community.crypto.openssh_keypair module – Generate OpenSSH private and public keys
Note
This module is part of the community.crypto collection (version 2.14.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.crypto
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.crypto.openssh_keypair
.
Synopsis
This module allows one to (re)generate OpenSSH private and public keys. It uses ssh-keygen to generate keys. One can generate
rsa
,dsa
,rsa1
,ed25519
orecdsa
private keys.
Requirements
The below requirements are needed on the host that executes this module.
ssh-keygen (if backend=openssh)
cryptography >= 2.6 (if backend=cryptography and OpenSSH < 7.8 is installed)
cryptography >= 3.0 (if backend=cryptography and OpenSSH >= 7.8 is installed)
Parameters
Parameter |
Comments |
---|---|
The attributes the resulting filesystem object should have. To get supported flags look at the man page for chattr on the target system. This string should contain the attributes in the same order as the one displayed by lsattr. The |
|
Selects between the
Choices:
|
|
Provides a new comment to the public key. |
|
Should the key be regenerated even if it already exists Choices:
|
|
Name of the group that should own the filesystem object, as would be fed to chown. When left unspecified, it uses the current group of the current user unless you are root, in which case it can preserve the previous ownership. |
|
The permissions the resulting filesystem object should have. For those used to /usr/bin/chmod remember that modes are actually octal numbers. You must either add a leading zero so that Ansible’s YAML parser knows it is an octal number (like Giving Ansible a number without following one of these rules will end up with a decimal number which will have unexpected results. As of Ansible 1.8, the mode may be specified as a symbolic mode (for example, If If Specifying |
|
Name of the user that should own the filesystem object, as would be fed to chown. When left unspecified, it uses the current user unless you are root, in which case it can preserve the previous ownership. Specifying a numeric username will be assumed to be a user ID and not a username. Avoid numeric usernames to avoid this confusion. |
|
Passphrase used to decrypt an existing private key or encrypt a newly generated private key. Passphrases are not supported for type=rsa1. Can only be used when backend=cryptography, or when backend=auto and a required |
|
Name of the files containing the public and private key. The file containing the public key will have the extension |
|
Used when backend=cryptography to select a format for the private key at the provided path. When set to For OpenSSH < 7.8 private keys will be in PKCS1 format except ed25519 keys which will be in OpenSSH format. For OpenSSH >= 7.8 all private key types will be in the OpenSSH format. Using this option when regenerate=partial_idempotence or regenerate=full_idempotence will cause a new keypair to be generated if the private key’s format does not match the value of private_key_format. This module will not however convert existing private keys between formats. Choices:
|
|
Allows to configure in which situations the module is allowed to regenerate private keys. The module will always generate a new key if the destination file does not exist. By default, the key will be regenerated when it does not match the module’s options, except when the key cannot be read or the passphrase does not match. Please note that this changed for Ansible 2.10. For Ansible 2.9, the behavior was as if If set to If set to If set to If set to If set to Note that adjusting the comment and the permissions can be changed without regeneration. Therefore, even for Choices:
|
|
The level part of the SELinux filesystem object context. This is the MLS/MCS attribute, sometimes known as the When set to |
|
The role part of the SELinux filesystem object context. When set to |
|
The type part of the SELinux filesystem object context. When set to |
|
The user part of the SELinux filesystem object context. By default it uses the When set to |
|
Specifies the number of bits in the private key to create. For RSA keys, the minimum size is 1024 bits and the default is 4096 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, size determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will cause this module to fail. Ed25519 keys have a fixed length and the size will be ignored. |
|
Whether the private and public keys should exist or not, taking action if the state is different from what is stated. Choices:
|
|
The algorithm used to generate the SSH private key. Choices:
|
|
Influence when to use atomic operation to prevent data corruption or inconsistent reads from the target filesystem object. By default this module uses atomic operations to prevent data corruption or inconsistent reads from the target filesystem objects, but sometimes systems are configured or just broken in ways that prevent this. One example is docker mounted filesystem objects, which cannot be updated atomically from inside the container and can only be written in an unsafe manner. This option allows Ansible to fall back to unsafe methods of updating filesystem objects when atomic operations fail (however, it doesn’t force Ansible to perform unsafe writes). IMPORTANT! Unsafe writes are subject to race conditions and can lead to data corruption. Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: full |
Will return details on what has changed (or possibly needs changing in |
|
Support: full |
Uses Ansible’s strict file operation functions to ensure proper permissions and avoid data corruption. |
Notes
Note
In case the ssh key is broken or password protected, the module will fail. Set the force option to
true
if you want to regenerate the keypair.In the case a custom
mode
,group
,owner
, or other file attribute is provided it will be applied to both key files.
Examples
- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa)
community.crypto.openssh_keypair:
path: /tmp/id_ssh_rsa
- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa) and encrypted private key
community.crypto.openssh_keypair:
path: /tmp/id_ssh_rsa
passphrase: super_secret_password
- name: Generate an OpenSSH rsa keypair with a different size (2048 bits)
community.crypto.openssh_keypair:
path: /tmp/id_ssh_rsa
size: 2048
- name: Force regenerate an OpenSSH keypair if it already exists
community.crypto.openssh_keypair:
path: /tmp/id_ssh_rsa
force: true
- name: Generate an OpenSSH keypair with a different algorithm (dsa)
community.crypto.openssh_keypair:
path: /tmp/id_ssh_dsa
type: dsa
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The comment of the generated key. Returned: changed or success Sample: |
|
Path to the generated SSH private key file. Returned: changed or success Sample: |
|
The fingerprint of the key. Returned: changed or success Sample: |
|
The public key of the generated SSH private key. Returned: changed or success Sample: |
|
Size (in bits) of the SSH private key. Returned: changed or success Sample: |
|
Algorithm used to generate the SSH private key. Returned: changed or success Sample: |
Collection links
Issue Tracker Repository (Sources) Submit a bug report Request a feature Communication