Installing ansible on RHEL 9.4 and using it to manage SSH public keys
Date: 2024.11.09
Background: I installed JuiceSSH on my phone and needed to push its public key to the other hosts for remote login. My desktop is about to be replaced as well, so the public keys will need adjusting again. Copying private keys around and importing them all day never felt quite right. This RHEL9 box was always meant to be the ansible control node, so I set it up now: build early, enjoy early.
References:
- Qianfeng Education RHCE training course
- Magedu course by Wang Xiaochun
Install ansible
[root@RHEL9 ~]# dnf install ansible -y
rpm -qc does not list any config file
[root@RHEL9 ~]# rpm -qc ansible
[root@RHEL9 ~]#
Look under /etc instead
[root@RHEL9 ~]# cat /etc/ansible/ansible.cfg
# Since Ansible 2.12 (core):
# To generate an example config file (a "disabled" one with all default settings, commented out):
# $ ansible-config init --disabled > ansible.cfg
#
# Also you can now have a more complete file by including existing plugins:
# ansible-config init --disabled -t all > ansible.cfg
# For previous versions of Ansible you can check for examples in the 'stable' branches of each version
# Note that this file was always incomplete and lagging changes to configuration settings
# for example, for 2.9: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
Generate the config file as the comments describe
[root@RHEL9 ~]# ansible-config init --disabled >> /etc/ansible/ansible.cfg
686 lines
[root@RHEL9 ~]# wc -l /etc/ansible/ansible.cfg
686 /etc/ansible/ansible.cfg
[root@RHEL9 ~]# awk 'END{print NR}' /etc/ansible/ansible.cfg
686
For simple use, turn off the confirmation prompt shown on the first connection to a host (this disables SSH host key checking for ansible connections)
[root@RHEL9 ~]# awk '/host_key_checking/' /etc/ansible/ansible.cfg
;host_key_checking=True
[root@RHEL9 ~]# sed -Ei.bak 's/;host_key_checking=True/host_key_checking=False/' /etc/ansible/ansible.cfg
[root@RHEL9 ~]# awk '/host_key_checking/' /etc/ansible/ansible.cfg
host_key_checking=False
Routes to the 10.31.0.0 and 172.31.0.0 subnets had already been prepared for testing when the DHCP service was installed
[root@RHEL9 ~]# ip route
default via 192.168.4.1 dev WANbridge proto static metric 428
192.168.4.0/23 dev WANbridge proto kernel scope link src 192.168.5.253 metric 428
[root@RHEL9 ~]# nmcli connection modify WANbridge +ipv4.routes "10.31.0.0/24 192.168.5.254"
[root@RHEL9 ~]# nmcli connection modify WANbridge +ipv4.routes "172.31.0.0/24 192.168.5.254"
[root@RHEL9 ~]# virsh list
Id Name State
--------------------------
2 ubuntu16 running
3 rocky9 running
4 rhel8 running
[root@RHEL9 ~]# virsh shutdown rhel8
Domain 'rhel8' is being shutdown
[root@RHEL9 ~]# nmcli connection up WANbridge
Connection successfully activated (master waiting for slaves) (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/18)
[root@RHEL9 ~]# ip route
default via 192.168.4.1 dev WANbridge proto static metric 428
10.31.0.0/24 via 192.168.5.254 dev WANbridge proto static metric 428
172.31.0.0/24 via 192.168.5.254 dev WANbridge proto static metric 428
192.168.4.0/23 dev WANbridge proto kernel scope link src 192.168.5.253 metric 428
There are four hosts now: this machine, RHEL8, ROCKY9 and CENTOS7 (58.218.XX.X2:22222). Configure the hosts file
[root@RHEL9 ~]# cat /etc/ansible/hosts
rhel9 ansible_connection=local
rhel8 ansible_host=192.168.5.254
rocky9 ansible_host=10.31.0.1
centos7 ansible_host=58.218.XX.X2 ansible_port=22222
Generate the public/private key pair on RHEL9
[root@RHEL9 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:QE7FeKhIiTl0dZGd1306L9+KrsFT+YBkJhzlYGvlb0g root@RHEL9
The key's randomart image is:
+---[RSA 3072]----+
|.+ o..oBO.+ . . |
|+ + +++oX . . ..|
| o . .o.= E ..|
| . . o * + .o |
| S o * o |
| . o o. .|
| + .o.|
| o . o|
| .oo .. |
+----[SHA256]-----+
[root@RHEL9 ~]# ls .ssh/
authorized_keys id_rsa id_rsa.pub known_hosts known_hosts.old
First push RHEL9's public key to CENTOS7
ssh-copy-id -p 22222 58.218.XX.X2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@58.218.XX.X2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22222' '58.218.XX.X2'"
and check to make sure that only the key(s) you wanted were added.
All hosts answer the ansible ping
[root@RHEL9 ~]# ansible all -m ping
rhel9 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
rhel8 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/libexec/platform-python"
},
"changed": false,
"ping": "pong"
}
rocky9 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
centos7 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"ping": "pong"
}
Put the public keys of RHEL9, the laptop and JuiceSSH on the phone into one file
[root@RHEL9 .ssh]# cat mykeys
ssh-rsa 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 root@RHEL9
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4eO1CtS30eODMchvV9MDd7opc5B5Q3gDu45mJJxSfNrL9PU17xp0MS+LpXE12Subl4cT566kB2HD2Lu4e7DYBiGSShqQriY+l+f3Tp7/JoDEd9bDZeVsu0henqz7ZBPJ7LQYjC8Kg4VYb5kOJvhm4dqOyT2eyxc9TjXwHXu5vhKMoEluLD3CQu18YTzFsOhpMbes7OvG8pMtFSsEYzRrAUMW0MQ6qhwFfdoXoVolyR66MY8zH/ADjlJI/agQnNnL5/B9ZveseqGJJUvIR6F4GZpLQDJkWcTYupbUt7WpqzJbmms7Ohe5tyKjcQrukwT3IW4iIG6L9mYEC7APOcdfzQ== rsa 2048-082324
ssh-rsa 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 JuiceSSH
Check the module docs: the plan is to remove every other key and keep only the three above
[root@RHEL9 ~]# ansible-doc authorized_key
- exclusive
Whether to remove all other non-specified keys from the authorized_keys file.
Multiple keys can be specified in a single `key' string value by separating them by newlines.
This option is not loop aware, so if you use `with_' , it will be exclusive per iteration of the
loop.
If you want multiple keys in the file you need to pass them all to `key' in a single batch as
mentioned above.
default: false
type: bool
The playbook is as follows
[root@RHEL9 ~]# cat sshauthorizedkey.yml
---
- name: SSH Authoried Keys
  hosts: all
  tasks:
    - name: Set authorized keys, removing unauthorized keys
      ansible.posix.authorized_key:
        user: root
        key: "{{ lookup('file', '/root/.ssh/mykeys') }}"
        state: present
        exclusive: true
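With exclusive: true, the batch in mykeys becomes the entire authorized_keys on every host, so a malformed line or a missing control-node key would lock ansible out. The following is an added example, not from the post: it parses each line of such a batch, checks that the declared key type matches the embedded blob, computes the fingerprint in the form ssh-keygen -lf prints, and confirms the control node's own key is present. The sample keys and the helper that builds them are constructed for this example.

```python
import base64, hashlib, struct

def _s(b: bytes) -> bytes:  # SSH wire "string": 4-byte big-endian length + data
    return struct.pack(">I", len(b)) + b

def make_pubkey_line(kind: str, fields: list, comment: str) -> str:
    """Build an authorized_keys line from raw wire fields (used for sample data)."""
    blob = _s(kind.encode()) + b"".join(_s(f) for f in fields)
    return f"{kind} {base64.b64encode(blob).decode()} {comment}"

def parse_key_line(line: str) -> dict:
    """Parse one authorized_keys line; raise ValueError if it is not a usable key."""
    kind, b64, *rest = line.split(None, 2)  # ValueError if fewer than two fields
    comment = rest[0] if rest else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as e:
        raise ValueError(f"bad base64 ({comment or kind}): {e}")
    # The blob embeds its own type string, which must agree with the declared type.
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else -1
    if n < 0 or blob[4:4 + n] != kind.encode():
        raise ValueError(f"type {kind} does not match key blob ({comment!r})")
    # Fingerprint in the form `ssh-keygen -lf` prints: SHA256 of the blob, unpadded base64.
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": kind, "fingerprint": "SHA256:" + fp, "comment": comment}

def check_mykeys(text: str, control_pub_line: str) -> dict:
    """Validate the batch that `exclusive: true` installs verbatim and confirm the
    control node's own key is in it, so the play cannot lock ansible out."""
    keys, errors = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            keys.append(parse_key_line(line))
        except ValueError as e:
            errors.append(str(e))
    control_fp = parse_key_line(control_pub_line)["fingerprint"]
    return {"keys": keys, "errors": errors,
            "control_key_present": any(k["fingerprint"] == control_fp for k in keys)}
# Constructed sample data (not the keys from the post): two good ed25519 keys, one
# line whose declared type does not match its blob, and one truncated line.
CONTROL_KEY = make_pubkey_line("ssh-ed25519", [bytes(32)], "root@RHEL9")
MYKEYS = "\n".join([
    CONTROL_KEY,
    make_pubkey_line("ssh-ed25519", [bytes([1]) * 32], "JuiceSSH"),
    make_pubkey_line("ssh-ed25519", [bytes([2]) * 32], "laptop")
        .replace("ssh-ed25519", "ssh-rsa", 1),  # declared type disagrees with blob
    "ssh-rsa AAAAB3NzaC1yc2E",                   # truncated base64
]) + "\n"
```

Run check_mykeys on the real file contents before the play; any entry in errors or control_key_present being False is a reason not to run it with exclusive: true.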
Syntax check, then dry run, then execute
[root@RHEL9 ~]# ansible-playbook --help
--syntax-check perform a syntax check on the playbook, but do not execute it
-C, --check don't make any changes; instead, try to predict some of the changes that may occur
[root@RHEL9 ~]# ansible-playbook --syntax-check sshauthorizedkey.yml
playbook: sshauthorizedkey.yml
Dry-run result
[root@RHEL9 ~]# ansible-playbook -C sshauthorizedkey.yml
PLAY [SSH Authoried Keys] *********************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************
ok: [rocky9]
ok: [rhel8]
ok: [centos7]
ok: [rhel9]
TASK [Set authorized keys, removing unauthorized keys] ****************************************************************************
changed: [rhel9]
changed: [rocky9]
changed: [rhel8]
changed: [centos7]
PLAY RECAP ************************************************************************************************************************
centos7 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
rhel8 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
rhel9 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
rocky9 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Execution result
[root@RHEL9 ~]# ansible-playbook sshauthorizedkey.yml
PLAY [SSH Authoried Keys] *********************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************
ok: [centos7]
ok: [rhel9]
ok: [rocky9]
ok: [rhel8]
TASK [Set authorized keys, removing unauthorized keys] ****************************************************************************
changed: [rhel9]
changed: [rhel8]
changed: [rocky9]
changed: [centos7]
PLAY RECAP ************************************************************************************************************************
centos7 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
rhel8 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
rhel9 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
rocky9 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
Pick any host and check its keys
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
WARNING! The remote SSH server rejected X11 forwarding request.
Last login: Fri Nov 22 23:15:33 2024 from 192.168.5.253
[root@ROCKY9 ~]# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA4eO1CtS30eODMchvV9MDd7opc5B5Q3gDu45mJJxSfNrL9PU17xp0MS+LpXE12Subl4cT566kB2HD2Lu4e7DYBiGSShqQriY+l+f3Tp7/JoDEd9bDZeVsu0henqz7ZBPJ7LQYjC8Kg4VYb5kOJvhm4dqOyT2eyxc9TjXwHXu5vhKMoEluLD3CQu18YTzFsOhpMbes7OvG8pMtFSsEYzRrAUMW0MQ6qhwFfdoXoVolyR66MY8zH/ADjlJI/agQnNnL5/B9ZveseqGJJUvIR6F4GZpLQDJkWcTYupbUt7WpqzJbmms7Ohe5tyKjcQrukwT3IW4iIG6L9mYEC7APOcdfzQ== rsa 2048-082324
ssh-rsa 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 root@RHEL9
ssh-rsa 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 JuiceSSH