目录
ssh免密登录
第一步:
在ansible服务端创建密钥:ssh-keygen
注意:一路回车即可生成密钥(使用默认路径/root/.ssh/id_rsa,且私钥不设置口令)
[root@httpd 10.10.10.3]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
01:f0:5a:ef:8f:72:f4:77:b5:f3:37:08:6c:a6:f2:32 root@httpd.test.com
The key's randomart image is:
+--[ RSA 2048]----+
| ... |
| . . |
| o . |
| o . . |
| . S . |
| .. = .|
| ...+ . ...|
| .E.+. ...+.|
| o*... . *|
+-----------------+
[root@httpd 10.10.10.3]# ll /root/.ssh/
-rw-------. 1 root root 1675 Jun 25 13:45 id_rsa
-rw-r--r--. 1 root root 401 Jun 25 13:45 id_rsa.pub
第二步:
复制公钥到客户端上:ssh-copy-id 用户名@主机
[root@httpd 10.10.10.3]# ssh-copy-id root@10.10.10.2
The authenticity of host '10.10.10.2 (10.10.10.2)' can't be established.
ECDSA key fingerprint is 37:f4:17:5a:12:df:eb:4e:46:b8:d9:3e:0d:93:99:4e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.10.10.2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.10.10.2'"
and check to make sure that only the key(s) you wanted were added.
[root@httpd 10.10.10.3]# ssh root@10.10.10.2
Last login: Fri Jun 25 13:21:10 2021 from 10.10.10.3
[root@ansible ~]# ls .ssh/
authorized_keys
authorized_key模块实现
第一步
关闭主机密钥检查(如果某台主机尚未写入“known_hosts”,在交互使用Ansible或定时执行Ansible时会出现对主机key信息的确认提示,如下图)。关闭后Ansible不再校验远程主机指纹,建议仅在受信网络中使用,或改为预先把主机加入known_hosts
sed -i "s/^#host_key_checking=/host_key_checking = False/" /etc/ansible/ansible.cfg
/etc/ansible/ansible.cfg
# uncomment this to disable SSH key host checking
host_key_checking = False
第二步
在ansible服务端创建密钥:ssh-keygen
注意:一路回车即可生成密钥(使用默认路径,且私钥不设置口令)
第三步
复制公钥到客户端上,并写入客户端的~/.ssh/authorized_keys
ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/id_rsa.pub')}}'" -k
[root@ansible ~]# ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/id_rsa.pub')}}'" -k
SSH password:
10.10.10.4 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": null,
"exclusive": false,
"follow": false,
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpME9Xik+jjAdN8zz8BUG5uEKAp04DWIonUcTmWtxhhmrsj+Ve/RmoQljBac+UGg82T59qMnzPz9AtlG0A74vFbXjiyTHhfqYJVxHemhDSFH3ennlXiymacyWanNbJYZbDvNyLl1RIktbF+10/l0cGFK0loJF49RUuOmwgvzJ1KRUDJAaAffYiOxCJY/QJzwy6sJ805XfALT5nIro7C/2q3kWaBw2J4KNzdCluHw/AhILV+WsdRNNg1zV1/akR7+ZWCrL0vejvAi2IaIK3ix+SOU5I61XwvCDaZkE3uVNYf6ERoFcV1L6qOzR1nGefOWrgqUaLOjcBp0bxr048cO6v root@ansible.test.com",
"key_options": null,
"keyfile": "/root/.ssh/authorized_keys",
"manage_dir": true,
"path": null,
"state": "present",
"user": "root",
"validate_certs": true
}
10.10.10.3 | CHANGED => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": true,
"comment": null,
"exclusive": false,
"follow": false,
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpME9Xik+jjAdN8zz8BUG5uEKAp04DWIonUcTmWtxhhmrsj+Ve/RmoQljBac+UGg82T59qMnzPz9AtlG0A74vFbXjiyTHhfqYJVxHemhDSFH3ennlXiymacyWanNbJYZbDvNyLl1RIktbF+10/l0cGFK0loJF49RUuOmwgvzJ1KRUDJAaAffYiOxCJY/QJzwy6sJ805XfALT5nIro7C/2q3kWaBw2J4KNzdCluHw/AhILV+WsdRNNg1zV1/akR7+ZWCrL0vejvAi2IaIK3ix+SOU5I61XwvCDaZkE3uVNYf6ERoFcV1L6qOzR1nGefOWrgqUaLOjcBp0bxr048cO6v root@ansible.test.com",
"key_options": null,
"keyfile": "/root/.ssh/authorized_keys",
"manage_dir": true,
"path": null,
"state": "present",
"user": "root",
"validate_certs": true
}
[root@ansible ~]# ssh root@10.10.10.3
Last login: Fri Jun 25 14:44:15 2021 from 10.10.10.2
[root@httpd ~]# exit
logout
Connection to 10.10.10.3 closed.
[root@ansible ~]# ssh root@10.10.10.4
Last login: Fri Jun 25 14:44:18 2021 from 10.10.10.2
[root@nginx ~]#
authorized_key模块参数
user:远程主机用户
key:公钥内容(示例中通过lookup('file', ...)读取ansible主机上的pub公钥文件)
path:远程主机authorized_keys文件的存放路径,默认~/.ssh/authorized_keys
state:present或absent,默认present
exclusive:是否移除authorized_keys文件中其它未指定的key,默认no
manage_dir:为yes时,模块会创建目录,并设置已存在目录的拥有者和权限;为no时,需搭配path使用