Ansible授权密钥模块无法读取公共密钥 [英] Ansible authorized key module unable to read public key
问题描述
我正在尝试使用ansible(2.1.2.0版)在我们的服务器网络上创建命名的ssh访问.从跳转框中运行ansible,我正在创建一组用户,并使用users模块创建一个私钥/公钥对.
I'm trying to use ansible (version 2.1.2.0) to create named ssh access across our network of servers. Running ansible from a jump box I'm creating a set of users and creating a private/public key pair with the users module
- user:
name: "{{ item }}"
shell: /bin/bash
group: usergroup
generate_ssh_key: yes
ssh_key_comment: "ansible-generated for {{ item }}"
with_items: "{{ list_of_usernames }}"
我要从那里跨公钥复制到每个远程服务器上的authorized_users文件.我正在使用 authorized_key_module 来获取并复制用户生成的公共密钥作为authenticate_key在远程服务器上:
From there I would like to copy across the public key to the authorized_users file on each remote server. I'm using the authorized_key_module to fetch and copy the user's generated public key as the authorized_key on the remote servers:
- authorized_key:
user: "{{ item }}"
state: present
key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
with_items:
- "{{ list_of_usernames }}"
我发现的是查找失败,因为它无法访问用户.ssh文件夹中的pub文件.但是,如果我以root用户身份运行ansible(对我来说,这不是我愿意采取的选择),它将很高兴地运行.
What I'm finding is that the lookup will fail as it is unable to access the pub file within the user's .ssh folder. It will run happily however if I run ansible as the root user (which for me is not an option I'm willing to take).
fatal: [<ipAddress>]: FAILED! => {"failed": true, "msg": "{{ lookup('file', '/home/testuser/.ssh/id_rsa.pub') }}: the file_name '/home/testuser/.ssh/id_rsa.pub' does not exist, or is not readable"}
除了以root身份运行ansible之外,还有其他更好的方法吗?
Is there a better way to do this other than running ansible as root?
对不起,我忘了提到我正在跑步时变得:是
Sorry I had forgotten to mention that I'm running with become: yes
编辑#2:以下是我要运行的精简版剧本,当然在这种情况下,它将向本地主机添加authorized_key,但显示了我面临的错误:
Edit #2: Below is a condensed playbook of what I'm trying to run, of course in this instance it'll add the authorized_key to the localhost but shows the error I'm facing:
---
- hosts: all
become: yes
vars:
active_users: ['user1','user2']
tasks:
- group:
name: "users"
- user:
name: "{{ item }}"
shell: /bin/bash
group: users
generate_ssh_key: yes
with_items: "{{ active_users }}"
- authorized_key:
user: "{{ item }}"
state: present
key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
become: yes
become_user: "{{ item }}"
with_items:
- "{{ active_users }}"
推荐答案
好的,问题出在查找插件上.
它在Ansible控制主机上执行,具有运行ansible-playbook
和become: yes
的用户权限而不提升插件的权限.
OK, the problem is with lookup plugin.
It is executed on ansible control host with permissions of user that run ansible-playbook
and become: yes
don't elevate plugins' permissions.
要解决此问题,请捕获user
任务的结果并将其输出用于其他任务:
To overcome this, capture result of user
task and use its output in further tasks:
- user:
name: "{{ item }}"
shell: /bin/bash
group: docker
generate_ssh_key: yes
ssh_key_comment: "ansible-generated for {{ item }}"
with_items:
- ansible5
- ansible6
register: new_users
become: yes
- debug: msg="user {{ item.item }} pubkey {{ item.ssh_public_key }}"
with_items: "{{ new_users.results }}"
尽管您需要委派一些任务,但想法是相同的.
Although you need to delegate some of this tasks, the idea will be the same.
这篇关于Ansible授权密钥模块无法读取公共密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!