Ansible 1.3：实现基于 ssh_key 的 Ansible 连接

1.3：实现基于 ssh_key 的 Ansible 连接

Ansible控制端对被管理主机的操作是通过SSH连接进行的，需要将Ansible控制端的公钥推送给各被管理主机，实现基于密钥认证的ssh连接。

1.3.1：Ansible 控制端生成密钥对（ssh_keygen）

密钥对的生成使用的是ssh-keygen命令，它是一个密钥生成、管理和转换工具（authentication key generation, management and conversion）。

ssh-keygen命令常用选项：

• -f filename
  Specifies the filename of the key file.
  指定密钥文件的路径（需要指定文件名，而非目录名）。
  如不指定，密钥文件默认保存到当前用户家目录下的.ssh目录，公钥文件和密钥文件保存在同一目录。
• -t dsa | ecdsa | ed25519 | rsa
  Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ed25519”, or “rsa”.
  指定密钥类型，默认为rsa。
• -C comment
  Provides a new comment.
  对密钥的注释信息。

这里使用ssh-keygen命令直接创建密钥对：

不加任何选项，一路回车即可。

[root@ansible ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
84:8d:09:92:7a:c6:01:fa:e9:25:04:c9:1b:e7:47:08 root@ansible.yqc.com
The key's randomart image is:
+--[ RSA 2048]----+
|+Eo.o            |
|o+o+ o =         |
|.o*.. + o        |
|.++o . .         |
| o+ o   S        |
| . o             |
|  .              |
|                 |
|                 |
+-----------------+

1.3.2：向被管理主机推送公钥（ssh-copy-id、sshpass）

向对端推送自己的公钥，使用的命令是：

1. ssh-copy-id命令（use locally available keys to authorise logins on a remote machine）。

2. ssh-pass命令，可以在非交互的情况下提供ssh登录密码给后边的命令（noninteractive ssh password provider）。

   sshpass [-ffilename|-dnum|-ppassword|-e] [options] command arguments
   

ssh-copy-id命令常用选项：

• -i identity_file
  指定公钥文件（通常以.pub结尾，如果不是，则自动为文件名添加.pub）。
  如不指定，则使用默认的公钥文件，默认公钥文件为~/.ssh/id*.pub，*为什么取决于使用的密钥类型，比如rsa、dsa等。

• -n
  do a dry-run. Instead of installing keys on the remote system simply prints the key(s) that would have been installed.
  不真正像对端推送公钥，仅仅验证能否成功推送，并打印使用的公钥。

• -o ssh_option

  在推送公钥时设置指定的ssh配置项。
  常用的为-o StrictHostKeyChecking=no，这样在首次验证时不用输入yes，可以直接信任对端。

ssh-pass命令主要是在首次验证对端时，以非交互的方式提供对端的ssh密码，这个选项为：

• -e
  The password is taken from the environment variable “SSHPASS”.
  提前将对端的SSH登录密码保存在SSHPASS变量中，在首次验证对端时就无需输入密码了。

也可以使用expect来实现“yes”和ssh密码的自动输入。

这里提前声明好SSHPASS变量，使用sshpass -e传递密码，再通过ssh-copy-id向192.168.1.105主机推送Ansible控制端的公钥，全程无需进行交互式操作：

[root@ansible ~]# export SSHPASS=123456
[root@ansible ~]# sshpass -e ssh-copy-id  -o StrictHostKeyChecking=no 192.168.1.105    
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '192.168.1.105'"
and check to make sure that only the key(s) you wanted were added.

验证ssh免密登录：

[root@ansible ~]# ssh 192.168.1.105
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
Last login: Sat Apr 24 16:17:55 2021 from 192.168.1.210
root@node105:~# hostname -I
192.168.1.105 

1.3.3：编写批量推送公钥的脚本

通过for循环批量传递被管理主机的IP，实现批量推送公钥（前提是ssh登录密码一致，如果不一致，要按照密码分批次进行）。

#!/bin/bash
# Description: 向被管理主机批量推送管理端ssh公钥
# Variables set
export SSHPASS=123456
Hosts="
192.168.1.111
192.168.1.112"

for i in ${Hosts}; do
        sshpass -e ssh-copy-id  -o StrictHostKeyChecking=no ${i}
done

测试脚本：

[root@ansible ~]# bash key_push.sh 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '192.168.1.111'"
and check to make sure that only the key(s) you wanted were added.

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh -o 'StrictHostKeyChecking=no' '192.168.1.112'"
and check to make sure that only the key(s) you wanted were added.

验证ssh登录：

[root@ansible ~]# ssh 192.168.1.111
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
Last login: Fri Apr 23 13:45:30 2021 from 192.168.1.2

root@node111:~# exit
logout
Connection to 192.168.1.111 closed.

[root@ansible ~]# ssh 192.168.1.112
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-55-generic x86_64)
Last login: Wed Apr 14 08:31:38 2021 from 192.168.1.2