我想通过 ansible 激活 systemd-homed 主目录,如何以编程方式向 systemd 密码代理提供密码?
看来我不能简单地将密码直接传递给 homectl activate ......
$ echo $PASSWORD | homectl activate $USER
Broadcast message from root@...:
Password entry required for 'Please enter password for user user:' (PID 1319).
Please enter password with the systemd-tty-ask-password-agent tool.
答案1
我没有找到任何方法将密码传递给,homectl unlock但是 ansible 可以提供密码su,提供--login选项以su使其调用 pam,这将依次解锁 systemd 主目录。
当不使用 ansible 时,类似的构造cat "${passwordfile}" | sudo -Siu "${user}" COMMAND应该类似地工作。
在我的 ansible 剧本中,为了防止不必要的卸载和重新安装,我选择在主目录上设置锁定。此外,我还选择在 su 登录 shell 中运行作用于用户主目录的所有命令;嗯嗯:
- name: act in users homedir
become: true
become_user: "{{user.name}}"
become_method: su
become_flags: '--login'
vars:
ansible_become_pass: "{{user.password}}"
block:
- name: lock user dir to prevent home unmount
command: "flock -x -w 10 \"/home/{{user}}\" -c 'sleep 600'"
# ...
always:
- name: Release the lock
command: "killall -u {{user}} flock"
ignore_errors: true
如果您不想成为在 systemd 主目录中执行操作的用户,这可能是一种替代方法:
# Note: The user directory will unmount automatically after 600s.
# Change to 'sleep infinity' if this bothers you.
- name: act in users homedir
block:
- name: lock user dir to prevent home unmount
command: "flock -x -w 10 \"/home/{{user}}\" -c 'sleep 600'"
become: true
become_user: "{{user.name}}"
become_method: su
become_flags: '--login'
vars:
ansible_become_pass: "{{user.password}}"
# ...
always:
- name: Release the lock
command: "killall -u {{user}} flock"
ignore_errors: true
答案2
手动控制...查找--identity...它不接受来自 stdin 的密码,但接受来自 json 文件的哈希值。