Deploy NSX-T Edge VM SSH Keys with Ansible

While working with NSX-T, there are many reasons to access edge appliances using SSH. Most troubleshooting options are only available using nsxcli on the appliance itself. During the deployment, each appliance has 3 user accounts: root, admin, and audit. All accounts are configured with password-based authentication. In a previous article, I've already described how to deploy SSH keys using nsxcli, which allows a secure and comfortable authentication method. In this article, I'm explaining how to use Ansible to deploy SSH public keys to NSX-T Edges. This option allows you to easily manage keys on a large platform.

The deployment of SSH keys using nsxcli (# set user admin ssh-keys) is fully compatible with standard Linux methods. The key is stored in the .ssh/authorized_keys file in the usual format, without any additional databases or configs involved. That means that when you manually add a key to the authorized_keys file, it also appears in nsxcli (# get user admin ssh-keys). Because the authorized_keys file can be edited directly, you can leverage the Ansible authorized_key module to manage SSH keys.

For this article, I'm using a very simple approach that can be easily followed when you are new to ansible.

Prerequisites
Install Ansible and sshpass. In this example, I'm using a Debian-based system.

# apt install ansible sshpass

Configure Ansible Inventory
The Ansible inventory is a file, located at /etc/ansible/hosts, where you configure hosts and host groups. Create a host group with all of the Edge nodes where you want to deploy SSH keys.

[nsxt_edges]
edge01.virten.lab ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=[password]
edge02.virten.lab ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=[password]
edge03.virten.lab ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=[password]
edge04.virten.lab ansible_connection=ssh ansible_ssh_user=root ansible_ssh_pass=[password]

Ansible Playbook
An Ansible playbook is a blueprint of automation tasks. Typically, you have separate files for tasks and variables. For ease of use, I'm using a single file to define both: the variables (the SSH keys) and the tasks (deploying the keys).

nsxt_sshkeys.yml

---
- hosts: nsxt_edges
  gather_facts: false

  # One list of public keys per NSX-T user account. Each entry is a
  # complete authorized_keys line: type, key, comment (the comment
  # becomes the label shown by nsxcli).
  vars:
    admin_keys:
      - 'ssh-rsa key1 adminuser1@domain'
      - 'ssh-rsa key2 adminuser2@domain'
    audit_keys:
      - 'ssh-rsa key3 audituser1@domain'
      - 'ssh-rsa key4 audituser2@domain'

  tasks:
    # authorized_key accepts several keys in one call when they are
    # joined with newlines. exclusive: true makes the listed keys the
    # only keys in the account's authorized_keys file.
    - name: Deploy SSH public keys for admin
      authorized_key:
        user: admin
        key: "{{ '\n'.join(admin_keys) }}"
        exclusive: true

    - name: Deploy SSH public keys for audit
      authorized_key:
        user: audit
        key: "{{ '\n'.join(audit_keys) }}"
        exclusive: true

The exclusive option defines whether to remove all other non-specified keys from the authorized_keys file. With exclusive: true, the account ends up with exactly the keys listed in the playbook, so any key that was added manually or via nsxcli but is not in the list is removed.
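Because exclusive: true silently drops every key not in the list, it is worth previewing the effect before the real run. The following script is an added example, not part of the original post: it parses authorized_keys lines into the label/type/value form that nsxcli reports and computes which keys the playbook would add or remove. The sample file content and key blobs are constructed placeholders, not real keys.

```python
import shlex

# Key types OpenSSH accepts in authorized_keys; used to find the type field
# when a line starts with options such as from="..." or no-pty.
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}


def parse_authorized_keys(text):
    """Return [{label, type, value}, ...] in the same shape as the
    'get user <name> ssh-keys' output; comment lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = shlex.split(line)      # handles quoted option values
        except ValueError:
            continue                        # unbalanced quotes: not a key
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or len(fields) < idx + 2:
            continue                        # no type/key pair: malformed
        entries.append({"label": " ".join(fields[idx + 2:]),
                        "type": fields[idx], "value": fields[idx + 1]})
    return entries


def exclusive_diff(current_text, desired_keys):
    """Labels that 'exclusive: true' would add and remove. Keys are
    compared on (type, value) only; the comment is not part of the key."""
    cur = {(e["type"], e["value"]): e["label"]
           for e in parse_authorized_keys(current_text)}
    want = {(e["type"], e["value"]): e["label"]
            for e in parse_authorized_keys("\n".join(desired_keys))}
    added = sorted(want[k] for k in want.keys() - cur.keys())
    removed = sorted(cur[k] for k in cur.keys() - want.keys())
    return added, removed


# Constructed sample: the admin account's file before the playbook runs,
# holding one key from the playbook and one older key with options.
SAMPLE_CURRENT = """\
# managed by nsxcli
ssh-rsa key1 adminuser1@domain
from="10.0.0.0/8",no-pty ssh-ed25519 keyOld olduser@domain
"""
DESIRED_ADMIN_KEYS = ["ssh-rsa key1 adminuser1@domain",
                      "ssh-rsa key2 adminuser2@domain"]

if __name__ == "__main__":
    added, removed = exclusive_diff(SAMPLE_CURRENT, DESIRED_ADMIN_KEYS)
    print("would add:", added, "would remove:", removed)
```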

Run the Playbook
Before running the playbook for real, run it in check mode (a dry run) to test the connections and see which changes would be made. This command does not change the target systems.

# ansible-playbook nsxt_sshkeys.yml --check

PLAY [nsxt_edges] *****************************************************************

TASK [Deploy SSH public keys for admin] *******************************************
changed: [edge03.virten.lab]
changed: [edge01.virten.lab]
changed: [edge02.virten.lab]
changed: [edge04.virten.lab]

TASK [Deploy SSH public keys for audit] *******************************************
changed: [edge01.virten.lab]
changed: [edge04.virten.lab]
changed: [edge02.virten.lab]
changed: [edge03.virten.lab]

PLAY RECAP ************************************************************************
edge01.virten.lab          : ok=2    changed=2    unreachable=0    failed=0
edge02.virten.lab          : ok=2    changed=2    unreachable=0    failed=0
edge03.virten.lab          : ok=2    changed=2    unreachable=0    failed=0
edge04.virten.lab          : ok=2    changed=2    unreachable=0    failed=0

When everything is successful, deploy the keys:

# ansible-playbook nsxt_sshkeys.yml

PLAY [nsxt_edges] *****************************************************************

TASK [Deploy SSH public keys for admin] *******************************************
changed: [edge01.virten.lab]
changed: [edge04.virten.lab]
changed: [edge03.virten.lab]
changed: [edge02.virten.lab]

TASK [Deploy SSH public keys for audit] *******************************************
changed: [edge02.virten.lab]
changed: [edge01.virten.lab]
changed: [edge04.virten.lab]
changed: [edge03.virten.lab]

PLAY RECAP ************************************************************************
edge01.virten.lab          : ok=2    changed=2    unreachable=0    failed=0
edge02.virten.lab          : ok=2    changed=2    unreachable=0    failed=0
edge03.virten.lab          : ok=2    changed=2    unreachable=0    failed=0
edge04.virten.lab          : ok=2    changed=2    unreachable=0    failed=0

You should now be able to log in as admin with your SSH key. All keys are displayed in nsxcli:

edge01> get user admin ssh-keys
Sun Mar 21 2021 UTC 14:14:07.721
label: adminuser1@domain
type: ssh-rsa
value:
key1

label: adminuser2@domain
type: ssh-rsa
value:
key2
