SSH 提示密码过期,如何通过 ansible 批量更新线上服务器密码

起因

线上环境是在内网,登陆线上环境需要使用 VPN + 堡垒机 登陆,但是我日常登陆线上环境都是 VPN + 堡垒机 + Socks5常驻代理,在shell端只需要保存会话,会话使用socks5代理即可无缝ssh到线上服务器。

今天来发现无法登陆服务器,但是ssh *** -f -N ****@**** 建立后台socks的方式并不会把密码过期的问题暴露出来,经过多次尝试,手动登陆服务器才发现用于登陆服务器的密码已过期。

手动更新密码后问题恢复。

解决问题

由于这一批服务器都存在密码过期的问题,所以打算尝试使用 Ansible 来批量登陆服务器更新密码。

https://github.com/ansible/ansible/issues/1619 受到国外大神的解答,尝试进行处理。

使用 Ansible expect 模块来进行处理。

python 需要安装 pexpect 包。
pip install pexpect

正常手动操作的console返回信息如下:

You are required to change your password immediately (password aged)
Last login: Thu Aug 13 11:23:46 2020 from 1*.*.*7
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user sysadmin.
Changing password for sysadmin.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

playbook task 内容:

- name: Set password if expired
  delegate_to: 127.0.0.1
  become: no
  expect:
    command: ssh {{ ansible_ssh_common_args }} {{ ansible_user }}@{{ inventory_hostname }}
    timeout: 10
    responses:
      "password:":
        # we couldn't keep the same old password
        - "{{ ansible_ssh_pass_old }}"
        - "{{ ansible_ssh_pass }}"
        - "{{ ansible_ssh_pass }}"
      # if succesfully login then quit
      "\\~\\]\\$": exit
  register: status
  changed_when: "'authentication tokens updated successfully' in status.stdout"

按照大神的解答,进行尝试过后,发现行不通,提示如下:

You are required to change your password immediately (password aged)
Last login: Thu Aug 13 11:23:46 2020 from 1*.*.*7
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user sysadmin.
Changing password for sysadmin.
(current) UNIX password:
passwd: Authentication token manipulation error

认真理解了一番,发现,reponses里面少了一次键入密码的机会,我的环境是通过密码认证登录的 ,如果是使用秘钥登录,即ansible_ssh_common_args 应配置为秘钥方式,更正后如下:

- name: Set password if expired
  delegate_to: 127.0.0.1
  become: no
  expect:
    command: ssh {{ ansible_ssh_common_args }} {{ ansible_user }}@{{ inventory_hostname }}
    timeout: 10
    responses:
      "(?i)password:":
        # we couldn't keep the same old password
        - "{{ ansible_ssh_pass_old }}"
        - "{{ ansible_ssh_pass_old }}"
        - "{{ ansible_ssh_pass }}"
        - "{{ ansible_ssh_pass }}"
      # if succesfully login then quit
      "\\~\\]\\$": exit
  register: status
  changed_when: "'authentication tokens updated successfully' in status.stdout"

解释:
第一次键入 ansible_ssh_pass_old 为 command ssh 的登录密码。
第二次键入 ansible_ssh_pass_old 为 提示过期输入当前密码。
第三次键入 ansible_ssh_pass 为 新密码。
第四次键入 ansible_ssh_pass 为 确认新密码。

结果测试

ansible-playbook 功能测试结果:

STDOUT:

Warning: Permanently added 'm******o' (ECDSA) to the list of known hosts.
symin@m******o's password:
You are required to change your password immediately (password aged)
Last login: Fri Jul 31 10:46:38 2020 from 1*.*.*.*7
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user sysadmin.
Changing password for sysadmin.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to m*****o closed.

大功告成。

posted @ 2020-08-14 18:19  Professor哥  阅读(1992)  评论(1编辑  收藏  举报