The goal is to push a public key in bulk to any user on remote servers without using the expect program to automate the password login; in other words, the whole job is done with an Ansible module instead of an initialization script.
The general idea is this:
First, create an encrypted file and put the variables and values we need into it (that is, the password of the SSH user we connect to the remote server as). Ansible reads this file later, so our SSH user's password is protected from being leaked.
Then write a playbook that uses this encrypted file together with the authorized_key module to transmit the public key to the specified user on the remote host.
1. Ad-hoc command method
1) First, configure Ansible not to verify the remote host's public key. In ansible.cfg set the following:
[defaults]
host_key_checking = False
Note that this turns off SSH host key verification, so a host impersonating the target would receive the login password; it is a convenience for the first contact, and host key checking should be turned back on once known_hosts is populated.
2) Add the remote host, with its user and password, to the Ansible inventory (the hosts file):
# IP of the remote server, or a hostname of the remote server that this machine can resolve
127.0.0.1 ansible_ssh_user=test ansible_ssh_pass=123
3) Use the authorized_key module to transmit the public key:
ansible 127.0.0.1 -i hosts -m authorized_key -a "user=test state=present key={{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
Module options:
user: the user on the remote server with whom the trust relationship is established.
state: possible values:
- present: add the key
- absent: remove the key
key: the local user's public key; use the file lookup to read it from the public key file.
The output looks like this:
[root@VM-0-11-centos ~]# ansible 127.0.0.1 -i hosts -m authorized_key -a "user=test state=present key={{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
127.0.0.1 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": null,
"exclusive": false,
"follow": false,
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCa91G2W5TcCUl10XAepJo8UNgj08RcyzUh3/FCPP1sM/0ZdZhRwB2wERJ7l9iZgzHEHgMm3VzOsjC+5Fme5Gtnbj187is9fFBKK1yWFUmmsEcfQLAUAdWq4zn2TkcHGnRLbHpDeZ+kNXZVe9UkSPCUTvfeoMo0cxnFdYkcJuKhX82V6YZctm3ltgx9mtLwEkj5mO1KCvtof2cEoDHwoQ+iFH4gNQ0rysGhADgKbGYnCTG64Kmw4yvsmHUOhEixU7B+Ff4lNauUATyR0whh4gXpUYR7VdnbZ3UnfYAd8QKIICrvYLM8EwEBcoZ3erAejq+/l7ckYx9bZrMBJfe+m/9d root@VM-0-11-centos",
"key_options": null,
"keyfile": "/home/test/.ssh/authorized_keys",
"manage_dir": true,
"path": null,
"state": "present",
"user": "test",
"validate_certs": true
}
4) Test
[root@VM-0-11-centos ~]# ansible 127.0.0.1 -i hosts -m ping
127.0.0.1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
2. Playbook method
When pushing the public key with a playbook, you can also keep the remote host's password encrypted.
1) Create an encrypted file
Use the ansible-vault create command to create an encrypted file. You are prompted for the password that will decrypt the file (enter it twice); the default vi editor then opens the file, and you write the variables to be encrypted into it, then save and exit.
Command to create the encrypted file:
[root@qfedu ~]# ansible-vault create vault-foo.yml
New Vault password: # enter the password that decrypts this file
Confirm New Vault password: # confirm the password
Edit content:
ansible_ssh_pass: upsa
Verify that the file is encrypted:
[root@xiuyun ~]# cat vault-foo.yml
$ANSIBLE_VAULT;1.1;AES256
36643038636237353237313537366136633865346165336366346530326633343530306637666262
3839353230363763376438396438393538343065363564370a343163306161643063333239306537
66616562613931396338336437656237366261376235326265383334363462646262303864633864
3962353863656633360a343863613337643239633136663631636462613132613763393638353866
35653661326264656130323165663031653430383934623135633539643661333434
2) Use this encrypted file in the playbook
[root@qfedu ~]# cat send-pubkey.yml
- hosts: all
  remote_user: root # user for connecting to the remote host; its password is the ansible_ssh_pass value set in the encrypted file
  vars_files:
    - vault-foo.yml # the encrypted file created above
  tasks:
    - name: Set authorized key taken from file
      authorized_key: # module that sends the public key
        user: root # send the public key to this user
        state: present
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}" # path of the local user's public key
3) Execute the playbook
You need the --ask-vault-pass parameter so that you can supply the password that decrypts the file:
ansible-playbook -i hosts send-pubkey.yml --limit dbservers --ask-vault-pass
Vault password:
Alternatively, set vault_password_file in ansible.cfg (the DEFAULT_VAULT_PASSWORD_FILE setting) to point to a file that contains the decryption password:
vault_password_file = /path/to/vault_password_file
That file holds the vault password in clear text, so it should be readable by its owner only. With it in place, the playbook can be run without the --ask-vault-pass parameter:
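Two settings in this article deserve a check before each run: the host_key_checking = False line from the ad-hoc section, which should not outlive the first contact, and the vault password file, which unlocks the stored SSH password. The script below is an added example (not part of the original article or of Ansible) that validates the public key about to be pushed, the permissions of the vault password file and the ansible.cfg setting; the function names and the default path ansible.cfg are assumptions of this example.

```shell
#!/usr/bin/env bash
# Pre-flight checks before the authorized_key push. Added example, not from
# the article; function names and the default "ansible.cfg" path are my own.

# check_pubkey FILE
# Succeeds only if FILE holds exactly one public-key line of a known type.
# Catches the slip of pointing lookup('file', ...) at id_rsa instead of
# id_rsa.pub: authorized_key would install whatever text it is given.
check_pubkey() {
    local file="$1" lines keytype
    [ -r "$file" ] || { echo "pubkey: cannot read $file" >&2; return 1; }
    if grep -q 'PRIVATE KEY' "$file"; then
        echo "pubkey: $file contains a private key, refusing" >&2
        return 1
    fi
    lines=$(grep -c . "$file" || true)
    [ "$lines" -eq 1 ] || { echo "pubkey: expected 1 key line in $file, found $lines" >&2; return 1; }
    keytype=$(awk 'NF { print $1; exit }' "$file")
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "pubkey: unrecognised key type '$keytype' in $file" >&2; return 1 ;;
    esac
}

# check_vault_pass_file FILE
# The file named by vault_password_file decrypts the stored ssh password,
# so it must be a regular file readable by its owner only (0600 or 0400).
check_vault_pass_file() {
    local file="$1" mode
    [ -f "$file" ] || { echo "vault: $file is not a regular file" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "vault: $file has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# check_host_key_checking CFG
# Fails when CFG disables host key verification, so the first-contact
# setting from the ad-hoc section does not silently stay in place.
check_host_key_checking() {
    local cfg="$1"
    [ -r "$cfg" ] || return 0   # no cfg file: Ansible's default is to verify host keys
    if grep -Eiq '^[[:space:]]*host_key_checking[[:space:]]*=[[:space:]]*(false|no|0)[[:space:]]*$' "$cfg"; then
        echo "cfg: host_key_checking is disabled in $cfg; re-enable it once known_hosts is populated" >&2
        return 1
    fi
}

# Invocation: preflight.sh PUBKEY VAULT_PASS_FILE [ANSIBLE_CFG]
# Run it right before ansible-playbook; any failing check stops the push.
if [ $# -ge 2 ]; then
    check_pubkey "$1" && check_vault_pass_file "$2" \
        && check_host_key_checking "${3:-ansible.cfg}" \
        && echo "preflight ok" || exit 1
fi
```

Each check prints its reason on stderr and returns non-zero, so the script can be chained in front of ansible-playbook with && in the same shell line.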
[root@xiuyun ~]# ansible-playbook -i hosts send-pubkey.yml --limit dbservers
PLAY [all] *********************************************************************
TASK [Gathering Facts] *********************************************************
ok: [172.18.0.3]
TASK [Set authorized key taken from file] **************************************
changed: [172.18.0.3]
PLAY RECAP *********************************************************************
172.18.0.3 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
4) Verification
[root@xiuyun ~]# ssh root@172.18.0.3 "hostname -i;ls ~/.ssh"
172.18.0.3
authorized_keys
5) Modify the content of the encrypted file
You can edit the encrypted file again with ansible-vault edit. You must provide the password that decrypts it, which is the password you entered when creating the file:
[root@qfedu ~]# ansible-vault edit vault-foo.yml
Vault password:
You can then continue editing this file: