ansible 之 authorized_key

authorized_key

用途:添加或删除指定用户的 SSH 认证的 key

官方文档

[root@ansible ~]# ansible-doc  authorized_key
> AUTHORIZED_KEY    (/usr/lib/python2.7/site-packages/ansible-2.8.0.dev0-py2.7.egg/ansible/modules/system/authorized_key.py)

        Adds or removes SSH authorized keys for particular user accounts

  * This module is maintained by The Ansible Core Team
OPTIONS (= is mandatory):

- comment
        Change the comment on the public key. Rewriting the comment is useful in cases such as fetching it from GitHub or GitLab.
        If no comment is specified, the existing comment will be kept.
        [Default: (null)]
        version_added: 2.4

- exclusive
        Whether to remove all other non-specified keys from the authorized_keys file. Multiple keys can be specified in a single `key' string value by separating them by
        newlines.
        This option is not loop aware, so if you use `with_' , it will be exclusive per iteration of the loop, if you want multiple keys in the file you need to pass them
        all to `key' in a single batch as mentioned above.
        [Default: no]
        type: bool
        version_added: 1.9

- follow
        Follow path symlink instead of replacing it
        [Default: no]
        type: bool
        version_added: 2.7

= key
        The SSH public key(s), as a string or (since 1.9) url (https://github.com/username.keys)


- key_options
        A string of ssh key options to be prepended to the key in the authorized_keys file
        [Default: (null)]
        version_added: 1.4

- manage_dir
        Whether this module should manage the directory of the authorized key file.  If set, the module will create the directory, as well as set the owner and permissions
        of an existing directory. Be sure to set `manage_dir=no' if you are using an alternate directory for authorized_keys, as set with `path', since you could lock
        yourself out of SSH access. See the example below.
        [Default: yes]
        type: bool
        version_added: 1.2

- path
        Alternate path to the authorized_keys file
        [Default: (homedir)+/.ssh/authorized_keys]
        version_added: 1.2

- state
        Whether the given key (with the given key_options) should or should not be in the file
        (Choices: present, absent)[Default: present]

= user
        The username on the remote host whose authorized_keys file will be modified


- validate_certs
        This only applies if using a https url as the source of the keys. If set to `no', the SSL certificates will not be validated.
        This should only set to `no' used on personally controlled sites using self-signed certificates as it avoids verifying the source site.
        Prior to 2.1 the code worked as if this was set to `yes'.
        [Default: yes]
        type: bool
        version_added: 2.1


AUTHOR: Ansible Core Team
        METADATA:
          status:
          - preview
          supported_by: core
        

EXAMPLES:
- name: Set authorized key taken from file
  authorized_key:
    user: charlie
    state: present
    key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"

- name: Set authorized keys taken from url
  authorized_key:
    user: charlie
    state: present
    key: https://github.com/charlie.keys

- name: Set authorized key in alternate location
  authorized_key:
    user: charlie
    state: present
    key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"
    path: /etc/ssh/authorized_keys/charlie
    manage_dir: False

- name: Set up multiple authorized keys
  authorized_key:
    user: deploy
    state: present
    key: '{{ item }}'
  with_file:
    - public_keys/doe-jane
    - public_keys/doe-john

- name: Set authorized key defining key options
  authorized_key:
    user: charlie
    state: present
    key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"
    key_options: 'no-port-forwarding,from="10.0.1.1"'

- name: Set authorized key without validating the TLS/SSL certificates
  authorized_key:
    user: charlie
    state: present
    key: https://github.com/user.keys
    validate_certs: False

- name: Set authorized key, removing all the authorized keys already set
  authorized_key:
    user: root
    key: '{{ item }}'
    state: present
    exclusive: True
  with_file:
    - public_keys/doe-jane

- name: Set authorized key for user ubuntu copying it from current user
  authorized_key:
    user: ubuntu
    state: present
    key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"

RETURN VALUES:


exclusive:
  description: If the key has been forced to be exclusive or not.
  returned: success
  type: boolean
  sample: False
key:
  description: The key that the module was running against.
  returned: success
  type: string
  sample: https://github.com/user.keys
key_option:
  description: Key options related to the key.
  returned: success
  type: string
  sample: null
keyfile:
  description: Path for authorized key file.
  returned: success
  type: string
  sample: /home/user/.ssh/authorized_keys
manage_dir:
  description: Whether this module managed the directory of the authorized key file.
  returned: success
  type: boolean
  sample: True
path:
  description: Alternate path to the authorized_keys file
  returned: success
  type: string
  sample: null
state:
  description: Whether the given key (with the given key_options) should or should not be in the file
  returned: success
  type: string
  sample: present
unique:
  description: Whether the key is unique
  returned: success
  type: boolean
  sample: false
user:
  description: The username on the remote host whose authorized_keys file will be modified
  returned: success
  type: string
  sample: user
validate_certs:
  description: This only applies if using a https url as the source of the keys. If set to C(no), the SSL certificates will not be validated.
  returned: success
  type: boolean
  sample: true

参数解释

  • comment
    默认值:null
    更改公钥内容,如果 comment 没有指定,则已存在的内容将会保留

  • exclusive
    默认值:no
    类型:bool
    是否从 authorized_keys 的文件中删除其他没有特殊指定的 keys

  • follow
    默认值:no
    类型:bool

= key
The SSH public key(s) , 可以是字符串或 URL(https://github.com/username.keys)

  • key_options
    默认值:null
    附加到 key 中的字符串

  • manage_dir

  • path
    更改 authorized_keys 文件路径

  • state
    默认值:present
    可供选择的参数:presentabsent
    present 添加指定 key 到 authorized_keys 文件中
    absent 从 authorized_keys 文件中移除指定 key

= user
authorized_keys 文件被修改的远程主机用户名

  • validate_certs
posted @ 2018-12-06 11:50  McSiberiaWolf  阅读(556)  评论(0编辑  收藏  举报