一,ansible的authorized_key模块的用途
用来配置密钥实现免密登录:
ansible所在的主控机生成密钥后,如何把公钥上传到受控端?
当然可以用ssh-copy-id命令逐台手动处理,如果受控端机器数量不多当然没问题,
但如果机器数量较多,有几十几百台时,手动处理的效率就成为问题。
authorized_key模块就用来把公钥上传到各台服务器实现免密登录
二,authorized_key的使用例子:
1,在hosts中增加一个段:
ils
121.122.123.87:12888 ansible_ssh_user=webop ansible_ssh_pass="weboppass"
121.122.123.88:12888 ansible_ssh_user=webop ansible_ssh_pass="weboppass"
121.122.123.89:12888 ansible_ssh_user=webop ansible_ssh_pass="weboppass"
批量上传公钥
"user=webop state=present key='{{ lookup('file', '/home/liuhongdi/.ssh/id_rsa.pub') }}'"root@centos8 ~ # ansible ils -m authorized_key -a
出现报错:
121.122.123.87 | FAILED! =>
"msg""Using a SSH password instead of a key is not possible because Host Key checking is enabled and sshpass does not support this.
Please add this host's fingerprint to your known_hosts file to manage this host."
问题的原因:
ssh第一次连接的时候一般会提示fingerprint key字符串,需要输入yes 进行确认.
确认后会把key字符串加入到 ~/.ssh/known_hosts 文件中
解决办法:
修改ansible的配置文件:
[root@centos8 ~]# vi /etc/ansible/ansible.cfg
把这一行的注释去掉:
host_key_checking = False
说明:这一行的作用:
uncomment this to disable SSH key host checking
用来禁止ssh的指纹key字串检查
2,再次上传公钥到服务器:
"user=webop state=present key='{{ lookup('file', '/home/liuhongdi/.ssh/id_rsa.pub') }}'"root@centos8 ~ # ansible ils -m authorized_key -a
121.122.123.87 | CHANGED =>
成功了
手动测试一下:看ssh到目标服务器是否还需要输入密码?
[root@centos8 ~]# ssh -p 12888 webop@121.122.123.87
三,查看ansible版本
[root@centos8 liuhongdi]# ansible --version
ansible 2.9.5
playbook得写法:
---
name Public key is deployed to managed hosts for ansible
hosts server
tasks
name Ensure key is in user's ~/.ssh/authorized_hosts
authorized_key
user qiaolei
state present #absent 取消免密
key"{{ lookup('file', '/home/user/.ssh/id_rsa.pub') }}" #本地公钥文件