Pushing SSH keys with Ansible
Background
After a bare-metal OS install, manually sending the Ansible control node's SSH key to every other host is never convenient,
so I wanted a simpler way to push the key to the other hosts.
Options:
- expect + shell
- set the password in /etc/ansible/hosts (ansible_ssh_pass), then ansible -m ping
- ansible -m copy ... --ask-pass
- --ask-vault-pass + the authorized_key module to push the public key
Method one: expect + shell
[root@flask-mysql ansible]# cat send_sshkey.sh
#!/usr/bin/expect
# Drives ssh-copy-id non-interactively. The host comes from argv and the password from the
# PASSWORD environment variable, so no secret is hard-coded in the script itself.
set timeout 10
set host [lindex $argv 0]
set password $env(PASSWORD)
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$host
expect {
    # first connection: host key not yet in ~/.ssh/known_hosts
    # match only up to yes/no: newer OpenSSH adds /[fingerprint] to the prompt
    "continue connecting (yes/no" {
        send "yes\r"
        exp_continue
    }
    # host key already known: only the password prompt appears
    -nocase "password:" {
        send "$password\r"
    }
    # key already authorized: ssh-copy-id says so and exits, nothing to do
    "Now try logging into the machine" {}
    timeout {
        puts "timed out waiting for $host"
        exit 1
    }
}
expect eof
[root@flask-mysql ansible]# PASSWORD=123456 expect send_sshkey.sh 10.0.0.7
Method two: ansible_ssh_pass in /etc/ansible/hosts
[root@flask-mysql ansible]# cat /etc/ansible/hosts
10.0.0.7 ansible_ssh_port=22 ansible_ssh_user=root ansible_ssh_pass=000000
[root@flask-mysql ansible]# ansible 10.0.0.7 -m ping
10.0.0.7 | UNREACHABLE! => {
"changed": false,
"msg": "Invalid/incorrect password: Permission denied, please try again.",
"unreachable": true
}
[root@flask-mysql ansible]# vim /etc/ansible/hosts
[root@flask-mysql ansible]# cat /etc/ansible/hosts
10.0.0.7 ansible_ssh_port=22 ansible_ssh_pass=123456 ansible_ssh_user=root
[root@flask-mysql ansible]# ansible 10.0.0.7 -m ping
10.0.0.7 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
# Odd problem: with ansible_ssh_pass set to a password that starts with 0, the ping fails with: Invalid/incorrect password: Permission denied, please try again.
# Cause: on an INI host line every key=value value is passed through Python's ast.literal_eval, and 000000 is a valid integer literal (zero), so the password handed to sshpass is the text "0". 123456 only works because str(123456) gives the original text back. Plain double quotes do not help on a host line, because shlex strips them before the literal is evaluated; nested quotes (ansible_ssh_pass="'000000'"), a quoted value in a [group:vars] section, or a vault-encrypted vars file as in method four keep the string intact. ansible-inventory -i /etc/ansible/hosts --host 10.0.0.7 prints the value as Ansible actually parsed it. Note also that this leaves a plaintext password in /etc/ansible/hosts; ansible_password is the current name of the variable, ansible_ssh_pass the older alias.
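The parsing step behind that odd problem, as an added example that is not code from the page or from Ansible itself: a small Python model of how Ansible's INI inventory plugin turns a host line into host variables (shlex.split for the tokens, ast.literal_eval for each value, and text conversion before the password reaches sshpass), run over the two host lines from the page plus two quoting variants. The function names and the line labels are mine; the inventory lines are constructed sample input.

```python
import ast
import shlex


def parse_value(raw):
    """Model of the INI plugin's value handling: try to read the text as a Python
    literal and keep the raw string when that fails (a bare name like root is no literal)."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return raw


def parse_host_line(line):
    """Model of an INI host line: shlex.split yields the host and the key=value tokens
    (stripping one layer of shell quoting), then each value goes through parse_value."""
    tokens = shlex.split(line, comments=True)
    host, hostvars = tokens[0], {}
    for tok in tokens[1:]:
        key, _, raw = tok.partition("=")
        hostvars[key] = parse_value(raw)
    return host, hostvars


def parse_vars_line(line):
    """Model of a line in a [group:vars] section: no shlex pass, everything right of the
    first = is the value, so shell-style quotes reach literal_eval and yield a string."""
    key, _, raw = line.partition("=")
    return key.strip(), parse_value(raw.strip())


def password_as_sent(hostvars):
    """The connection plugin converts whatever object the parser produced to text before
    handing it to sshpass; this is the string the target actually checks."""
    return str(hostvars["ansible_ssh_pass"])


# Constructed inventory lines: the two from the page plus two quoting variants.
LINES = {
    "zeros": "10.0.0.7 ansible_ssh_port=22 ansible_ssh_user=root ansible_ssh_pass=000000",
    "digits": "10.0.0.7 ansible_ssh_port=22 ansible_ssh_pass=123456 ansible_ssh_user=root",
    "quoted": '10.0.0.7 ansible_ssh_user=root ansible_ssh_pass="000000"',
    "nested_quotes": '10.0.0.7 ansible_ssh_user=root ansible_ssh_pass="\'000000\'"',
}


def effective_passwords():
    """Return {label: password string as sent} for every constructed host line."""
    return {label: password_as_sent(parse_host_line(line)[1]) for label, line in LINES.items()}


if __name__ == "__main__":
    for label, pw in effective_passwords().items():
        print(f"{label:14s} -> sshpass receives {pw!r}")
    print("[group:vars] quoted ->", parse_vars_line('ansible_ssh_pass="000000"'))
```

The zeros line and the double-quoted line both end up sending "0"; only the nested-quote form on the host line, or the quoted value in a vars section, reaches the target as 000000.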
Method three: ansible -m copy ... --ask-pass
1. Copy the Ansible host's id_rsa.pub to authorized_keys (this only provides a source file for the next step; src=/root/.ssh/id_rsa.pub would work just as well)
[root@flask-mysql ~]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
2. Run the copy module, with --ask-pass so the password is typed at a prompt instead of being stored in a file
[root@flask-mysql ~]# ansible -m copy -a 'src=/root/.ssh/authorized_keys dest=/root/.ssh/authorized_keys backup=yes' 10.0.0.7 --ask-pass
Caveat: copy replaces the target's whole authorized_keys, so any key already there (other admins, another control node) is removed; backup=yes leaves a timestamped copy on the target and is the only safety net. The target's /root/.ssh must already exist, and without mode= the file keeps the source's mode (0644 in the log below). The authorized_key module in method four adds one key and leaves the rest untouched.
# Session log
[root@flask-mysql ~]# ansible -m ping 10.0.0.7
10.0.0.7 | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
"unreachable": true
}
[root@flask-mysql ~]# ls /root/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[root@flask-mysql ~]# ansible -m copy -a 'src=/root/.ssh/authorized_keys dest=/root/.ssh/authorized_keys backup=yes' 10.0.0.7 --ask-pass
SSH password:
10.0.0.7 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"checksum": "77b45a518f90cc6480f4eec0fbfaba6344529bfc",
"dest": "/root/.ssh/authorized_keys",
"gid": 0,
"group": "root",
"mode": "0644",
"owner": "root",
"path": "/root/.ssh/authorized_keys",
"size": 398,
"state": "file",
"uid": 0
}
[root@flask-mysql ~]# ansible -m ping 10.0.0.7
10.0.0.7 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Method four: push the public key with the authorized_key module
1. Create the vault-encrypted vars file (ansible-vault opens an editor; the line below is its content). Quote the value: YAML, like the INI inventory, reads an all-digit password such as 000000 as a number.
ansible-vault create vault-foo.yml
ansible_ssh_pass: "123456"
2. Write send_sshkey.yaml
[root@flask-mysql .ssh]# cat send_sshkey.yaml
- hosts: all                 # every inventory host gets the key; narrow this to a group for a first run
  remote_user: root          # user to connect as; its password is the ansible_ssh_pass value from the vault file
  vars_files:
    - vault-foo.yml          # the encrypted file
  tasks:
    - name: Set authorized key taken from file
      authorized_key:        # module that installs a public key
        user: root           # account that receives the key
        state: present       # add the key if missing, leave other keys alone (exclusive: yes would remove them)
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
3. Run it
[root@flask-mysql .ssh]# ansible-playbook send_sshkey.yaml --ask-vault-pass
4. Verify
[root@flask-mysql .ssh]# ansible -m ping 10.0.0.7
10.0.0.7 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
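What state: present in the authorized_key module does on the target, set against what method three's copy does, as an added example that is neither code from the page nor Ansible's own implementation: a Python model of authorized_keys merging that matches on key material (type and blob, not the comment), keeps other admins' lines and their options intact, refuses a key whose base64 blob does not embed the type it claims, and, with exclusive=True, reproduces the copy-style overwrite. The sample keys are constructed placeholders (fixed bytes, not real keys) and the function names are mine.

```python
import base64
import shlex
import struct

# Tokens that can start the key part of an authorized_keys line (after any options).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data):
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(ktype, raw_key, comment):
    """Build a syntactically valid OpenSSH public-key line. Used here only to construct
    sample data; raw_key is a placeholder, not real key material."""
    blob = ssh_string(ktype.encode()) + ssh_string(raw_key)
    return "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)


def validate_pubkey(ktype, b64):
    """Check that the blob is real base64 and that the type embedded in it (its first
    RFC 4251 string) matches the type token. Returns (ktype, b64) or raises ValueError."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64: %s" % exc)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode("ascii", "replace") != ktype:
        raise ValueError("type token %s does not match the blob" % ktype)
    return ktype, b64


def key_material(line):
    """(type, b64) for an authorized_keys line, skipping leading options such as
    from="..." or no-pty; None for blank, comment or unparseable lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    tokens = shlex.split(stripped)
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(KEY_TYPE_PREFIXES):
            try:
                return validate_pubkey(tok, tokens[i + 1])
            except ValueError:
                return None
    return None


def ensure_key(authorized_keys_text, pubkey_line, exclusive=False):
    """Return (new_text, changed).
    exclusive=False models authorized_key state=present: the key is added once, matched on
    its material (a changed comment is still the same key), and every other line survives.
    exclusive=True models the copy-module approach: everything else in the file is dropped."""
    wanted = key_material(pubkey_line)
    if wanted is None:
        raise ValueError("refusing to push an unparseable public key: %r" % pubkey_line)
    lines = authorized_keys_text.splitlines()
    kept = [] if exclusive else lines
    already = any(key_material(existing) == wanted for existing in kept)
    new_lines = kept if already else kept + [pubkey_line.strip()]
    new_text = "".join(entry + "\n" for entry in new_lines)
    return new_text, new_lines != lines


# Constructed sample data: placeholder ed25519 "keys" (32 fixed bytes each), not real keys.
ANSIBLE_KEY = make_pubkey_line("ssh-ed25519", bytes(range(32)), "root@flask-mysql")
ALICE_KEY = make_pubkey_line("ssh-ed25519", bytes(range(32, 64)), "alice@laptop")
EXISTING = "# keys of the on-call admins\n" + 'from="10.0.0.0/24" ' + ALICE_KEY + "\n"

if __name__ == "__main__":
    merged, changed = ensure_key(EXISTING, ANSIBLE_KEY)
    print("authorized_key-style merge, changed=%s:\n%s" % (changed, merged))
    clobbered, _ = ensure_key(EXISTING, ANSIBLE_KEY, exclusive=True)
    print("copy-style overwrite:\n%s" % clobbered)
```

Running the merge twice reports changed only the first time, which is the idempotence the playbook above relies on; the exclusive variant shows why method three's backup=yes matters, since alice's restricted key is gone after it.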
Summary
The four methods really come down to two:
- expect + shell
- password + module
  - /etc/ansible/hosts + ansible_ssh_pass
  - copy + --ask-pass
  - authorized_key + lookup('file') + ansible_ssh_pass from a vault file
Odd problem encountered
In method two (/etc/ansible/hosts + ansible_ssh_pass),
a password that starts with 0 fails with: Invalid/incorrect password: Permission denied, please try again.
Changing it to another password such as 123456 works. The reason is the INI inventory's literal parsing (000000 is read as the integer 0 and sent as "0"), so the proper fix is to make the value a string (nested quotes on the host line, a quoted value in a vars section, or a quoted value in the vault file) rather than to change the password.