.local |

Follow the steps in Blog-01 lab instructions.
- Switch from WAN to LAN
systemctl restart network
useradd ina
passwd ina (pass)
usermod -aG wheel ina
- Add A records and check "Create associated PTR"
Check to make sure they work.
whoami; hostname; hostname -i; nslookup ad02-ina | grep -i name; ping -c1 ad02-ina | grep "packets transmitted"
On clone1, install:
- pssh
- epel-release (sudo yum install epel-release)
We are going to use a different authentication technique for SSH. We will create an RSA public and private key-pair, with the private key protected by a passphrase. Make sure to use the default key names (id_rsa.pub and id_rsa).
ssh ina@clone1
ssh-keygen
PW Roxirules
Push the public component of this keypair (id_rsa.pub) to our accounts on clone2 and clone3.
logged in as clone1
ls -l .ssh/
ssh-copy-id ina@clone2
passwordless loaded the ssh-agent and private key
Far too many administrators create ssh keys that are not protected by a passphrase. This is analogous to leaving the keys to your Porsche lying around. They do this because they would otherwise still need to type in a passphrase to unlock the keys. We will balance the security provided by a passphrase against the convenience of a totally passwordless solution by "caching" the passphrase in memory for an hour using the ssh-agent program.
The following commands load the ssh-agent if it is not already loaded (note the rarely used back-ticks, above Tab) and then add the private key for 1 hour. The subsequent ssh into clone3 does not prompt for a password. Log out of clone3 with exit and log in to clone2.

eval `ssh-agent`
ssh-add -t 1h
PW
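
To find the passphrase-less keys warned about above, this added example (not part of the original lab notes) reports, for each private key in a directory, whether it loads with an empty passphrase. The function names `key_is_unprotected` and `audit_keys` and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the lab): flag private keys stored without a passphrase.

# key_is_unprotected FILE: succeeds only if the key loads with an EMPTY passphrase.
# "ssh-keygen -y" derives the public key; "-P ''" supplies the passphrase
# non-interactively, so an encrypted key fails instead of prompting.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# audit_keys DIR: print one status line per private key found in DIR.
# Returns 1 if any key is unprotected or group/world-accessible, else 0.
audit_keys() {
    ak_rc=0
    for ak_f in "$1"/*; do
        [ -f "$ak_f" ] || continue
        # Only PEM/OpenSSH private keys; skips *.pub, known_hosts, config.
        head -n 1 "$ak_f" 2>/dev/null |
            grep -q -e '^-----BEGIN .*PRIVATE KEY-----' || continue
        # ssh-keygen refuses keys accessible by group/other, so check the mode first.
        if [ "$(ls -ld "$ak_f" | cut -c5-10)" != "------" ]; then
            echo "BAD-PERMS   $ak_f"; ak_rc=1
        elif key_is_unprotected "$ak_f"; then
            echo "UNPROTECTED $ak_f"; ak_rc=1
        else
            # Did not load with an empty passphrase (encrypted, or unreadable).
            echo "protected   $ak_f"
        fi
    done
    return "$ak_rc"
}

# Usage: sh audit_keys.sh ~/.ssh   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_keys "$1"
fi
```

A non-zero exit status means at least one key needs attention, so the check can be run from cron or across hosts with pssh.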
sudo nano /etc/sudoers
delete the #


run key
sudo yum install pssh
sudo is important
vim host_file.txt

-i (inline): displays standard output and errors inline as each host completes

pssh -i -h host_file.txt sudo yum install tree

pssh -i -h host_file.txt command
Install the ansible package using yum on just clone1. Once installed, conduct the following test that walks through all hosts in your hosts file, and runs a module called ping against them.
- sudo yum install ansible
- ansible all -i host_file.txt -m ping

The /etc/passwd file is readable by everyone and the /etc/shadow file (which contains hashed passwords) is only readable by root. Notice the success on tailing the /etc/passwd file and subsequent failure on /etc/shadow. This is resolved by telling Ansible that the user associated with the ssh public key at the other end of the connection is a sudoer user (-b).
- ansible all -i host_file.txt -a "tail -n 1 /etc/passwd"
- ansible all -i host_file.txt -a "tail -n 1 /etc/shadow"
- ansible all -b -i host_file.txt -a "tail -n 1 /etc/shadow"

- ansible all -b -i host_file.txt -a "firewall-cmd --add-port=3333/tcp"
- ansible all -b -i host_file.txt -a "firewall-cmd --list-all"

- On clone01, create a directory called “Nginx”
mkdir Nginx
- Within that directory wget the following file
cd Nginx
wget rb.gy/qqo51t
vi qqo51t

- vi index.txt


