在 Ansible 中处理带有特殊字符的密码 [英] Dealing with a password with special characters in Ansible

问题描述

我正在尝试使用 ansible_ssh_pass 选项运行 ansible playbook 以连接到目标服务器.

I'm trying to run an ansible playbook with the ansible_ssh_pass option to connect to the destination server.

ansible-playbook test-playbook.yml -i hosts -u daniel --extra-vars "{"ansible_ssh_pass":"u5!vuL!<35Lf?<>n'x"}"

问题是密码有特殊字符.我尝试使用保存它.

The problem is that the password has special characters. I tried saving it using.

"password\'s"
"password"
"\"password\""

知道如何保存密码吗?

推荐答案

可能有点晚了，但具体问题的确切解决方案是:

Probably a little late but the exact solution to your specific problem is:

ansible-playbook test-playbook.yml -i hosts -u daniel --extra-vars ansible_ssh_pass=$'"u5!vuL!<35Lf?<>n\'x"'

shell 对 $'<string>' 进行特殊处理并转义内部的单引号(参见反斜杠)

The shell treats $'<string>' specially and escapes the single quote inside (see the backslash)

最外面的双引号是必要的，这样 jinja2 模板引擎就不会在 ansible 内部混淆.

The outermost double quotes are necessary so that jinja2 template engine does not get confused inside ansible.

话虽如此，出于至少两个原因，运行这样的命令是一个很糟糕的主意:

That being said, it is quite a bad idea to run the command like this for at least two reasons:

• 它不安全.任何有权访问计算机上的进程列表或您的 shell 历史记录的人都将能够看到密码.
• 它不灵活.命令行上提供的 Ansible 额外变量具有最高优先级.如果您使用不同的 ssh 密码在清单中添加其他主机，您将无法区分这两个密码.

对于第一个问题，如果您确定只有一台机器(或在任何地方都使用相同的密码)，您可以使用 vars_prompt 以交互方式询问密码，例如 (http://docs.ansible.com/ansible/latest/user_guide/playbooks_prompts.html)

For the first problem, and if you are sure you will only have one machine (or the same password everywhere), you could ask for the password interactively with vars_prompt for example (http://docs.ansible.com/ansible/latest/user_guide/playbooks_prompts.html)

解决这两个问题的最佳方法是使用保管库加密将密码添加到特定主机的清单中.然后，您可以在调用 playbook 时以交互方式 (--ask-vault-pass) 或通过安全性良好的保险库密码文件 (--vault-password-file=) 提供整个保险库密码.

The best approach solving both issues is to add the password using vault encryption to your inventory for the particular host. You then provide the overall vault password interactively (--ask-vault-pass) or through a well secured vault password file (--vault-password-file=) when you call the playbook.

这篇关于在 Ansible 中处理带有特殊字符的密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！