Bulk distribution of ssh public keys on remote hosts using ansible

Use Ansible to distribute, modify or delete ssh public keys on remote hosts in batches

Ansible has a built-in authorized_key module. It is very useful: with it we can add, delete or modify the ssh public keys
on remote hosts in batches. The official documentation is at:
http://docs.ansible.com/ansible/latest/modules/authorized_key_module.html#id1

As the official documentation shows, this module is used in the form of a playbook.
Its parameters are listed there in alphabetical order; for a clearer understanding,
we reorder them here into the order we want, as follows:

comment: a comment on the entire file
exclusive: Whether to remove all other ssh public keys from the remote host's authorized_keys file that are not specified
                  in the task. The default is no: we generally do not delete the other public keys on the remote host, but this
                  option can be used to clear the remote host's other ssh public keys.
key_options: A string prepended to the public key entry (the options field written in front of the key). There is no default, so we can leave it blank.
validate_certs: Whether to verify the TLS/SSL certificate; the default is yes. This parameter only takes effect when the key parameter
                  is given as a network location, for example when we host the public key on GitHub; it can be left at the default or
                  turned off.
manage_dir: Whether the module is allowed to manage the directory that contains the authorized_keys file. The default is yes, which means
                  that the first time a public key is distributed, the module automatically creates the directory and file for us and sets their permissions.
                  If we want to store the ssh public key in a different directory, this value should be set to yes and the directory of the
                  key file specified in path below.
state: Add the ssh public key to the remote host or delete the corresponding public key from the remote host: present adds, absent deletes.
key: The local public key to distribute (read from the file where it is stored)
user: Username on the remote host
path: This parameter can be left blank. By default it refers to the authorized_keys file under .ssh in the user's home directory on the remote host,
                  i.e. (homedir)/.ssh/authorized_keys

Generally we only use the last five of these parameters, and manage_dir and path are both left at their default values.
         
         
First we need to modify Ansible's inventory file, /etc/ansible/hosts.
Before we push the key, the host group should look like this:
[unknown]
ansible001  ansible_ssh_user=root ansible_ssh_host=123.56.221.190 ansible_ssh_pass="密码"
From left to right these are:
the hostname, the username to control on the remote host, the IP address, and that user's password.

After we push the key, the host group should look like this:
[unknown]
ansible001  ansible_ssh_host=123.56.221.190 

That is to say, the password is only required the first time the key is transmitted, and is never needed again.
Before pushing the key, we can check whether the remote host already has an authorized_keys file:
ansible unknown -a "ls /root/.ssh/"
Because the users and passwords for the unknown host group are already configured, this command can be executed.

An example from an official website:
- name: Set authorized key took from file
  authorized_key:
    user: charlie
    state: present
    key: "{{ lookup('file', '/home/charlie/.ssh/id_rsa.pub') }}"

Here we write a general public key distribution yaml file:
vim copy_ssh_public_keys.yaml

- hosts: unknown
  tasks:
    - name: Set authorized key took from file
      authorized_key:
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"  # Local public key file
        user: root        # Username on the remote host being controlled
        state: present    # present means add the public key

Send ssh public key:
ansible-playbook /etc/ansible/copy_ssh_public_keys.yaml -f 10

After uploading, check again whether the remote host has the authorized_keys file:
ansible unknown -a "ls /root/.ssh/"
At this point you should see that the remote host now has the authorized_keys file.

At this point, our ssh public key has been distributed.
Here we write a few other examples:

1. Distribute the current ssh public key and clear all previous public keys:
- hosts: unknown
  tasks:
    - name: Set authorized key took from file
      authorized_key:
        exclusive: True   # Remove all other public keys already on the remote host
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"  # Local public key file
        user: root        # Username on the remote host being controlled
        state: present    # present means add the public key

2. Delete the specified ssh public key from the remote host:
- hosts: unknown
  tasks:
    - name: Set authorized key took from file
      authorized_key:
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"  # Local public key file
        user: root        # Username on the remote host being controlled
        state: absent     # absent deletes this public key from the remote host
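The exclusive parameter explained above removes every entry in the remote authorized_keys file that the task does not specify, and key_options prepends an ssh options field to an entry. Before running a task with exclusive: True it is worth knowing exactly which entries it will strip. The following script is an added example (it is not code from the original post or from the Ansible project): it parses the contents of an authorized_keys file, including entries that carry an options field such as from="..." or command="...", and reports which entries are not on an allow-list of key blobs. The sample file contents and the key blobs in it are constructed placeholders.

```python
"""Audit the contents of an authorized_keys file: list every key entry (with
its ssh options field) and report which entries are not on an allow-list,
i.e. the entries that a task with exclusive: True for the allowed keys would
remove. Added example; the sample file below is constructed and its key
blobs are placeholders, not real keys."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key types the parser recognises (the common OpenSSH ones).
KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)

# Constructed sample of a remote /root/.ssh/authorized_keys (placeholder blobs).
SAMPLE_AUTHORIZED_KEYS = """\
# keys managed by ansible
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder1 root@ansible-control

from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup, --verbose" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder2 backup@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder3 someone@laptop
"""


@dataclass
class Entry:
    keytype: str
    blob: str
    comment: str
    options: List[str]


def _first_unquoted_space(text: str) -> int:
    """Index of the first whitespace character outside double quotes (-1 if none)."""
    in_quote = False
    for i, ch in enumerate(text):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return i
    return -1


def _split_unquoted(text: str, sep: str) -> List[str]:
    """Split on sep, ignoring sep characters inside double quotes
    (needed for options such as command="prog, arg")."""
    parts, buf, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == sep and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p for p in parts if p]


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one authorized_keys line; returns None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: List[str] = []
    if line.split(maxsplit=1)[0] not in KEY_TYPES:
        # The line starts with an options field, which ends at the first
        # whitespace that is not inside a quoted option value.
        idx = _first_unquoted_space(line)
        if idx < 0:
            raise ValueError(f"malformed entry: {line!r}")
        options = _split_unquoted(line[:idx], ",")
        line = line[idx:].strip()
    fields = line.split(maxsplit=2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised key type in entry: {line!r}")
    comment = fields[2].strip() if len(fields) == 3 else ""
    return Entry(fields[0], fields[1], comment, options)


def parse_authorized_keys(content: str) -> List[Entry]:
    return [e for e in (parse_entry(raw) for raw in content.splitlines()) if e]


def audit(content: str, allowed_blobs) -> Tuple[List[Entry], List[Entry]]:
    """Split the entries into (allowed, unexpected) by comparing each key blob
    against the allow-list. The unexpected list is what exclusive: True for
    the allowed keys would delete, so review it before such a run."""
    allowed, unexpected = [], []
    for entry in parse_authorized_keys(content):
        (allowed if entry.blob in allowed_blobs else unexpected).append(entry)
    return allowed, unexpected


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_AUTHORIZED_KEYS,
                    {"AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholder1",
                     "AAAAC3NzaC1lZDI1NTE5AAAAIplaceholder2"})
    for e in ok:
        print("allowed   ", e.keytype, e.comment, e.options)
    for e in bad:
        print("UNEXPECTED", e.keytype, e.comment, e.options)
```

To audit a real host, fetch the file first (for example with ansible unknown -a "cat /root/.ssh/authorized_keys") and pass its text to audit together with the blobs of the keys your playbook distributes; anything in the unexpected list is what exclusive: True would remove.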

 
