Environment
| System | IP | Role | ROOT password |
| --- | --- | --- | --- |
| CentOS7.6 | 10.22.86.71 | Control node | 666666 |
| CentOS7.6 | 10.22.86.72 | Managed node | 666666 |
| CentOS7.6 | 10.22.86.73 | Managed node | 666666 |
| CentOS7.6 | 10.22.86.74 | Managed node | 666666 |
Installation
# yum repository
[root@localhost ~]# cat /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.aliyun.com/epel/7/$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://mirrors.aliyun.com/epel/7/$basearch/debug
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://mirrors.aliyun.com/epel/7/SRPMS
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
Note that every section of the repo file above sets gpgcheck=0, which disables RPM signature verification; the gpgkey path is already configured, so gpgcheck=1 costs nothing and is the safer setting on a node that will hold root SSH keys for the whole fleet.
# Install ansible on the control node
yum -y install ansible
Configure SSH keys
[root@localhost ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:G/0ENgVRPBWXkOwW27IF0Bhq4dwCQzzEUtTYhUw/RKo root@localhost.localdomain
The key's randomart image is:
+---[RSA 2048]----+
| BB*o*@Oo=.o|
| . ===Boo* o |
| . .B++..= |
| oo.o.= o |
| ES . o + |
| o o . |
| . . |
| |
| |
+----[SHA256]-----+
[root@Ansible1 ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@10.22.86.72
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.22.86.72's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.22.86.72'"
and check to make sure that only the key(s) you wanted were added.
[root@Ansible1 ~]# ssh root@10.22.86.72
Last login: Mon May 29 08:54:22 2023 from 10.22.86.71
[root@Ansible2 ~]# exit
logout
Connection to 10.22.86.72 closed.
If the generated key pair does not use the default file name, proceed as follows
# Suppose the generated key pair is id_rsa_test2 (-P sets the passphrase here; -N is the documented flag for a new key's passphrase and behaves the same)
[root@Ansible1 ~]# ssh-keygen -f ~/.ssh/id_rsa_test2 -P'123456'
Generating public/private rsa key pair.
Your identification has been saved in /root/.ssh/id_rsa_test2.
Your public key has been saved in /root/.ssh/id_rsa_test2.pub.
The key fingerprint is:
SHA256:ceWJTlaka6ejFgsmk+d7lpDmNRx0P7DYI3ZglBCv9Tw root@Ansible1
The key's randomart image is:
+---[RSA 2048]----+
| o+.. .+ |
| .= o* . |
| o+=*+o |
| o=O=.o |
| ..+S+E... |
| + B =. + |
| O + =o |
| o *. . |
| .=. |
+----[SHA256]-----+
[root@Ansible1 ~]# ssh-copy-id -i ~/.ssh/id_rsa_test2.pub root@10.22.86.72
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa_test2.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.22.86.72'"
and check to make sure that only the key(s) you wanted were added.
[root@Ansible1 ~]# ssh -i ~/.ssh/id_rsa_test2 root@10.22.86.72
Enter passphrase for key '/root/.ssh/id_rsa_test2':
Enter passphrase for key '/root/.ssh/id_rsa_test2':
Last login: Mon May 29 09:16:39 2023 from 10.22.86.71
[root@Ansible2 ~]# whoami
root
[root@Ansible2 ~]# exit
logout
Connection to 10.22.86.72 closed.
- Done this way, every connection prompts for the passphrase; instead, load the key into the ssh-agent key list once
[root@Ansible1 ~]# ssh-add -L
Error connecting to agent: No such file or directory
[root@Ansible1 ~]# ssh-agent bash
[root@Ansible1 ~]# ssh-add /root/.ssh/id_rsa
id_rsa id_rsa.pub id_rsa_test1 id_rsa_test1.pub id_rsa_test2 id_rsa_test2.pub
[root@Ansible1 ~]# ssh-add /root/.ssh/id_rsa_test2
Enter passphrase for /root/.ssh/id_rsa_test2:
Identity added: /root/.ssh/id_rsa_test2 (/root/.ssh/id_rsa_test2)
[root@Ansible1 ~]# ssh -i ~/.ssh/id_rsa_test2 root@10.22.86.72
Last login: Mon May 29 09:21:30 2023 from 10.22.86.71
[root@Ansible2 ~]# exit
logout
Connection to 10.22.86.72 closed.
[root@Ansible1 ~]# ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJEbWuNRbCMDXsmEipNPTkEguviH5RN1SGdugRnSeDnH3h1fq7pj2YXQdfWxmj9TTDFuu035OXc47o7SXh6CliqgBbXCdBb7qB9hxGttM8WVayCh4mIpBdYBxzYWZ4sUGschd86+vk4eG3pczFKhbEa1ukXK2llJGCckNQqtLJzd1NBAy+fGfs/F6J3xlPWeswJCeXSjnhy8Ng4hTPzY0aITpzu7jtFydLn3zfFkb+WavYbAZyzrFhL2kiBITUrdlzOV2QXKsH+fcPnPGbCr/r8UKnPJm9qLZj8RPCelntbKVTfzDzuQdFXe8iTKf5gaeipm0EnwnOMU99UqfHu9jL /root/.ssh/id_rsa_test2
ssh-agent summary
Start ssh-agent
Method 1: spawn a subshell and run the ssh-agent process inside it; exiting the subshell ends the agent automatically.
ssh-agent $SHELL
Method 2: start a standalone agent process; when you leave the current shell, stop the agent with ssh-agent -k so it does not keep serving your keys.
eval `ssh-agent`
Stop ssh-agent
ssh-agent -k
Add a private key to the agent
ssh-add ~/.ssh/key_name
List the private keys held by the agent (fingerprints)
ssh-add -l
List the public keys corresponding to the private keys in the agent
ssh-add -L
Remove a specific private key
ssh-add -d /path/of/key/key_name
Remove all private keys from the agent
ssh-add -D
Lock the agent
Locking asks for a lock password; while locked, the agent will not serve the private keys it holds
ssh-add -x
Unlock the agent
Unlocking requires the password set when locking; afterwards the agent works normally again
ssh-add -X
Key pairs in detail (per-host keys in the inventory)
[root@Ansible1 ~]# cat /data/ansible/hosts
[web]
10.22.86.72 ansible_ssh_private_key_file="~/.ssh/id_rsa_test2"
[web2]
10.22.86.73 ansible_ssh_private_key_file="~/.ssh/id_rsa_test3"
[mysql]
10.22.86.74
- To use a specific key pair for a host, add the ansible_ssh_private_key_file variable
- When the key pair has a passphrase (id_rsa_test2, passphrase 123456), the private key must first be loaded into the agent with ssh-add ~/.ssh/id_rsa_test2; otherwise Ansible is prompted for the passphrase on every connection and fails in non-interactive runs
- When the key pair has no passphrase (id_rsa_test3), no ssh-add is needed
Batch distribution
#!/bin/bash
# Last octets of the hosts to distribute the key to
ip_list="
72
73
74
"
# Create the key in root's home directory, but only if it does not exist yet:
# ssh-keygen would otherwise stop at an "Overwrite (y/n)?" prompt and hang an unattended run
[ -f /root/.ssh/id_rsa ] || ssh-keygen -f /root/.ssh/id_rsa -P ''
for ip in $ip_list
do
    # -p puts the root password on the command line (visible in `ps` and shell history);
    # sshpass -e with SSHPASS exported, or -f with a protected file, avoids that.
    # StrictHostKeyChecking=no accepts whatever host key the target presents, so it is
    # only acceptable on a trusted provisioning network.
    sshpass -p666666 ssh-copy-id -i ~/.ssh/id_rsa.pub -o StrictHostKeyChecking=no root@10.22.86.$ip
done
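The following is an added example, not the page's script, that puts the batch loop above and the agent handling from the ssh-agent summary into one hardened run: it refuses to overwrite an existing key, pre-seeds known_hosts so host keys are pinned rather than accepted blindly, takes the root password from the SSHPASS environment variable (sshpass -e) instead of the command line, checks offline whether a public key is already authorized, verifies that key-only login works with password authentication disabled, and loads the key into an already-running agent only if its fingerprint is not there yet. The target addresses are the ones in the page's environment table; the KEY, KNOWN_HOSTS and RUN_DISTRIBUTE variables and all function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example (not the page's script): hardened key distribution for the
# control node.  Assumes an agent is already running (eval `ssh-agent`) and
# that SSHPASS holds the root password for the first, password-based push.
set -euo pipefail

KEY="${KEY:-$HOME/.ssh/id_rsa}"                      # assumed key path
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}" # assumed known_hosts path
PREFIX="10.22.86"                                    # from the page's environment table
HOSTS="72 73 74"

# Generate the key only when it is absent; an existing identity is never
# overwritten.  -N is the documented flag for the new key's passphrase.
ensure_key() {
    local key="$1"
    if [ ! -f "$key" ]; then
        ssh-keygen -t rsa -b 4096 -f "$key" -N '' -q
    fi
}

# Pre-seed known_hosts with ssh-keyscan so later ssh/ansible runs can keep
# StrictHostKeyChecking=yes.  The printed fingerprints are meant to be
# compared with values obtained out of band before the hosts are trusted.
seed_known_hosts() {
    local ip="$1"
    if ! ssh-keygen -F "$ip" -f "$KNOWN_HOSTS" >/dev/null 2>&1; then
        ssh-keyscan -t rsa,ecdsa,ed25519 "$ip" 2>/dev/null >> "$KNOWN_HOSTS"
    fi
    ssh-keygen -l -F "$ip" -f "$KNOWN_HOSTS"
}

# Offline idempotency check mirroring what ssh-copy-id does on the remote
# side: is this public key (key type + base64 blob, comment ignored) already
# present as a whole entry in the given authorized_keys file?
# Returns 0 if present, 1 otherwise (also 1 if the file does not exist).
key_authorized() {
    local pub="$1" authkeys="$2" blob
    blob="$(cut -d' ' -f1,2 "$pub")"
    [ -f "$authkeys" ] && awk -v b="$blob" \
        '($1 " " $2) == b { found = 1 } END { exit !found }' "$authkeys"
}

# Push the public key using the root password (first contact only), then
# prove that key-only login works with password authentication disabled.
install_and_verify() {
    local ip="$1" key="$2"
    sshpass -e ssh-copy-id -i "$key.pub" \
        -o UserKnownHostsFile="$KNOWN_HOSTS" -o StrictHostKeyChecking=yes "root@$ip"
    ssh -i "$key" -o BatchMode=yes -o PasswordAuthentication=no \
        -o UserKnownHostsFile="$KNOWN_HOSTS" -o StrictHostKeyChecking=yes \
        -o ConnectTimeout=5 "root@$ip" true
}

# Returns 0 if the key's fingerprint is already listed by `ssh-add -l`, so a
# passphrase-protected key is loaded once and Ansible never prompts per host.
agent_has_key() {
    local key="$1" fp
    fp="$(ssh-keygen -lf "$key.pub" | awk '{print $2}')"
    ssh-add -l 2>/dev/null | grep -qF -- "$fp"
}

main() {
    ensure_key "$KEY"
    : "${SSHPASS:?set SSHPASS to the root password for the initial push}"
    for last in $HOSTS; do
        seed_known_hosts "$PREFIX.$last"
        install_and_verify "$PREFIX.$last" "$KEY"
    done
    if ! agent_has_key "$KEY"; then
        ssh-add "$KEY"   # prompts for the passphrase if the key has one
    fi
    ssh-add -l
}

# Run only when explicitly requested, so the functions can also be sourced.
if [ "${RUN_DISTRIBUTE:-0}" = 1 ]; then
    main
fi
```

Run it as `SSHPASS=... RUN_DISTRIBUTE=1 ./distribute.sh` after starting an agent; once the final `ssh -o PasswordAuthentication=no` check passes on every host, PasswordAuthentication can be turned off in the managed nodes' sshd_config, which is the point of distributing keys in the first place.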
Distribute keys
[root@Ansible1 ~]# ssh-copy-id -i ~/.ssh/id_rsa_test2.pub root@10.22.86.72
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa_test2.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.22.86.72'"
and check to make sure that only the key(s) you wanted were added.
[root@Ansible1 ~]# ssh-add /root/.ssh/id_rsa_test2
Enter passphrase for /root/.ssh/id_rsa_test2:
Identity added: /root/.ssh/id_rsa_test2 (/root/.ssh/id_rsa_test2)
[root@Ansible1 ~]# ssh-copy-id -i ~/.ssh/id_rsa_test3.pub root@10.22.86.73
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa_test3.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.22.86.73'"
and check to make sure that only the key(s) you wanted were added.
Test
[root@Ansible1 ~]# ansible web -i /data/ansible/hosts -m ping
10.22.86.72 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
[root@Ansible1 ~]# ansible web2 -i /data/ansible/hosts -m ping
10.22.86.73 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
### Use the -vvv parameter to see detailed execution output