Ansible 1.3: Setting up ssh_key-based Ansible connections

1.3: Setting up ssh_key-based Ansible connections

The Ansible control node operates on the managed hosts over SSH. So that no password has to be typed for each connection, the control node's public key is pushed to every managed host, and SSH then authenticates with the key instead of a password.

1.3.1: Generate a key pair on the Ansible control node (ssh-keygen)

The key pair is generated with the ssh-keygen command, an authentication key generation, management and conversion tool.

Commonly used ssh-keygen options:

  • -f filename
    Specifies the filename of the key file.
    Path of the key file (a file name, not a directory name).
    If omitted, the key is saved under the .ssh directory of the current user's home; the public key (.pub) is written next to the private key in the same directory.
  • -t dsa | ecdsa | ed25519 | rsa
    Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ed25519”, or “rsa”.
    Key type. Older OpenSSH releases (including the one in the run below) default to rsa; since OpenSSH 9.5 the default is ed25519. dsa is obsolete and has been removed from recent OpenSSH releases, so choose ed25519 for new keys.
  • -C comment
    Provides a new comment.
    Comment attached to the key. It is stored in the .pub file to identify the key (for example user@host) and plays no part in authentication.

Here the key pair is created by running ssh-keygen directly:

No options are given; accept the defaults by pressing Enter at each prompt. Note what the defaults give you: a 2048-bit RSA key with an empty passphrase. That is convenient in a lab, but on a control node that can reach real hosts, anyone who reads /root/.ssh/id_rsa can log in everywhere the key is pushed. For such a node, set a passphrase and load the key into ssh-agent, and prefer -t ed25519.

[root@ansible ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
84:8d:09:92:7a:c6:01:fa:e9:25:04:c9:1b:e7:47:08 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|+Eo.o            |
|o+o+ o =         |
|.o*.. + o        |
|.++o . .         |
| o+ o   S        |
| . o             |
|  .              |
|                 |
|                 |
+-----------------+
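As an added example (not part of the original article), the script below generates the control-node key the way a practitioner would choose today and checks the result before it goes anywhere: ed25519 instead of the RSA default seen in the run above, a passphrase with a higher KDF round count, and a check that the .pub file really belongs to the private key. The key path, the comment, and the SSH_KEY_PASSPHRASE variable are this example's own assumptions; every command is a standard OpenSSH ssh-keygen option.

```shell
#!/bin/sh
# Added example: generate and verify an Ansible control-node key pair with ssh-keygen.
# Assumptions (not from the original article): the key path, the comment, and the
# SSH_KEY_PASSPHRASE environment variable used to hand over the passphrase.
set -u

# gen_key PATH COMMENT PASSPHRASE
#   -t ed25519: current key type (the article's run used the older rsa default)
#   -a 64:      KDF rounds protecting the private-key file when a passphrase is set
#   -N:         passphrase ("" = none; acceptable only for throwaway lab keys)
#   -q:         no banner or randomart output
gen_key() {
    ssh-keygen -q -t ed25519 -a 64 -f "$1" -C "$2" -N "$3"
}

# verify_keypair PATH PASSPHRASE
#   Re-derives the public key from the private key (-y) and compares key type and
#   key blob with what is stored in PATH.pub. Catches a .pub that was edited, copied
#   from another machine, or belongs to a different private key.
verify_keypair() {
    derived=$(ssh-keygen -y -P "$2" -f "$1" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# key_fingerprint PATH -> SHA256 fingerprint of PATH.pub, e.g. SHA256:Abc...
#   Record it on the control node: it is what you compare against authorized_keys
#   entries on a managed host when auditing which keys may log in.
key_fingerprint() {
    ssh-keygen -lf "$1.pub" -E sha256 | awk '{print $2}'
}

main() {
    key=${1:-$HOME/.ssh/id_ed25519_ansible}
    pass=${SSH_KEY_PASSPHRASE:-}   # assumption: passphrase supplied via the environment
    [ -z "$pass" ] && echo "warning: generating a key without a passphrase" >&2
    if [ -e "$key" ]; then
        echo "$key already exists; verifying instead of overwriting" >&2
    else
        mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
        gen_key "$key" "ansible@$(hostname)" "$pass" || return 1
    fi
    verify_keypair "$key" "$pass" || { echo "public key does not match private key" >&2; return 1; }
    echo "key:         $key"
    echo "fingerprint: $(key_fingerprint "$key")"
}

# Usage: sh gen_ansible_key.sh [key_path]   (main runs only when a path is given)
[ $# -eq 1 ] && main "$1"
```

The verification step is cheap insurance: ssh-copy-id installs whatever is in the .pub file, and a stale or foreign .pub means either the push silently grants access to some other key, or the later key-based login fails and the troubleshooting starts on the wrong host.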

1.3.2: Push the public key to the managed hosts (ssh-copy-id, sshpass)

Pushing your own public key to a remote host uses the following commands:

  1. ssh-copy-id (use locally available keys to authorise logins on a remote machine).

  2. sshpass, which supplies the SSH login password non-interactively to the command that follows it (noninteractive ssh password provider):

    sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments
    
    

Commonly used ssh-copy-id options:

  • -i identity_file
    Public key file to install (normally ends in .pub; if it does not, .pub is appended to the file name automatically).
    If omitted, ssh-copy-id uses the keys currently loaded in ssh-agent (ssh-add -L); if the agent has none, it falls back to the default public key files ~/.ssh/id*.pub, where * depends on the key type (rsa, ed25519, ...).

  • -n
    do a dry-run. Instead of installing keys on the remote system simply prints the key(s) that would have been installed.
    Does not actually push anything to the remote host; it only works out which keys would be installed and prints them.

  • -o ssh_option

    Passes the given ssh configuration option to the ssh invocations that ssh-copy-id makes.
    The usual one is -o StrictHostKeyChecking=no, so that on first contact you are not prompted to type "yes" and the remote host key is accepted automatically. Understand what that trades away: with host-key checking disabled, ssh cannot tell the real managed host from a machine on the path impersonating it, and both the password handed to sshpass and the public key would go to the impersonator. On OpenSSH 7.6 or later, -o StrictHostKeyChecking=accept-new still accepts unknown hosts on first contact but refuses to connect when a known host's key changes; better still, collect the host keys with ssh-keyscan, compare their fingerprints with what the host's console or provisioning system reports, and write them to known_hosts before pushing anything.

The job of sshpass here is to supply the remote host's SSH password non-interactively during this first, password-based login. The option used for that is:

  • -e
    The password is taken from the environment variable “SSHPASS”.
    Store the remote SSH login password in the SSHPASS variable beforehand, and no password prompt has to be answered on the first login. Prefer -e (or -f with a mode-600 file) over -p: a password given with -p sits on the command line, where shell history and the process list can capture it. Note that `export SSHPASS=...` typed at an interactive shell also ends up in the shell history; in scripts, read it with a silent prompt or from a protected file instead.

expect can also be used to automate typing "yes" and the ssh password.

Here the SSHPASS variable is set in advance, sshpass -e passes the password, and ssh-copy-id pushes the Ansible control node's public key to host 192.168.1.105, with no interactive input at any point:

[root@ansible ~]# export SSHPASS=123456
[root@ansible ~]# sshpass -e ssh-copy-id  -o StrictHostKeyChecking=no 192.168.1.105    
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '192.168.1.105'"
and check to make sure that only the key(s) you wanted were added.

Verify passwordless ssh login:

[root@ansible ~]# ssh 192.168.1.105
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
Last login: Sat Apr 24 16:17:55 2021 from 192.168.1.210
root@node105:~# hostname -I
192.168.1.105 

1.3.3: Write a script to push the public key in bulk

A for loop iterates over the IPs of the managed hosts and pushes the public key to each of them (this assumes the SSH login password is the same on all hosts; if it differs, run the script once per group of hosts sharing a password).

#!/bin/bash
# Description: push the control node's ssh public key to the managed hosts in bulk
# Variables
# Lab only: the shared password is hard-coded here. In real use read it with
# `read -rs` or from a mode-600 file (sshpass -f) so it is not stored in the script.
export SSHPASS=123456
Hosts="
192.168.1.111
192.168.1.112"

for i in ${Hosts}; do
        # -e: password from $SSHPASS; StrictHostKeyChecking=no skips the host-key
        # prompt (see the note on that option in 1.3.2 before using it outside a lab)
        sshpass -e ssh-copy-id  -o StrictHostKeyChecking=no "${i}"
done

Test the script:

[root@ansible ~]# bash key_push.sh 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '192.168.1.111'"
and check to make sure that only the key(s) you wanted were added.

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '192.168.1.112'"
and check to make sure that only the key(s) you wanted were added.

Verify ssh login:

[root@ansible ~]# ssh 192.168.1.111
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
Last login: Fri Apr 23 13:45:30 2021 from 192.168.1.2

root@node111:~# exit
logout
Connection to 192.168.1.111 closed.

[root@ansible ~]# ssh 192.168.1.112
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
Last login: Wed Apr 14 08:31:38 2021 from 192.168.1.2
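The script in 1.3.3 works, but it carries the two weaknesses noted in 1.3.2: the shared password is hard-coded, and StrictHostKeyChecking=no hands that password and the public key to whichever machine answers at each IP. The following is an added example, not the article's script, of a bulk push that pins host keys first: each managed host is listed with the expected SHA256 fingerprint of its host key (obtained out-of-band, for example from the VM console or the provisioning system), the key the host actually serves is fetched with ssh-keyscan and compared with that pin, and only on a match is it written to known_hosts and ssh-copy-id run with host-key checking left on. The pin-file name and format, the REMOTE_USER/PUBKEY/KNOWN_HOSTS defaults, and the sample fingerprints are assumptions of this example; the sample pins are constructed placeholders and will not match any real host.

```shell
#!/bin/sh
# Added example: bulk public-key push with pinned host keys and no hard-coded password.
# Assumptions (not from the original article): a pin file of "host fingerprint" lines,
# the REMOTE_USER/PUBKEY/KNOWN_HOSTS defaults below, and ed25519 host keys on the targets.
set -u

REMOTE_USER=${REMOTE_USER:-root}
PUBKEY=${PUBKEY:-$HOME/.ssh/id_ed25519.pub}
KNOWN_HOSTS=${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}

# sample_pins FILE: writes a constructed sample pin file (placeholder fingerprints,
# not real hosts) so the parsing logic can be exercised offline.
sample_pins() {
    cat > "$1" <<'EOF'
# host            expected SHA256 fingerprint of the host's ed25519 key
192.168.1.111     SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
192.168.1.112     SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb   # trailing comments are allowed

EOF
}

# parse_pins FILE -> one "host fingerprint" pair per line; comments and blanks dropped
parse_pins() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { print $1, $2 }'
}

# pin_matches EXPECTED ACTUAL -> 0 only if both are non-empty and identical
pin_matches() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# pin_host HOST EXPECTED: fetch the host's ed25519 key, compare its fingerprint with
# EXPECTED, and append the key to known_hosts only when they match.
pin_host() {
    scan=$(mktemp)
    if ! ssh-keyscan -t ed25519 -T 5 "$1" >"$scan" 2>/dev/null || [ ! -s "$scan" ]; then
        echo "ERROR: $1: no ed25519 host key received" >&2; rm -f "$scan"; return 1
    fi
    actual=$(ssh-keygen -lf "$scan" -E sha256 | awk '{print $2}')
    if pin_matches "$2" "$actual"; then
        cat "$scan" >>"$KNOWN_HOSTS"; rm -f "$scan"; return 0
    fi
    echo "ERROR: $1: host key mismatch (expected $2, got $actual); not pushing" >&2
    rm -f "$scan"; return 1
}

# push_key HOST: the one password-based login, with host-key checking left ON
push_key() {
    sshpass -e ssh-copy-id -i "$PUBKEY" \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$REMOTE_USER@$1"
}

main() {
    pins=${1:-hosts.pins}
    # Read the shared password once with echo off: nothing lands in history or argv.
    printf 'Password for %s on the managed hosts: ' "$REMOTE_USER"
    stty -echo; read -r SSHPASS; stty echo; printf '\n'
    export SSHPASS
    # stdin of the ssh tools is /dev/null so they cannot consume the rest of the pin list
    parse_pins "$pins" | while read -r host fp; do
        if pin_host "$host" "$fp" </dev/null && push_key "$host" </dev/null; then
            echo "OK: $host"
        else
            echo "FAILED: $host" >&2
        fi
    done
    unset SSHPASS
}

# Usage: sh push_keys_pinned.sh hosts.pins   (main runs only when a pin file is given)
[ $# -eq 1 ] && main "$1"
```

A mismatch is reported and the host is skipped rather than accepted, which is the point: a changed host key after a rebuild is resolved by updating the pin from a trusted source, not by telling ssh to stop checking.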
