Background
After a bare-metal OS install, sending the Ansible controller's SSH key to every other host by hand is always a chore, so I looked for a simpler way to push the key to the other hosts.
Options:
- expect + shell
- ansible_ssh_pass set in /etc/ansible/hosts, verified with ansible -m ping
- copy module with --ask-pass
- authorized_key module pushing the public key, password kept in ansible-vault
Method one: expect + shell
[root@flask-mysql ansible]# cat send_sshkey.sh
#!/usr/bin/expect
# Push the controller's public key to one host with ssh-copy-id, answering the
# known_hosts and password prompts automatically. Host and password are hard-coded
# here (one host per run); the password sits in cleartext in this file, so keep
# the file mode tight and delete it once the keys are in place.
set timeout 10
set host 10.0.0.7
set password 123456

spawn ssh-copy-id -i /root/.ssh/id_rsa.pub root@$host
# Three prompts are possible:
#  - first connection (no entry in ~/.ssh/known_hosts): host key confirmation, then the password prompt.
#    Newer OpenSSH prints "(yes/no/[fingerprint])?", so match only the "(yes/no" prefix.
#  - host already in ~/.ssh/known_hosts: the password prompt directly.
#  - key already authorized: ssh-copy-id prints "Now try logging into the machine".
expect {
    "(yes/no" {
        send "yes\r"
        expect "password:"
        send "$password\r"
    }
    "password:" {
        send "$password\r"
    }
    "Now try logging into the machine" {
        # already authorized, nothing to send
    }
}
expect eof
Run it:
# expect send_sshkey.sh
Method two: ansible_ssh_pass in /etc/ansible/hosts
Password authentication from Ansible needs the sshpass program on the controller; ansible_ssh_pass, ansible_ssh_user and ansible_ssh_port are the old names of ansible_password, ansible_user and ansible_port and still work. Note that the password sits in cleartext in the inventory, readable by anyone who can read that file, so remove it once the key is in place.
[root@flask-mysql ansible]# cat /etc/ansible/hosts
10.0.0.7 ansible_ssh_port=22 ansible_ssh_user=root ansible_ssh_pass=000000
[root@flask-mysql ansible]# ansible 10.0.0.7 -m ping
10.0.0.7 | UNREACHABLE! => {
    "changed": false,
    "msg": "Invalid/incorrect password: Permission denied, please try again.",
    "unreachable": true
}
[root@flask-mysql ansible]# vim /etc/ansible/hosts
[root@flask-mysql ansible]# cat /etc/ansible/hosts
10.0.0.7 ansible_ssh_port=22 ansible_ssh_pass=123456 ansible_ssh_user=root
[root@flask-mysql ansible]# ansible 10.0.0.7 -m ping
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
# Odd problem: with ansible_ssh_pass=000000 the ping fails with "Invalid/incorrect password: Permission denied, please try again."
# The cause is the INI inventory parser, not sshd: an unquoted key=value on a host line is evaluated as a Python literal, so 000000 becomes the integer 0 and the password actually sent is "0" (123456 also becomes an integer, but its text form is unchanged, which is why it works). Keep the password a string by declaring it in a [group:vars] section, or in a quoted YAML/vault variable as in method four.
Method three: ansible -m copy client --ask-pass
1. Copy the controller's id_rsa.pub to a file named authorized_keys (this is only to get a file with the right name to ship; it also authorizes the controller's key on itself)
[root@flask-mysql ~]# cp /root/.ssh/id_rsa.pub /root/.ssh/authorized_keys
2. Run the copy module
[root@flask-mysql ~]# ansible -m copy -a 'src=/root/.ssh/authorized_keys dest=/root/.ssh/authorized_keys backup=yes' 10.0.0.7 --ask-pass
Caveat: copy replaces the target's whole authorized_keys file, so any keys other people had installed there are gone (backup=yes leaves a timestamped copy, which is why it is set). The authorized_key module in method four only appends the missing key. The resulting mode 0644 is accepted by sshd (StrictModes only rejects files writable by group or others), though 0600 is the usual choice.
# Session log (the first ping fails because no key is installed yet and no password was supplied)
[root@flask-mysql ~]# ansible -m ping 10.0.0.7
10.0.0.7 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}
[root@flask-mysql ~]# ls /root/.ssh/
authorized_keys id_rsa id_rsa.pub known_hosts
[root@flask-mysql ~]# ansible -m copy -a 'src=/root/.ssh/authorized_keys dest=/root/.ssh/authorized_keys backup=yes' 10.0.0.7 --ask-pass
SSH password:
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "checksum": "77b45a518f90cc6480f4eec0fbfaba6344529bfc",
    "dest": "/root/.ssh/authorized_keys",
    "gid": 0,
    "group": "root",
    "mode": "0644",
    "owner": "root",
    "path": "/root/.ssh/authorized_keys",
    "size": 398,
    "state": "file",
    "uid": 0
}
[root@flask-mysql ~]# ansible -m ping 10.0.0.7
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
Method four: push the public key with the authorized_key module
1. Create the encrypted vars file (ansible-vault opens an editor; put the connection password in it; quote the value if it could be read as a number, e.g. one with leading zeros)
ansible-vault create vault-foo.yml
ansible_ssh_pass: 123456
2. Write send_sshkey.yaml
[root@flask-mysql .ssh]# cat send_sshkey.yaml
- hosts: all
  remote_user: root          # user Ansible logs in as; its password is the ansible_ssh_pass value from the vault file
  vars_files:
    - vault-foo.yml          # the encrypted vars file
  tasks:
    - name: Set authorized key taken from file
      authorized_key:        # module that installs the public key
        user: root           # account on the target that receives the key
        state: present
        key: "{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"   # read on the controller
3. Run it
[root@flask-mysql .ssh]# ansible-playbook send_sshkey.yaml --ask-vault-pass
4. Verify
[root@flask-mysql .ssh]# ansible -m ping 10.0.0.7
10.0.0.7 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
}
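The practical difference between method three and method four is what happens to keys already on the target. The following is an added example written for this page, not code from the original post and not Ansible's module source: it models copy as "replace the whole file" and authorized_key as "append only if the same key type and blob is absent, ignoring the comment field", operating on file contents as strings so it runs offline. The helper names and all key material (TARGET_KEYS, CONTROLLER_KEY) are constructed for illustration.

```python
import re

# Added example for this page (not Ansible's module code): the behaviour that
# separates method three (copy: replace the whole file) from method four
# (authorized_key: add one key only if it is missing). Works on file contents as
# strings so it runs offline; all key material below is constructed and fake.

# Match an authorized_keys entry even when it carries leading options such as
# from="..." or command="...": key type followed by the base64 blob. The comment
# field is deliberately not part of the identity, as the module also ignores it.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+|sk-[A-Za-z0-9.@-]+)\s+([A-Za-z0-9+/=]+)"
)


def key_identity(line: str):
    """(keytype, blob) for one authorized_keys line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def copy_module(target_text: str, controller_text: str) -> str:
    """Method three: the target file becomes a copy of the controller's file."""
    return controller_text


def authorized_key_present(target_text: str, pubkey_line: str):
    """Method four: return (new_text, changed); appends only when type+blob is absent."""
    wanted = key_identity(pubkey_line)
    if wanted is None:
        raise ValueError("not a public key line: %r" % pubkey_line)
    if any(key_identity(l) == wanted for l in target_text.splitlines()):
        return target_text, False
    text = target_text if (not target_text or target_text.endswith("\n")) else target_text + "\n"
    return text + pubkey_line.strip() + "\n", True


# Constructed sample: the target already trusts a deploy key (with a from= option).
TARGET_KEYS = (
    "# managed by ops\n"
    'from="10.0.0.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEdeployKEYblob0001 deploy@ops\n'
)
# Constructed stand-in for /root/.ssh/id_rsa.pub on the controller.
CONTROLLER_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0FAKEcontrollerKEYblob0002 root@flask-mysql"

if __name__ == "__main__":
    after_copy = copy_module(TARGET_KEYS, CONTROLLER_KEY + "\n")
    print("copy module kept the deploy key:", "deploy@ops" in after_copy)
    merged, changed = authorized_key_present(TARGET_KEYS, CONTROLLER_KEY)
    print("authorized_key first run changed:", changed)
    merged2, changed2 = authorized_key_present(merged, CONTROLLER_KEY)
    print("authorized_key second run changed:", changed2)
    print(merged, end="")
```

Running it shows the deploy key surviving only under the authorized_key behaviour, and the second run reporting no change, which is the idempotency the module gives you and a blanket copy does not.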
Summary
The four methods really fall into two groups:
- expect + shell
- password + module
  - /etc/ansible/hosts + ansible_ssh_pass
  - copy + --ask-pass
  - authorized_key + lookup('file') + ansible_ssh_pass from a vault
Of the password-based ones, only the vault variant keeps the password out of a cleartext file on the controller.
Odd problem encountered
In method two (/etc/ansible/hosts + ansible_ssh_pass):
setting ansible_ssh_pass to the password 000000 fails with "Invalid/incorrect password: Permission denied, please try again."
Changing it to another password, e.g. 123456, works. The reason is that unquoted values on an INI host line are evaluated as Python literals, so 000000 turns into the integer 0 and "0" is what gets sent; declaring the password in a [group:vars] section or as a quoted YAML/vault variable keeps it a string.
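To see exactly why 000000 breaks and 123456 does not, here is an added example written for this page (not code from the original post and not Ansible's own source) that reimplements, in simplified form, how the INI inventory plugin treats host-line values: the line is split with shlex and each value goes through ast.literal_eval, with the raw string kept only when that evaluation fails. The function names and the sample inventory lines are constructed for illustration; results are for Python 3 (Python 2 would read a leading-zero number as octal instead).

```python
import ast
import shlex


# Simplified reimplementation (added for this page, not Ansible's own code) of
# how the INI inventory plugin handles "host key=value ..." lines.
def parse_value(raw: str):
    """literal_eval when possible, otherwise keep the string as written."""
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        return raw


def parse_host_line(line: str) -> dict:
    """Return {"host": ..., "vars": {...}} for one inventory host line."""
    tokens = shlex.split(line, comments=True)
    hostvars = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        hostvars[key] = parse_value(value)
    return {"host": tokens[0], "vars": hostvars}


def effective_password(line: str) -> str:
    """The text the SSH connection ends up sending as the password."""
    return str(parse_host_line(line)["vars"].get("ansible_ssh_pass"))


# Constructed inventory lines, modelled on the ones in this post.
CASES = {
    "000000 (the failing case)":      "10.0.0.7 ansible_ssh_port=22 ansible_ssh_user=root ansible_ssh_pass=000000",
    "123456 (works, as an int)":      "10.0.0.7 ansible_ssh_port=22 ansible_ssh_user=root ansible_ssh_pass=123456",
    "012345 (not a valid literal)":   "10.0.0.7 ansible_ssh_user=root ansible_ssh_pass=012345",
    "single quotes alone":            "10.0.0.7 ansible_ssh_user=root ansible_ssh_pass='000000'",
    "double quotes around single":    "10.0.0.7 ansible_ssh_user=root ansible_ssh_pass=\"'000000'\"",
}

if __name__ == "__main__":
    for label, line in CASES.items():
        print(f"{label:32} -> password sent: {effective_password(line)!r}")
```

Two things the run makes visible: single quotes alone do not help, because shlex strips them before the literal evaluation, while wrapping the single-quoted value in double quotes survives shlex and is then evaluated as a string literal; and a value like 012345 is not a valid Python 3 literal at all, so it stays a string, which is why the "starts with 0" rule of thumb is only approximately right. The cleaner fix remains keeping the password out of the host line altogether.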
Original article: http://www.cnblogs.com/liushiya/p/16849583.html