Ansible 授权密钥模块无法读取公钥 [英] Ansible authorized key module unable to read public key
问题描述
我正在尝试使用 ansible(版本 2.1.2.0)在我们的服务器网络中创建命名的 ssh 访问.从跳转框运行 ansible 我正在创建一组用户并使用用户模块创建私钥/公钥对
I'm trying to use ansible (version 2.1.2.0) to create named ssh access across our network of servers. Running ansible from a jump box I'm creating a set of users and creating a private/public key pair with the users module
- user:
name: "{{ item }}"
shell: /bin/bash
group: usergroup
generate_ssh_key: yes
ssh_key_comment: "ansible-generated for {{ item }}"
with_items: "{{ list_of_usernames }}"
从那里我想将公钥复制到每个远程服务器上的 authorized_users 文件.我正在使用 authorized_key_module 来获取和复制用户生成的公钥作为authorized_key在远程服务器上:
From there I would like to copy across the public key to the authorized_users file on each remote server. I'm using the authorized_key_module to fetch and copy the user's generated public key as the authorized_key on the remote servers:
- authorized_key:
user: "{{ item }}"
state: present
key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
with_items:
- "{{ list_of_usernames }}"
我发现查找将失败,因为它无法访问用户的 .ssh 文件夹中的 pub 文件.但是,如果我以 root 用户身份运行 ansible(这对我来说不是我愿意接受的选项),它会运行得很愉快.
What I'm finding is that the lookup will fail as it is unable to access the pub file within the user's .ssh folder. It will run happily however if I run ansible as the root user (which for me is not an option I'm willing to take).
fatal: [<ipAddress>]: FAILED! => {"failed": true, "msg": "{{ lookup('file', '/home/testuser/.ssh/id_rsa.pub') }}: the file_name '/home/testuser/.ssh/id_rsa.pub' does not exist, or is not readable"}
除了以 root 身份运行 ansible 之外,还有更好的方法吗?
Is there a better way to do this other than running ansible as root?
对不起,我忘了提到我正在运行:是的
Sorry I had forgotten to mention that I'm running with become: yes
编辑#2:下面是我尝试运行的精简剧本,当然在这种情况下,它会将authorized_key 添加到本地主机,但显示我面临的错误:
Edit #2: Below is a condensed playbook of what I'm trying to run, of course in this instance it'll add the authorized_key to the localhost but shows the error I'm facing:
---
- hosts: all
become: yes
vars:
active_users: ['user1','user2']
tasks:
- group:
name: "users"
- user:
name: "{{ item }}"
shell: /bin/bash
group: users
generate_ssh_key: yes
with_items: "{{ active_users }}"
- authorized_key:
user: "{{ item }}"
state: present
key: "{{ lookup('file', '/home/{{ item }}/.ssh/id_rsa.pub') }}"
become: yes
become_user: "{{ item }}"
with_items:
- "{{ active_users }}"
推荐答案
好的,问题出在lookup插件上.
它在 ansible 控制主机上以运行 ansible-playbook
和 become: yes
的用户权限执行,不提升插件的权限.
OK, the problem is with lookup plugin.
It is executed on ansible control host with permissions of user that run ansible-playbook
and become: yes
don't elevate plugins' permissions.
为了克服这个问题,捕获 user
任务的结果并将其输出用于进一步的任务:
To overcome this, capture result of user
task and use its output in further tasks:
- user:
name: "{{ item }}"
shell: /bin/bash
group: docker
generate_ssh_key: yes
ssh_key_comment: "ansible-generated for {{ item }}"
with_items:
- ansible5
- ansible6
register: new_users
become: yes
- debug: msg="user {{ item.item }} pubkey {{ item.ssh_public_key }}"
with_items: "{{ new_users.results }}"
虽然您需要委派其中一些任务,但思路是一样的.
Although you need to delegate some of this tasks, the idea will be the same.
这篇关于Ansible 授权密钥模块无法读取公钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!