Ansible 授权密钥模块无法读取公钥 [英] Ansible authorized key module unable to read public key

问题描述

我正在尝试使用 ansible(版本 2.1.2.0)在我们的服务器网络中创建命名的 ssh 访问.从跳转框运行 ansible 我正在创建一组用户并使用用户模块创建私钥/公钥对

I'm trying to use ansible (version 2.1.2.0) to create named ssh access across our network of servers. Running ansible from a jump box I'm creating a set of users and creating a private/public key pair with the users module

  - user:
      name: "{{ item }}"
      shell: /bin/bash
      group: usergroup
      generate_ssh_key: yes
      ssh_key_comment: "ansible-generated for {{ item }}"
    with_items: "{{ list_of_usernames }}"

从那里我想将公钥复制到每个远程服务器上的 authorized_users 文件.我正在使用 authorized_key_module 来获取和复制用户生成的公钥作为authorized_key在远程服务器上:

From there I would like to copy across the public key to the authorized_users file on each remote server. I'm using the authorized_key_module to fetch and copy the user's generated public key as the authorized_key on the remote servers:

  - authorized_key:
      user: "{{ item }}"
      state: present
      key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
    with_items:
      - "{{ list_of_usernames }}"

我发现查找将失败，因为它无法访问用户的 .ssh 文件夹中的 pub 文件.但是，如果我以 root 用户身份运行 ansible(这对我来说不是我愿意接受的选项)，它会运行得很愉快.

What I'm finding is that the lookup will fail as it is unable to access the pub file within the user's .ssh folder. It will run happily however if I run ansible as the root user (which for me is not an option I'm willing to take).

fatal: [<ipAddress>]: FAILED! => {"failed": true, "msg": "{{ lookup('file', '/home/testuser/.ssh/id_rsa.pub') }}: the file_name '/home/testuser/.ssh/id_rsa.pub' does not exist, or is not readable"}

除了以 root 身份运行 ansible 之外，还有更好的方法吗?

Is there a better way to do this other than running ansible as root?

对不起，我忘了提到我正在运行:是的

Sorry I had forgotten to mention that I'm running with become: yes

编辑#2:下面是我尝试运行的精简剧本，当然在这种情况下，它会将authorized_key 添加到本地主机，但显示我面临的错误:

Edit #2: Below is a condensed playbook of what I'm trying to run, of course in this instance it'll add the authorized_key to the localhost but shows the error I'm facing:

---
- hosts: all
  become: yes
  vars:
    active_users: ['user1','user2']
  tasks:

  - group:
      name: "users"

  - user:
      name: "{{ item }}"
      shell: /bin/bash
      group: users
      generate_ssh_key: yes
    with_items: "{{ active_users }}"

  - authorized_key:
      user: "{{ item }}"
      state: present
      key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
    become: yes
    become_user: "{{ item }}"
    with_items:
      - "{{ active_users }}"

推荐答案

好的，问题出在lookup插件上.
它在 ansible 控制主机上以运行 ansible-playbook 和 become: yes 的用户权限执行，不提升插件的权限.

OK, the problem is with lookup plugin.
It is executed on ansible control host with permissions of user that run ansible-playbook and become: yes don't elevate plugins' permissions.

为了克服这个问题，捕获 user 任务的结果并将其输出用于进一步的任务:

To overcome this, capture result of user task and use its output in further tasks:

- user:
    name: "{{ item }}"
    shell: /bin/bash
    group: docker
    generate_ssh_key: yes
    ssh_key_comment: "ansible-generated for {{ item }}"
  with_items:
    - ansible5
    - ansible6
  register: new_users
  become: yes

- debug: msg="user {{ item.item }} pubkey {{ item.ssh_public_key }}"
  with_items: "{{ new_users.results }}"

虽然您需要委派其中一些任务，但思路是一样的.

Although you need to delegate some of this tasks, the idea will be the same.

这篇关于Ansible 授权密钥模块无法读取公钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！