ansible--免密

目录

ssh免密登录

authorized_key模块实现

---

ssh免密登录

第一步：

在ansible服务端创建密匙：ssh-keygen 

注意：不断回车即可生成密钥

[root@httpd 10.10.10.3]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
01:f0:5a:ef:8f:72:f4:77:b5:f3:37:08:6c:a6:f2:32 root@httpd.test.com
The key's randomart image is:
+--[ RSA 2048]----+
|    ...          |
|     . .         |
|      o .        |
|     o . .       |
|    .   S .      |
|       ..  =    .|
|       ...+ . ...|
|      .E.+. ...+.|
|       o*... .  *|
+-----------------+
[root@httpd 10.10.10.3]# ll /root/.ssh/
-rw-------. 1 root root 1675 Jun 25 13:45 id_rsa
-rw-r--r--. 1 root root  401 Jun 25 13:45 id_rsa.pub

第二步：

复制密钥到客户端上：ssh-copy-id 用户名@主机

[root@httpd 10.10.10.3]# ssh-copy-id root@10.10.10.2
The authenticity of host '10.10.10.2 (10.10.10.2)' can't be established.
ECDSA key fingerprint is 37:f4:17:5a:12:df:eb:4e:46:b8:d9:3e:0d:93:99:4e.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.10.10.2's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.10.10.2'"
and check to make sure that only the key(s) you wanted were added.

[root@httpd 10.10.10.3]# ssh root@10.10.10.2
Last login: Fri Jun 25 13:21:10 2021 from 10.10.10.3
[root@ansible ~]# ls .ssh/
authorized_keys

---

authorized_key模块实现

第一步

关闭公钥认证（如果有个主机没有在“known_hosts”中被初始化将会导致在交互使用Ansible或定时执行Ansible时对key信息的确认提示，如下图）

sed -i "s/^#host_key_checking=/host_key_checking = False/" /etc/ansible/ansible.cfg

/etc/ansible/ansible.cfg
# uncomment this to disable SSH key host checking
host_key_checking = False

第二步

在ansible服务端创建密匙：ssh-keygen 

注意：不断回车即可生成密钥

第三步

复制密钥到客户端上，并重命名

 ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/id_rsa.pub')}}'" -k

[root@ansible ~]# ansible all -m authorized_key -a "user=root key='{{ lookup('file', '/root/.ssh/id_rsa.pub')}}'" -k 
SSH password: 
10.10.10.4 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "comment": null, 
    "exclusive": false, 
    "follow": false, 
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpME9Xik+jjAdN8zz8BUG5uEKAp04DWIonUcTmWtxhhmrsj+Ve/RmoQljBac+UGg82T59qMnzPz9AtlG0A74vFbXjiyTHhfqYJVxHemhDSFH3ennlXiymacyWanNbJYZbDvNyLl1RIktbF+10/l0cGFK0loJF49RUuOmwgvzJ1KRUDJAaAffYiOxCJY/QJzwy6sJ805XfALT5nIro7C/2q3kWaBw2J4KNzdCluHw/AhILV+WsdRNNg1zV1/akR7+ZWCrL0vejvAi2IaIK3ix+SOU5I61XwvCDaZkE3uVNYf6ERoFcV1L6qOzR1nGefOWrgqUaLOjcBp0bxr048cO6v root@ansible.test.com", 
    "key_options": null, 
    "keyfile": "/root/.ssh/authorized_keys", 
    "manage_dir": true, 
    "path": null, 
    "state": "present", 
    "user": "root", 
    "validate_certs": true
}
10.10.10.3 | CHANGED => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    }, 
    "changed": true, 
    "comment": null, 
    "exclusive": false, 
    "follow": false, 
    "key": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDpME9Xik+jjAdN8zz8BUG5uEKAp04DWIonUcTmWtxhhmrsj+Ve/RmoQljBac+UGg82T59qMnzPz9AtlG0A74vFbXjiyTHhfqYJVxHemhDSFH3ennlXiymacyWanNbJYZbDvNyLl1RIktbF+10/l0cGFK0loJF49RUuOmwgvzJ1KRUDJAaAffYiOxCJY/QJzwy6sJ805XfALT5nIro7C/2q3kWaBw2J4KNzdCluHw/AhILV+WsdRNNg1zV1/akR7+ZWCrL0vejvAi2IaIK3ix+SOU5I61XwvCDaZkE3uVNYf6ERoFcV1L6qOzR1nGefOWrgqUaLOjcBp0bxr048cO6v root@ansible.test.com", 
    "key_options": null, 
    "keyfile": "/root/.ssh/authorized_keys", 
    "manage_dir": true, 
    "path": null, 
    "state": "present", 
    "user": "root", 
    "validate_certs": true
}
[root@ansible ~]# ssh root@10.10.10.3
Last login: Fri Jun 25 14:44:15 2021 from 10.10.10.2
[root@httpd ~]# exit
logout
Connection to 10.10.10.3 closed.
[root@ansible ~]# ssh root@10.10.10.4
Last login: Fri Jun 25 14:44:18 2021 from 10.10.10.2
[root@nginx ~]# 

authoried_keys模块参数

user：远程主机用户

key：ansible主机上pub密钥存放路径

path：远程主机authorized_keys的存放路径，默认~/.ssh

state：absent，默认present

exclusive：是否移除authorized_keys文件中其它非指定key，默认no

manage_dir： yes，模块会创建目录，以及设置一个已存在目录的拥有者和权限；no，搭配path使用