我正在尝试通过 ansible (和 ) 在少数远程服务器上重新生成 ssh 主机密钥ssh-keygen,但文件似乎没有显示出来。剧本运行正常,但远程上的文件没有被更改。
我需要诉诸echo -e黑客技术,因为这些遥控器运行的是 Ubuntu 14.04,并且没有正确的python-pexpect可用版本(根据 ansible)。
我错过了什么?我的剧本和输出如下:
剧本
---
- hosts: all
become: true
gather_facts: false
tasks:
- name: Generate /etc/ssh/ RSA host key
command : echo -e 'y\n'|ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""
register: output
- debug: var=output.stdout_lines
- name: Generate /etc/ssh/ DSA host key
command : echo -e 'y\n'|ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C "" -N ""
register: output
- debug: var=output.stdout_lines
- name: Generate /etc/ssh/ ECDSA host key
command : echo -e 'y\n'|ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C "" -N ""
register: output
- debug: var=output.stdout_lines
输出
$ ansible-playbook ./playbooks/ssh-hostkeys.yml -l myhost.mydom.com,
SUDO password:
PLAY [all] **********************************************************************************************
TASK [Generate /etc/ssh/ RSA host key] ******************************************************************
changed: [myhost.mydom.com]
TASK [debug] ********************************************************************************************
ok: [myhost.mydom.com] => {
"output.stdout_lines": [
"y",
"|ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C -N "
]
}
TASK [Generate /etc/ssh/ DSA host key] ******************************************************************
changed: [myhost.mydom.com]
TASK [debug] ********************************************************************************************
ok: [myhost.mydom.com] => {
"output.stdout_lines": [
"y",
"|ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C -N "
]
}
TASK [Generate /etc/ssh/ ECDSA host key] ****************************************************************
changed: [myhost.mydom.com]
TASK [debug] ********************************************************************************************
ok: [myhost.mydom.com] => {
"output.stdout_lines": [
"y",
"|ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C -N "
]
}
PLAY RECAP **********************************************************************************************
myhost.mydom.com : ok=6 changed=3 unreachable=0 failed=0
答案1
据我所知,您需要将“y”管道传输到 ssh-keygen 的唯一原因是您的命令正在替换现有文件。在我看来,这不是从配置管理工具执行某些操作的好方法。
您应该调整任务以使其具有幂等性。具体来说,如果您将添加creates: filename到命令中,则只有当新密钥尚不存在时才会创建新密钥,而不是每次运行该剧本时都将其替换。
---
- hosts: all
become: true
gather_facts: false
tasks:
- name: Generate /etc/ssh/ RSA host key
command : ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_rsa_key
- name: Generate /etc/ssh/ DSA host key
command : ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_dsa_key
- name: Generate /etc/ssh/ ECDSA host key
command : ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C "" -N ""
args:
creates: /etc/ssh/ssh_host_ecdsa_key
如果出于某种原因您想要替换这些密钥(例如它们太旧或其他原因),您可能需要添加另一个任务来删除它们。这是一个简单的删除
- file:
state: absent:
path: "{{item}}"
loop:
- /etc/ssh/ssh_host_rsa_key
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_ecdsa_key
如果您想删除在特定时间之前生成的文件,您可以使用 stat 模块来检索有关此文件的详细信息,并设置when条件以有选择地删除它们(如果它们早于某个日期或某个时间)。
答案2
使用特殊模块完成此任务:
- name: Generate an OpenSSH keypair with the default values (4096 bits, rsa)
openssh_keypair:
path: /home/youruser/.ssh/id_rsa
owner: youruser
group: youruser
- name: Fix owner of the generated pub key
file:
path: /home/youruser/.ssh/id_rsa.pub
owner: youruser
group: youruser
答案3
答案4
抱歉,但我无法在任务中使用“创建”。我收到以下错误:
ERROR! 'creates' is not a valid attribute for a Task
因此,我使用以下任务:
- name: remove existing ssh_host keys
file: path={{ item }} state=absent
with_items:
- "/etc/ssh/ssh_host_rsa_key"
- "/etc/ssh/ssh_host_dsa_key"
- "/etc/ssh/ssh_host_ecdsa_key"
- name: Generate /etc/ssh/ RSA host key
command : ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C "" -N ""
- name: Generate /etc/ssh/ DSA host key
command : ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C "" -N ""
- name: Generate /etc/ssh/ ECDSA host key
command : ssh-keygen -q -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -C "" -N ""