EC2 上的 Ansible 具有 bastionhost 和私钥身份验证以及 Active Directory 验证

EC2 上的 Ansible 具有 bastionhost 和私钥身份验证以及 Active Directory 验证

在我们的设置中,我们必须通过堡垒主机访问 EC2 实例。此堡垒主机连接到 Active Directory,它会验证连接用户的凭据。堡垒主机使用 ssh 密钥建立连接,我不能将其存储在堡垒主机上,而应该将其“转发”。因此,连接方式如下:

A (my PC, has key) ---- aduser/adpass ---> B (bastion host) ---- key ---> C (EC2 target)

apt install ansible我确实使用 Ansible 2.8.1(通过和来自官方 Ubuntu repo)设置了新的 Ubuntu eoan(19.10)服务器。

在我的 ~/ansible 中我创建了两个文件。其中一个是hosts

[gatewayed]
foo1 ansible_host=ip-1-2-3-4.eu-central-1.compute.internal

(IP地址已删除)

另一个group_vars/gatewayed.yml

ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q [email protected]"'

~/.ssh/id_rsa我将私钥复制到其中(chmod并将其编辑为仅供我本人使用),我必须使用它来连接 AWS 上的目标服务器。这是存储在那里的唯一密钥。

当我运行时,ansible -vvvv all -i ~/ansible/hosts -a "uname -a"系统会询问我输入的密码:

[email protected]'s password:

但是连接失败并出现以下输出(取自msg响应字段,已格式化以便于阅读):

"msg": "Failed to connect to the host via ssh: OpenSSH_8.0p1 Ubuntu-6build1, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket \"/home/ubuntu/.ansible/cp/a1ffe79391\" does not exist
debug1: Executing proxy command: exec ssh -W ip-1-2-3-4.eu-central-1.compute.internal:22 -q [email protected]
debug3: timeout: 10000 ms remain after connect
debug1: identity file /home/ubuntu/.ssh/id_rsa type -1
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: identity file /home/ubuntu/.ssh/id_xmss type -1
debug1: identity file /home/ubuntu/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0p1 Ubuntu-6build1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to ip-1-2-3-4.eu-central-1.compute.internal:22 as 'ubuntu'
debug3: hostkeys_foreach: reading file \"/home/ubuntu/.ssh/known_hosts\"
debug3: record_hostkey: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from ip-1-2-3-4.eu-central-1.compute.internal
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: [email protected],zlib,none
debug2: compression stoc: [email protected],zlib,none
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,[email protected]
debug2: compression stoc: none,[email protected]
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: [email protected]
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: [email protected]
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:szq8W0Cu8dTQwEtiHXPm62EmQZJtUsXkyxulS9UR0zw
debug3: hostkeys_foreach: reading file \"/home/ubuntu/.ssh/known_hosts\"
debug3: record_hostkey: found key type ECDSA in file /home/ubuntu/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from ip-1-2-3-4.eu-central-1.compute.internal
debug1: Host 'ip-1-2-3-4.eu-central-1.compute.internal' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:3
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/ubuntu/.ssh/id_rsa 
debug1: Will attempt key: /home/ubuntu/.ssh/id_dsa 
debug1: Will attempt key: /home/ubuntu/.ssh/id_ecdsa 
debug1: Will attempt key: /home/ubuntu/.ssh/id_ed25519 
debug1: Will attempt key: /home/ubuntu/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information\nNo Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\n\n
debug1: Unspecified GSS failure.  Minor code may provide more information\nNo Kerberos credentials available (default cache: FILE:/tmp/krb5cc_1000)\n\n
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: hostbased,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ubuntu/.ssh/id_rsa
debug3: sign_and_send_pubkey: RSA SHA256:nX/Xap0M0+mhKEb+AEYLpsF2qVftrfnelOyNgQGShcw
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Trying private key: /home/ubuntu/.ssh/id_dsa
debug3: no such identity: /home/ubuntu/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/ubuntu/.ssh/id_ecdsa
debug3: no such identity: /home/ubuntu/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/ubuntu/.ssh/id_ed25519
debug3: no such identity: /home/ubuntu/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/ubuntu/.ssh/id_xmss
debug3: no such identity: /home/ubuntu/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
    "unreachable": true

我尝试了选项-J-A使用 ssh,就像建议的那样这里,但这并没有解决问题。当我使用 Mobaxterm 时,相同的连接在同一台计算机上完美运行,但配置要容易得多(至少对我来说),因为我只需要填写 GUI 中的字段 ;-)

答案1

我通过谷歌搜索找到并整合了几个来源(抱歉,我不记得链接了。如果我记得的话,我会在这里提到它们以表示感谢)。

基本上我删除了gatewayed组和组变量,Ansible 不需要知道是否可以直接访问服务器。

然后我创建了这个~/.ssh/config文件,它适用于 ssh、scp 和 Ansible。在这三个工具中,我只需要指定更容易记住的Host别名:

Host foo1
    User ec2-user
    Hostname ip-1-2-3-4.eu-central-1.compute.internal
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/id_rsa
    ForwardAgent yes
    ProxyCommand ssh jump -W %h:%p

Host jump
    User aduser
    HostName bastion.my.company
    IdentityFile ~/.ssh/id_rsa

对于 Ansible 来说,这非常有效,我可以使用剧本或运行如下临时命令:

ansible aws --ask-pass -i ~/ansible/hosts -a "uname"

在我的场景中,添加这一点很重要,--ask-pass因为只有一个连接由私钥保护,而另一个连接需要密码aduser

相关内容