In this Ansible tutorial for beginners, we’ll cover getting started with Ansible as a configuration management tool for setting up a bare CentOS, Debian, and Ubuntu server with more secure SSH settings and a few tools to make your life a little easier.
Our goals:
- Set up a non-root user
- Give the new user sudo access
- Disable password-based logins
- Disable root logins
- Use SSH keys for logins
Prerequisites for this Ansible configuration management tutorial
- A newly-provisioned or rebuilt server running any of our OS options—CentOS, Debian, or Ubuntu.
Step 1: Install Ansible on your local machine
To get started using Ansible for configuration management, you first need to install it on your local machine. Ansible's documenation gives installation instructions for a variety of platforms, including various *nix distributions and OS X.
Step 2: Edit the Ansible hosts file
To connect Ansible to your VPS, you need to specify its IP address within Ansible’s hosts file. On Linux and OS X machines, that can be found at /etc/ansible/hosts.
The beginning of the file should look like this:
# This is the default ansible 'hosts' file.
#
# It should live in /etc/ansible/hosts
#
# - Comments begin with the '#' character
# - Blank lines are ignored
# - Groups of hosts are delimited by [header] elements
# - You can enter hostnames or ip addresses
# - A hostname/ip can be a member of multiple groups
# Ex 1: Ungrouped hosts, specify before any group headers.
## green.example.com
## blue.example.com
## 192.168.100.1
## 192.168.100.10
To enable your VPS, simply add the IP address anywhere in this file underneath an [ssdnodes] grouping.
There should be no other symbols—like the # comment—in the line.
[ssdnodes]
123.45.67.89
Now, test out your configuration by pinging your VPS. For now, you have to use -u root to ensure you’re trying to connect via the root account.
$ ansible all -m ping -u root
If it’s successful, you’ll see the following output:
123.45.67.89 | SUCCESS => {
"changed": false,
"ping": "pong"
}Step 3: Getting started with Ansible playbooks
To get started using Ansible to manage server configurations, we need to create an Ansible playbook. A playbook is the core component of any Ansible configuration.
The playbook will define the tasks that need to be completed to configure your servers. The ability to create and run Playbooks is the key reason that it's so powerful to use Ansible for configuration management.
The Ansible playbook is in the common .yaml language.
$ mkdir ansible && cd ansible
$ touch create_user.yaml
$ nano create_user.yaml
And here is a basic playbook example that accomplishes our goals.
Note: This playbook is meant to run on a bare CentOS 7 server. If you want to run this on an Ubuntu/Debian server, simply change the yum line to apt.
---
- hosts: ssdnodes
remote_user: root
vars_prompt:
- name: "user_name"
prompt: "Enter a name for the new user"
private: no
confirm: yes
- name: "user_password"
prompt: "Enter a password for the new user"
private: yes
encrypt: "sha512_crypt"
confirm: yes
salt_size: 7
tasks:
- name: Check to make sure we have a 'wheel' group
group:
name: wheel
state: present
- name: Install the 'sudo' package
yum:
name: sudo
state: latest
- name: Create the non-root user
user:
name: ""
password: ""
shell: "/bin/bash"
groups: "wheel"
- name: Add local public key for key-based SSH authentication
authorized_key:
user: ""
key: "{{item}}"
with_file:
- ~/.ssh/id_rsa.pub
- name: Restrict root SSH logins
lineinfile:
dest: /etc/ssh/sshd_config
state: present
regexp: '^#PermitRootLogin'
line: 'PermitRootLogin no'
- name: Restrict SSH logins to keys only
lineinfile:
dest: /etc/ssh/sshd_config
state: present
regexp: '^#PasswordAuthentication'
line: 'PasswordAuthentication no'
- name: Restart sshd
systemd:
state: restarted
daemon_reload: yes
name: sshd
Before we go into how you run this command, let’s walk through what some of these lines do in practice.
- hosts: ssdnodes
remote_user: root
These two lines dictate which host group we’re going to work with—in this case, the ssdnodes group we created earlier—and specify that we’re using the root login (just this once) to complete our steps.
vars_prompt:
- name: "user_name"
prompt: "Enter a name for the new user"
private: no
confirm: yes
- name: "user_password"
prompt: "Enter a password for the new user"
private: yes
encrypt: "sha512_crypt"
confirm: yes
salt_size: 7
These two vars_prompt commands will ask for user input to define which username and password they would like to associate with the newly-created account.
Beyond this, each nested block of script that begins with - name: defines a new task that Ansible will complete in sequential order, once the previous task has completed successfully. Failed tasks will cause the entire playbook to stop running.
If you follow along with each of the tasks, you can see that we’re installing sudo, creating our new user, adding your SSH public key to the server, and putting some basic restrictions on sshd before restarting it.
Step 4: Run the Ansible playbook
Running this Ansible playbook is fairly straightforward. Here’s the command we’ll use:
ansible-playbook create_user.yaml --ask-pass
We need to include --ask-pass so that Ansible uses a password to log into the server rather than try to use an SSH key that isn’t there.
Once you run the command, you’ll be asked to enter the SSH password:. This is the root login for your server—that password can be found in your SSD Nodes dashboard.
Once you’ve entered the root password, you’ll be prompted to specify and confirm a username and password. Once that’s done, Ansible will get to work!
With any luck, Ansible runs smoothly, and you'll see the following in your terminal:
____________
< PLAY RECAP >
------------
^__^
(oo)_______
(__) )/
||----w |
|| ||
123.45.67.89 : ok=8 changed=6 unreachable=0 failed=0
At this point, you’ll be able to log into your new user account using your SSH key.
More resources on Ansible for configuration management:
You’re now ready to get started using Ansible to manage the configuration of new servers with ease, and with an eye toward security.
For a deeper dive into getting started with Ansible, including in-depth explanations of all the components and terminology, check out our "Step by step guide to Ansible" tutorial.
To get more concrete playbook examples aimed toward maximizing security-- to help you harden your SSH, fend off brute force attacks, and more-- check out our 2-part series:
Ansible playbook for a more secure VPS (part 1)
A More Secure Ansible Playbook (Part 2)
And finally, for more information about how to use Ansible for automated server hardening, check out one these resources:
[cta text2="You're 90 seconds away from running Ansible on an SSD Nodes cloud server!" button="Ansible all the things!"]
A note about tutorials: We encourage our users to try out tutorials, but they aren't fully supported by our team—we can't always provide support when things go wrong. Be sure to check which OS and version it was tested with before you proceed.
If you want a fully managed experience, with dedicated support for any application you might want to run, contact us for more information.
