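I. Purpose of Ansible's authorized_key module

It is used to deploy SSH keys so that logins no longer need a password:

After a key pair has been generated on the Ansible control machine, how does the public key get uploaded to the managed hosts?

You can of course run ssh-copy-id by hand against each host, which is fine when there are only a few managed hosts,

but with dozens or hundreds of machines the manual approach becomes too slow.

The authorized_key module uploads the public key to every server so that key-based, passwordless login works.

II. Example of using authorized_key:

1. Add a group to the hosts inventory file: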


[ils]
121.122.123.87:12888 ansible_ssh_user=webop ansible_ssh_pass="weboppass"
121.122.123.88:12888 ansible_ssh_user=webop ansible_ssh_pass="weboppass"
121.122.123.89:12888 ansible_ssh_user=webop ansible_ssh_pass="weboppass"

Upload the public key to all of them in one run:

[root@centos8 ~]# ansible ils -m authorized_key -a "user=webop state=present key='{{ lookup('file', '/home/liuhongdi/.ssh/id_rsa.pub') }}'"

This fails with an error:

121.122.123.87 | FAILED! => {
"msg": "Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.
Please add this host's fingerprint to your known_hosts file to manage this host."
}

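Cause of the problem:

The first time ssh connects to a host, it normally shows the host key fingerprint and asks you to type yes to confirm it.

After confirmation, the host key is added to the ~/.ssh/known_hosts file. sshpass cannot answer that interactive prompt, so password-based login fails for hosts that are not yet in known_hosts.

Solution:

Edit the Ansible configuration file: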

[root@centos8 ~]# vi /etc/ansible/ansible.cfg

Uncomment this line:

host_key_checking = False

Note: what this line does:

uncomment this to disable SSH key host checking

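It disables SSH host key fingerprint checking. With checking off, Ansible no longer verifies that it is talking to the intended server, and in this setup the SSH password is sent over that unverified connection; the alternative named in the error message is to add each host's fingerprint to known_hosts and leave checking enabled.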
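The error message above asks for each host's fingerprint to be in known_hosts. The following added example (not from the original post) lists which hosts of an inventory group still have no known_hosts entry, so they can be verified and added instead of leaving host_key_checking off. It goes slightly beyond the page by also handling hashed known_hosts entries; the function names, key blobs and salt are constructed for illustration.

```python
import base64, hashlib, hmac

def inventory_hosts(text, group):
    """Return (host, port) pairs listed under [group] in an INI inventory."""
    hosts, active = [], False
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            active = line == f"[{group}]"
        elif active:
            host, _, port = line.split()[0].partition(":")
            hosts.append((host, int(port or 22)))
    return hosts

def known_name(host, port):
    """OpenSSH records a non-default port as "[host]:port"."""
    return host if port == 22 else f"[{host}]:{port}"

def hashed_field(name, salt):
    """Build the "|1|salt|hash" form written when HashKnownHosts is on."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def field_matches(field, name):
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hashed_field(name, salt))
    return name in field.split(",")  # exact names only; wildcards not handled

def missing_hosts(inventory, group, known_hosts):
    """Inventory hosts that have no matching known_hosts entry."""
    fields = [l.split()[0] for l in map(str.strip, known_hosts.splitlines())
              if l and l[0] not in "#@"]  # skip comments and @marker lines
    return [(h, p) for h, p in inventory_hosts(inventory, group)
            if not any(field_matches(f, known_name(h, p)) for f in fields)]

# Constructed sample data: the page's [ils] hosts, placeholder key blobs.
INVENTORY = """[ils]
121.122.123.87:12888 ansible_ssh_user=webop
121.122.123.88:12888 ansible_ssh_user=webop
121.122.123.89:12888 ansible_ssh_user=webop
"""
KEY = " ssh-ed25519 AAAA-constructed-placeholder"
KNOWN_HOSTS = "\n".join([
    "[121.122.123.87]:12888" + KEY,
    hashed_field("[121.122.123.88]:12888", b"constructed-salt-20b") + KEY,
    "121.122.123.89" + KEY,  # port 22 entry; does not cover port 12888
])
```

In the sample, only 121.122.123.89 is reported: its existing entry is for port 22, and OpenSSH treats `[host]:12888` as a different name.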

2. Upload the public key to the servers again:

[root@centos8 ~]# ansible ils -m authorized_key -a "user=webop state=present key='{{ lookup('file', '/home/liuhongdi/.ssh/id_rsa.pub') }}'"
121.122.123.87 | CHANGED => {

It succeeded.

Test manually: does ssh to the target server still ask for a password?

[root@centos8 ~]# ssh -p 12888 webop@121.122.123.87

III. Check the Ansible version

[root@centos8 liuhongdi]# ansible --version

ansible 2.9.5


The same task written as a playbook:

---
- name: Public key is deployed to managed hosts for ansible
  hosts: server

  tasks:
    - name: Ensure key is in user's ~/.ssh/authorized_keys
      authorized_key:
        user: qiaolei
        state: present  # use absent to remove the key and revoke passwordless login
        key: "{{ lookup('file', '/home/user/.ssh/id_rsa.pub') }}"  # local public key file