@ahuemmer
Last active June 27, 2020 14:35
Ansible preparations for WSL

wsl_ansible_preparations.sh

Purpose

I like to use WSL to execute Ansible playbooks on remote hosts. The benefits, IMHO, are that you can develop them on your usual Windows system and there is no need for a special VM, network mount or anything else to be able to run them against a target system. As I'm a lazy person 😉, I don't want to enter my Ansible vault password and my SSH key passphrase every time I execute an Ansible playbook (there's a lot of development and testing going on here). Not only lazy, but also a little paranoid, I still don't want my plain text passwords stored permanently in my file system. Especially regarding SSH keys used with ssh-agent, WSL puts some obstacles in your way that you wouldn't face on a "real" Linux system.

This script therefore serves both my laziness and my paranoia, and also works around the obstacles WSL puts in your way. 😃

Usage

Before the first time

Place the script anywhere you find appropriate. For now, we will assume it is in your home directory and called wsl_ansible_preparations.sh. Don't forget to make it executable using chmod u+x ~/wsl_ansible_preparations.sh.

At the beginning of the script file, five variables are defined. You will probably want to adapt at least the first one. :) (The file contains comments explaining what each variable means.)

Most important now: add an EXIT trap to your .profile so that the script runs when the WSL login shell exits. Example line:

trap "${HOME}/wsl_ansible_preparations.sh" EXIT

This calls the script without parameters, which just deletes the files containing sensitive data (if present). Note that an EXIT trap only fires when the shell itself exits; if the WSL instance is torn down from the Windows side (e.g. wsl --shutdown or a reboot), the vault password file can survive until the next shell is started. So if you're as paranoid as I am, you might also want to call the script in your .bashrc, which cleans up at every shell start. 😉 (Just the "pure" script call in that case, no trap nor EXIT.)

Everyday usage

After these preparations, to enter your passwords, source the script and append the parameter denoted in PARAMETER_FOR_SECRET_INPUT (default: login). It has to be sourced, not executed as a separate process: eval $(ssh-agent -s) exports SSH_AUTH_SOCK and SSH_AGENT_PID only into the process that runs the script, so an executed copy would start an agent that your interactive shell cannot reach.

. ~/wsl_ansible_preparations.sh login

You will then be asked for your Ansible vault password and your SSH key passphrase. The first is saved in the file denoted by ANSIBLE_VAULT_PASSWORD_FILE (default: ~/.ansibleVaultPassword, readable only by you); the latter is used once to unlock the key, which ssh-agent then holds in memory.

Now, when executing an Ansible playbook like this

ansible-playbook myplaybook.yml --vault-password-file ~/.ansibleVaultPassword --private-key ~/.ssh/ansible.private.pem

you won't be asked for a password any more until your WSL session ends, the agent is killed, or the key's lifetime in the agent expires (the script starts ssh-agent without a lifetime; pass -t <seconds> to ssh-agent if you want one). 🎉 If you'd rather not repeat the two options on every call, Ansible also reads them from the environment: export ANSIBLE_VAULT_PASSWORD_FILE=~/.ansibleVaultPassword and export ANSIBLE_PRIVATE_KEY_FILE=~/.ssh/ansible.private.pem in your .bashrc have the same effect.

I've mistyped one of my passwords or the ssh-agent key lifetime has expired

No problem, just source the script again:

. ~/wsl_ansible_preparations.sh login

Disclaimer

I've tried to write the script in a comprehensible, concise and secure way. Nevertheless, I cannot guarantee that the script will work on your system! Furthermore, I cannot even ensure that it isn't harmful to your system or the security of your data! The script is free software. It comes without any warranty, not even for merchantability or fitness for a particular purpose. Modify and/or use it at your own risk.

#!/bin/bash
# Source this file (". ~/wsl_ansible_preparations.sh login") rather than executing it when
# entering passwords: the SSH_AUTH_SOCK and SSH_AGENT_PID variables that ssh-agent prints
# and eval exports below only reach your interactive shell if the script runs inside it.
# -------------- Variables you might want to adapt --------------
# The path to the SSH private key to use
ANSIBLE_USER_PRIVATE_USER_SSH_KEY_FILE=${HOME}/.ssh/ansible.private.pem
# The (temporary) file where your ansible vault password will be stored
ANSIBLE_VAULT_PASSWORD_FILE=${HOME}/.ansibleVaultPassword
# The temporary askpass script used to hand over the SSH key passphrase to ssh-add
TMP_ASKPASS_SCRIPT_FILE=${HOME}/.tmp-askpass.sh
# The parameter you want to call this script with when intending to enter your passwords
PARAMETER_FOR_SECRET_INPUT=login
# Your user name (resp. the owner of the sensitive data)
ME=$(whoami)
# -------------- "Real" script content below: --------------
# In any case: delete the secret files (if present)!
rm -f "${ANSIBLE_VAULT_PASSWORD_FILE}" "${TMP_ASKPASS_SCRIPT_FILE}"
# If you want to enter your password and key:
if [[ "$1" == "${PARAMETER_FOR_SECRET_INPUT}" ]]; then
    # Handle Ansible vault password input:
    # Save password to ${ANSIBLE_VAULT_PASSWORD_FILE} --> can be used with ansible's --vault-password-file parameter later on
    read -rsp "Enter Ansible vault password or just hit return to continue: " ansibleVaultPassword
    echo
    if [[ -n "${ansibleVaultPassword}" ]]; then
        # umask 077 makes the file mode 0600 from the moment it exists (no touch-then-chmod window
        # in which the default umask would leave it world-readable). printf writes the password
        # verbatim even if it starts with "-n" or contains backslashes, which echo may mangle.
        ( umask 077 && printf '%s\n' "${ansibleVaultPassword}" > "${ANSIBLE_VAULT_PASSWORD_FILE}" )
    fi
    ansibleVaultPassword=
    # Handle Ansible user SSH key input
    # The passphrase is NOT saved to a file: the askpass helper reads it from an environment
    # variable, and only the unlocked key is handed over to ssh-agent.
    read -rsp "Enter Ansible SSH private key password: " ansibleKeyPassword
    echo
    if [[ -n "${ansibleKeyPassword}" ]]; then
        # Replace any ssh-agent of ours that is already running (this also kills agents started
        # from other WSL terminals; agents of other users are left alone).
        pkill -u "${ME}" -x ssh-agent
        eval "$(ssh-agent -s)" >/dev/null 2>&1
        # Static askpass helper: ssh-add calls it with the prompt as $1 and reads the passphrase
        # from its stdout. A prompt starting with "Bad" means the previous passphrase was rejected,
        # so the helper fails instead of letting ssh-add retry forever. The quoted heredoc
        # delimiter keeps the passphrase out of the file and avoids any quoting trouble.
        ( umask 077 && cat > "${TMP_ASKPASS_SCRIPT_FILE}" <<'EOF'
#!/bin/bash
[[ $1 =~ ^Bad.+$ ]] && >&2 echo "Bad SSH key passphrase - key not added to SSH agent!" && exit 1
printf '%s\n' "${ANSIBLE_KEY_PASSPHRASE}"
EOF
        )
        chmod 0700 "${TMP_ASKPASS_SCRIPT_FILE}"
        # stdin is the key file (not a terminal) and DISPLAY is set, so ssh-add consults SSH_ASKPASS.
        # The dummy DISPLAY is scoped to this one command; exporting it would leak into your shell.
        DISPLAY=1 SSH_ASKPASS="${TMP_ASKPASS_SCRIPT_FILE}" ANSIBLE_KEY_PASSPHRASE="${ansibleKeyPassword}" \
            ssh-add - < "${ANSIBLE_USER_PRIVATE_USER_SSH_KEY_FILE}" >/dev/null
        rm -f "${TMP_ASKPASS_SCRIPT_FILE}"
    fi
    ansibleKeyPassword=
fi
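The following is an added worked example and not part of the gist. It isolates the two mechanisms the script relies on, creating a secret file that is never world-readable and feeding a passphrase to ssh-add through SSH_ASKPASS without the passphrase itself being written to disk, as functions you can exercise on a throwaway key. It also starts the agent on a fixed socket path, which makes the difference between a sourced and an executed script visible: the eval exports SSH_AUTH_SOCK and SSH_AGENT_PID into whatever shell calls the function, while any other shell can still reach the agent by pointing SSH_AUTH_SOCK at the socket. The function names, the ASKPASS_PASSPHRASE variable name and the paths are assumptions made for this example; the ssh-add and ssh-agent options are standard OpenSSH ones.

```shell
#!/usr/bin/env bash
# Added example (not the gist's own code). Hypothetical names: file_mode, write_secret_file,
# write_askpass_helper, add_key_with_askpass and the ASKPASS_PASSPHRASE environment variable.

# Print a file's permission bits, e.g. "600" (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a secret file that is mode 0600 from the moment it exists: umask 077 in a subshell
# removes the touch-then-chmod window, and printf writes the secret verbatim even when it
# starts with "-n" or contains backslashes (both of which echo may mangle).
write_secret_file() {   # $1 = path, $2 = secret
    local path=$1 secret=$2
    rm -f "${path}" || return 1
    ( umask 077 && printf '%s\n' "${secret}" > "${path}" )
}

# Write a static SSH_ASKPASS helper that never contains the passphrase itself.
# ssh-add invokes it with the prompt text as $1 and expects the passphrase on stdout.
# A prompt beginning with "Bad passphrase" means the previous answer was rejected, so the
# helper exits non-zero; ssh-add then gives up instead of retrying forever.
write_askpass_helper() {   # $1 = path of the helper to create
    local path=$1
    rm -f "${path}" || return 1
    ( umask 077 && cat > "${path}" <<'EOF'
#!/usr/bin/env bash
case "${1:-}" in
    Bad*) echo "Bad SSH key passphrase - key not added to SSH agent!" >&2; exit 1 ;;
esac
printf '%s\n' "${ASKPASS_PASSPHRASE:?passphrase not set}"
EOF
    ) || return 1
    chmod 0700 "${path}"
}

# Start an agent bound to a fixed socket path, unlock one key through the helper and verify
# that the agent holds it. Return codes: 0 key loaded, 1 failure (the agent is stopped again),
# 2 OpenSSH client tools not installed. The eval exports SSH_AUTH_SOCK/SSH_AGENT_PID into the
# calling shell (the reason the gist's script must be sourced); thanks to the fixed socket
# path, any other shell can reach the agent with SSH_AUTH_SOCK=<sock>.
add_key_with_askpass() {   # $1 = private key file, $2 = passphrase, $3 = agent socket path
    local key=$1 pass=$2 sock=$3 helper
    command -v ssh-agent >/dev/null 2>&1 && command -v ssh-add >/dev/null 2>&1 || return 2
    helper=$(mktemp) || return 1
    write_askpass_helper "${helper}" || { rm -f "${helper}"; return 1; }
    rm -f "${sock}"
    eval "$(ssh-agent -a "${sock}" -s)" >/dev/null
    if [ ! -S "${sock}" ]; then rm -f "${helper}"; return 1; fi
    # stdin is the key file (not a terminal) and DISPLAY is set, so ssh-add consults SSH_ASKPASS.
    # The dummy DISPLAY is scoped to this one command; exporting it would leak into the shell.
    if DISPLAY=:0 SSH_ASKPASS="${helper}" ASKPASS_PASSPHRASE="${pass}" \
           ssh-add - < "${key}" >/dev/null 2>&1 && ssh-add -l >/dev/null 2>&1; then
        rm -f "${helper}"
        return 0
    fi
    rm -f "${helper}"
    ssh-agent -k >/dev/null 2>&1   # failed: do not leave an empty agent behind
    return 1
}
```

To try it by hand, generate a throwaway key with ssh-keygen -t ed25519 -N 'correct horse' -f /tmp/k, call add_key_with_askpass /tmp/k 'correct horse' /tmp/agent.sock, and check from a second terminal with SSH_AUTH_SOCK=/tmp/agent.sock ssh-add -l. Calling it with a wrong passphrase returns 1 after a single retry prompt, because the helper refuses any prompt beginning with "Bad"; ssh-agent -k in the calling shell stops the agent again.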