Ansible授权密钥模块无法读取公共密钥 [英] Ansible authorized key module unable to read public key

问题描述

我正在尝试使用ansible(2.1.2.0版)在我们的服务器网络上创建命名的ssh访问.从跳转框中运行ansible，我正在创建一组用户，并使用users模块创建一个私钥/公钥对.

I'm trying to use ansible (version 2.1.2.0) to create named ssh access across our network of servers. Running ansible from a jump box I'm creating a set of users and creating a private/public key pair with the users module

  - user:
      name: "{{ item }}"
      shell: /bin/bash
      group: usergroup
      generate_ssh_key: yes
      ssh_key_comment: "ansible-generated for {{ item }}"
    with_items: "{{ list_of_usernames }}"

我要从那里跨公钥复制到每个远程服务器上的authorized_users文件.我正在使用 authorized_key_module 来获取并复制用户生成的公共密钥作为authenticate_key在远程服务器上:

From there I would like to copy across the public key to the authorized_users file on each remote server. I'm using the authorized_key_module to fetch and copy the user's generated public key as the authorized_key on the remote servers:

  - authorized_key:
      user: "{{ item }}"
      state: present
      key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
    with_items:
      - "{{ list_of_usernames }}"

我发现的是查找失败，因为它无法访问用户.ssh文件夹中的pub文件.但是，如果我以root用户身份运行ansible(对我来说，这不是我愿意采取的选择)，它将很高兴地运行.

What I'm finding is that the lookup will fail as it is unable to access the pub file within the user's .ssh folder. It will run happily however if I run ansible as the root user (which for me is not an option I'm willing to take).

fatal: [<ipAddress>]: FAILED! => {"failed": true, "msg": "{{ lookup('file', '/home/testuser/.ssh/id_rsa.pub') }}: the file_name '/home/testuser/.ssh/id_rsa.pub' does not exist, or is not readable"}

除了以root身份运行ansible之外，还有其他更好的方法吗?

Is there a better way to do this other than running ansible as root?

对不起，我忘了提到我正在跑步时变得:是

Sorry I had forgotten to mention that I'm running with become: yes

编辑#2:以下是我要运行的精简版剧本，当然在这种情况下，它将向本地主机添加authorized_key，但显示了我面临的错误:

Edit #2: Below is a condensed playbook of what I'm trying to run, of course in this instance it'll add the authorized_key to the localhost but shows the error I'm facing:

---
- hosts: all
  become: yes
  vars:
    active_users: ['user1','user2']
  tasks:

  - group:
      name: "users"

  - user:
      name: "{{ item }}"
      shell: /bin/bash
      group: users
      generate_ssh_key: yes
    with_items: "{{ active_users }}"

  - authorized_key:
      user: "{{ item }}"
      state: present
      key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
    become: yes
    become_user: "{{ item }}"
    with_items:
      - "{{ active_users }}"

推荐答案

好的，问题出在查找插件上.
它在Ansible控制主机上执行，具有运行ansible-playbook和become: yes的用户权限而不提升插件的权限.

OK, the problem is with lookup plugin.
It is executed on ansible control host with permissions of user that run ansible-playbook and become: yes don't elevate plugins' permissions.

要解决此问题，请捕获user任务的结果并将其输出用于其他任务:

To overcome this, capture result of user task and use its output in further tasks:

- user:
    name: "{{ item }}"
    shell: /bin/bash
    group: docker
    generate_ssh_key: yes
    ssh_key_comment: "ansible-generated for {{ item }}"
  with_items:
    - ansible5
    - ansible6
  register: new_users
  become: yes

- debug: msg="user {{ item.item }} pubkey {{ item.ssh_public_key }}"
  with_items: "{{ new_users.results }}"

尽管您需要委派一些任务，但想法是相同的.

Although you need to delegate some of this tasks, the idea will be the same.

这篇关于Ansible授权密钥模块无法读取公共密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！