背景

裸机安装完系统后使用手动方式发送ansible机器的ssh-key到其他主机总是不够方便
想要找到一种更为简便的方式将key推送到其他主机
方案:

  • expect + shell
  • /etc/ansible/hosts文件中设置密码
  • ansible -m ping client
  • –ask-pass authorized_key 模块推送公钥

方式一:expect+shell

[root@flask-mysql ansible]# cat send_sshkey.sh
#!/usr/bin/expect  

set timeout 10  
spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@10.0.0.7
expect {
            #first connect, no public key in ~/.ssh/known_hosts
            "Are you sure you want to continue connecting (yes/no)?" {
            send "yes\r"
            expect "password:"
                send "123456\r"
            }
            #already has public key in ~/.ssh/known_hosts
            "password:" {
                send "123456\r"
            }
            "Now try logging into the machine" {
                #it has authorized, do nothing!
            }
        }
expect eof

# expect send_sshkey.sh

方式二:/etc/ansible/hosts ansible_ssh_pass

[root@flask-mysql ansible]# cat /etc/ansible/hosts 
10.0.0.7 ansible_ssh_port=22  ansible_ssh_user=root ansible_ssh_pass=000000

[root@flask-mysql ansible]# ansible 10.0.0.7 -m ping
10.0.0.7 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Invalid/incorrect password: Permission denied, please try again.", 
    "unreachable": true
}
[root@flask-mysql ansible]# vim /etc/ansible/hosts
[root@flask-mysql ansible]# cat /etc/ansible/hosts
10.0.0.7 ansible_ssh_port=22 ansible_ssh_pass=123456 ansible_ssh_user=root
[root@flask-mysql ansible]# ansible 10.0.0.7 -m ping
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}

# 奇葩问题:ansible_ssh_pass 设置是为0开头的密码 就会报错:Invalid/incorrect password: Permission denied, please try again.

方式三:ansible -m copy client –ask-pass

1、 将ansible主机的id_rsa.pub拷贝成authorized_keys
[root@flask-mysql ~]# cp /root/.ssh/id_rsa.pub  /root/.ssh/authorized_keys
2、执行copy模块
[root@flask-mysql ~]# ansible -m copy -a 'src=/root/.ssh/authorized_keys dest=/root/.ssh/authorized_keys backup=yes'  10.0.0.7 --ask-pass

# 操作记录
[root@flask-mysql ~]# ansible -m ping 10.0.0.7 
10.0.0.7 | UNREACHABLE! => {
    "changed": false, 
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", 
    "unreachable": true
}
[root@flask-mysql ~]# ls /root/.ssh/
authorized_keys  id_rsa  id_rsa.pub  known_hosts


[root@flask-mysql ~]# ansible -m copy -a 'src=/root/.ssh/authorized_keys dest=/root/.ssh/authorized_keys backup=yes'  10.0.0.7 --ask-pass
SSH password: 
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "checksum": "77b45a518f90cc6480f4eec0fbfaba6344529bfc", 
    "dest": "/root/.ssh/authorized_keys", 
    "gid": 0, 
    "group": "root", 
    "mode": "0644", 
    "owner": "root", 
    "path": "/root/.ssh/authorized_keys", 
    "size": 398, 
    "state": "file", 
    "uid": 0
}
[root@flask-mysql ~]# ansible -m ping 10.0.0.7 
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}

方式四:authorized_key 模块推送公钥

1、创建加密文件
ansible-vault create vault-foo.yml
ansible_ssh_pass: 123456
2、编写send_sshkey.yaml
[root@flask-mysql .ssh]# cat send_sshkey.yaml 
- hosts: all
  remote_user: root   # 连接远程主机的用户,密码就是加密文件中设置好的 ansible_ssh_pass 的值
  vars_files:
    - vault-foo.yml    # 加密文件
  tasks:
  - name: Set authorized key taken from file
    authorized_key:    # 发送公钥的模块
      user: root            # 给这个用户发送公钥
      state: present
      key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"


3、执行
[root@flask-mysql .ssh]# ansible-playbook send_sshkey.yaml  --ask-vault-pass
4、验证
[root@flask-mysql .ssh]# ansible -m ping 10.0.0.7
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": false, 
    "ping": "pong"
}

总结

四种方式其实质可以分为两种

  • expect + shell
  • 密码+模块
    • /etc/ansible/hosts+ansible_ssh_pass
    • copy +–ask-pass
    • authorized_key + lookup file + ansible_ssh_pass

遇到的奇葩问题

方式二:/etc/ansible/hosts+ansible_ssh_pass中

ansible_ssh_pass 设置是为0开头的密码 就会报错:Invalid/incorrect password: Permission denied, please try again.
改为其他密码,比如123456则可以实现。

原文地址:http://www.cnblogs.com/liushiya/p/16849583.html

1. 本站所有资源来源于用户上传和网络,如有侵权请邮件联系站长! 2. 分享目的仅供大家学习和交流,请务用于商业用途! 3. 如果你也有好源码或者教程,可以到用户中心发布,分享有积分奖励和额外收入! 4. 本站提供的源码、模板、插件等等其他资源,都不包含技术服务请大家谅解! 5. 如有链接无法下载、失效或广告,请联系管理员处理! 6. 本站资源售价只是赞助,收取费用仅维持本站的日常运营所需! 7. 如遇到加密压缩包,默认解压密码为"gltf",如遇到无法解压的请联系管理员! 8. 因为资源和程序源码均为可复制品,所以不支持任何理由的退款兑现,请斟酌后支付下载 声明:如果标题没有注明"已测试"或者"测试可用"等字样的资源源码均未经过站长测试.特别注意没有标注的源码不保证任何可用性