This is the right way to push public keys in batches: one command. Scripting it over ssh is outdated. Ansible is king.

The goal is to push a public key in batches to any user on the remote servers, without an expect script or any other initialization script to get password-less login set up: the Ansible module does it for you.

The general idea:

First, create an encrypted file holding the variable we need, namely the password of the SSH user that Ansible uses to connect to the remote hosts. Ansible reads it at run time, so the password is never stored in cleartext.
Then run a playbook that loads this encrypted file and calls the authorized_key module to install the public key for the specified user on the remote hosts.

1. Ad-hoc command method

1 First, disable host key checking

In ansible.cfg add the following:

[defaults]
host_key_checking = False

Caveat: with this off, the control node accepts whatever host key a remote presents, including an attacker's, on the same connection that sends the password from the inventory. Prefer keeping the default (host key checking on) and adding each host's key to ~/.ssh/known_hosts on the control node first, after checking its fingerprint out of band; the setting above is only a convenience for lab hosts.

2 Add the remote host's user and password to the Ansible inventory

# IP of the remote server, or a hostname the control node can resolve
127.0.0.1  ansible_ssh_user=test ansible_ssh_pass=123

ansible_ssh_user and ansible_ssh_pass are the older spellings; ansible_user and ansible_password are the current names and both still work. Either way the password sits in cleartext in the inventory file, which is why the playbook method below moves it into an encrypted file.

3 Use the authorized_key module to push the public key

ansible 127.0.0.1 -i hosts -m authorized_key -a "user=test state=present key={{ lookup('file', '/root/.ssh/id_rsa.pub') }}"

Module options:

  • user: the user on the remote server to establish the trust relationship with; the key is written to that user's ~/.ssh/authorized_keys
  • state: possible values:
    - present: add the key
    - absent: remove the key
  • key: the local user's public key; use the file lookup to read it from the .pub file rather than pasting it into the command

The output is as follows:

[root@VM-0-11-centos ~]# ansible 127.0.0.1 -i hosts -m authorized_key -a "user=test state=present key={{ lookup('file', '/root/.ssh/id_rsa.pub') }}"
127.0.0.1 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": true,
    "comment": null,
    "exclusive": false,
    "follow": false,
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCa91G2W5TcCUl10XAepJo8UNgj08RcyzUh3/FCPP1sM/0ZdZhRwB2wERJ7l9iZgzHEHgMm3VzOsjC+5Fme5Gtnbj187is9fFBKK1yWFUmmsEcfQLAUAdWq4zn2TkcHGnRLbHpDeZ+kNXZVe9UkSPCUTvfeoMo0cxnFdYkcJuKhX82V6YZctm3ltgx9mtLwEkj5mO1KCvtof2cEoDHwoQ+iFH4gNQ0rysGhADgKbGYnCTG64Kmw4yvsmHUOhEixU7B+Ff4lNauUATyR0whh4gXpUYR7VdnbZ3UnfYAd8QKIICrvYLM8EwEBcoZ3erAejq+/l7ckYx9bZrMBJfe+m/9d root@VM-0-11-centos",
    "key_options": null,
    "keyfile": "/home/test/.ssh/authorized_keys",
    "manage_dir": true,
    "path": null,
    "state": "present",
    "user": "test",
    "validate_certs": true
}

4 Test

Now that the key is installed, the same inventory entry connects without the password being needed:

[root@VM-0-11-centos ~]# ansible 127.0.0.1 -i hosts -m ping
127.0.0.1 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}

2. Playbook method

When the public key is pushed with a playbook, the remote host's password can also be kept encrypted instead of sitting in the inventory.

1 Create an encrypted file

Use the ansible-vault create command to create an encrypted file.
You are prompted for the password that will decrypt this file (entered twice); ansible-vault then opens the default editor (vi) so you can write the variables to be encrypted into the file. Save and exit when finished.

Command to create encrypted file:

[root@qfedu ~]# ansible-vault create vault-foo.yml
New Vault password:                         # enter the password that decrypts this file
Confirm New Vault password:            # confirm the password

Edit content:

ansible_ssh_pass: upsa

Verify encryption:

[root@xiuyun ~]# cat vault-foo.yml
$ANSIBLE_VAULT;1.1;AES256
36643038636237353237313537366136633865346165336366346530326633343530306637666262
3839353230363763376438396438393538343065363564370a343163306161643063333239306537
66616562613931396338336437656237366261376235326265383334363462646262303864633864
3962353863656633360a343863613337643239633136663631636462613132613763393638353866
35653661326264656130323165663031653430383934623135633539643661333434

2 Use this encrypted file in the playbook

playbook

[root@qfedu ~]# cat send-pubkey.yml
- hosts: all
  remote_user: root   # user used to connect to the remote hosts; its password is the ansible_ssh_pass value set in the encrypted file
  vars_files:
    - vault-foo.yml    # the encrypted file created above
  tasks:
  - name: Set authorized key taken from file
    authorized_key:    # the module that pushes the public key
      user: root            # the user that receives the public key
      state: present
      key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"    # path of the local user's public key
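A hardened version of send-pubkey.yml, added here as an example; it is not code from the original post. It goes beyond the minimal playbook above: it reads the vault-encrypted ansible_ssh_pass from the same vault-foo.yml, installs the key with restrictive options so it is only usable from the control node and cannot forward ports or agents, proves from the control node that key-based login works, and only then turns off password authentication in sshd (validating the config before it is written). Assumed and not in the original: the control node address 10.0.0.5, an ed25519 key pair at /root/.ssh/id_ed25519, and the ansible.posix collection (shipped with the ansible package) providing authorized_key.

```yaml
# Added example, not from the original post: a hardened variant of send-pubkey.yml.
# Assumptions not in the original: the control node is 10.0.0.5, the key pair is
# /root/.ssh/id_ed25519(.pub), and the ansible.posix collection is installed.
# vault-foo.yml is the vault file created above; its ansible_ssh_pass is used only
# until key-based login has been confirmed.
- hosts: all
  remote_user: root
  vars_files:
    - vault-foo.yml
  vars:
    control_node_ip: 10.0.0.5
    pubkey_path: /root/.ssh/id_ed25519.pub
    privkey_path: /root/.ssh/id_ed25519
  tasks:
    - name: Read the local public key once (the play fails here if the file is missing)
      ansible.builtin.set_fact:
        pushed_key: "{{ lookup('file', pubkey_path) }}"

    - name: Install the key with restrictive options
      ansible.posix.authorized_key:
        user: root
        state: present
        key: "{{ pushed_key }}"
        # Only accept this key from the control node, and deny all forwarding.
        key_options: 'from="{{ control_node_ip }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
        # exclusive: true would delete every other key in authorized_keys; keep it false.
        exclusive: false
        manage_dir: true

    - name: Prove key-based login works from the control node before changing sshd
      ansible.builtin.command: >
        ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10
        -i {{ privkey_path }}
        root@{{ hostvars[inventory_hostname].ansible_host | default(inventory_hostname) }} true
      delegate_to: localhost
      changed_when: false

    - name: Disable password authentication now that the key works
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s'
        line: PasswordAuthentication no
        # sshd -t rejects a broken config before it replaces the real file.
        validate: /usr/sbin/sshd -t -f %s
      notify: restart sshd

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it exactly like the original (ansible-playbook -i hosts send-pubkey.yml --ask-vault-pass). The from= address must be the address the targets actually see the control node connecting from (it will not match when the target is 127.0.0.1 as in the ad-hoc example). If the login check task fails, nothing has been changed in sshd yet and the password still works, so the play can be fixed and rerun; once password authentication is off, remove ansible_ssh_pass from the vault file so the cleartext password is not kept around.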

3 Execute the playbook

Use the --ask-vault-pass parameter so that ansible-playbook prompts for the password that decrypts the vault file:

ansible-playbook -i hosts send-pubkey.yml --limit dbservers --ask-vault-pass
Vault password:

Alternatively, set vault_password_file in ansible.cfg (the DEFAULT_VAULT_PASSWORD_FILE setting) to point at a file that contains the vault password. That file is as sensitive as the password itself, so keep it readable only by the user running Ansible (mode 0600) and out of version control.

vault_password_file = /path/to/vault_password_file

With that in place, the playbook runs without the --ask-vault-pass parameter:

[root@xiuyun ~]# ansible-playbook -i hosts send-pubkey.yml --limit dbservers

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
ok: [172.18.0.3]

TASK [Set authorized key taken from file] **************************************
changed: [172.18.0.3]

PLAY RECAP *********************************************************************
172.18.0.3                 : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

4 Verification

[root@xiuyun ~]# ssh root@172.18.0.3 "hostname -i;ls ~/.ssh"
172.18.0.3
authorized_keys

5 Modify the content of the encrypted file

You can edit the encrypted file again with ansible-vault edit.

You need to provide the password that decrypts the file, i.e. the one you entered when creating it:

[root@qfedu ~]# ansible-vault edit vault-foo.yml
Vault password:    

You can continue to edit this file:



Origin blog.csdn.net/qq_22648091/article/details/108697801