我正在构建一个完整的解决方案,使用 bash 脚本和 Ansible playbook 设置和强化我们的 vps (ubuntu 22.04)。我想做的是:
- 创建具有 sudo 权限的自定义组“sudogroup”
- 在此组中创建新用户“sudouser”
- 使用密钥对与该用户建立安全 SSH 连接
- 以“sudouser”而不是“root”身份执行我的 Ansible 剧本
我用以下方法做这个bash 脚本:
#------------------------------------------------------------------------------
# Prepare Vars
#------------------------------------------------------------------------------
# Remote Server Machine
IPSERVER="XXX.XXX.XXX.XXX"
ROOTUSER_NAME="root"
ROOTUSER_PASSWORD="password1"
#------------------------------------------------------------------------------
# Sudo Group & User
SUDOGROUP="sudogroup"
SUDOUSER_NAME="sudouser"
SUDOUSER_PASSWORD="password2"
#------------------------------------------------------------------------------
# SSH Connections
SSHROOTPASS=$ROOTUSER_PASSWORD
SSHCRYPTALGO="ecdsa" # rsa (regular) - dsa (not recommanded) - ecdsa (best)
SSHCRYPTBYTES="521" # Strongest: [rsa : 4096] - [dsa: 1024] - [ecdsa: 521]
SSHFILENAME="id_$SSHCRYPTALGO"
#------------------------------------------------------------------------------
# SSH Connections
SSHCRYPTALGO="ecdsa" # rsa (regular) - dsa (not recommanded) - ecdsa (best)
SSHCRYPTBYTES="521" # rsa : 4096 - dsa: 1024 - ecdsa: 521
SSHPORT="22"
SSHROOTCONN="$ROOTUSER_NAME@$IPSERVER"
SSHROOTPASS=$ROOTUSER_PASSWORD
SSHROOTOPTIONS="-p $SSHPORT -tt -o StrictHostKeyChecking=no -o BatchMode=no"
SSHROOTFILENAME="id_$SSHCRYPTALGO"
SSHADMCONN="$SUDOUSER_NAME@$IPSERVER"
SSHADMPASS=$SUDOUSER_PASSWORD
SSHADMFILENAME="id_"$SSHCRYPTALGO"_"$SUDOUSER_NAME
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Create a hidden [/home/$SUDOUSER_NAME/.ssh] directory to store SSL keys
sudo mkdir -p ~/.ssh
sudo chmod 700 ~/.ssh
#------------------------------------------------------------------------------
# Register Remote Server IP in known hosts
sudo ssh-keyscan -H $IPSERVER >> ~/.ssh/known_hosts
#------------------------------------------------------------------------------
# Create a new SUDO privileged users group & new User on remote server
#------------------------------------------------------------------------------
sshpass -p "$SSHROOTPASS" ssh $SSHROOTOPTIONS $SSHROOTCONN "bash -s" << ENDSSH01
stty -echo
# Backup [sudoers] configuration file to recover, just in case
cp --archive /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S")
#------------------------------------------------------------------------------
# Create a new group of users
groupadd $SUDOGROUP
#------------------------------------------------------------------------------
# Add [$SUDOGROUP] to [sudoers] configuration file
echo "%$SUDOGROUP ALL=(ALL:ALL) ALL" >> /etc/sudoers
#------------------------------------------------------------------------------
# Create a new sudo User named [$SUDOUSER_NAME]
useradd -m -s /bin/bash -g $SUDOGROUP $SUDOUSER_NAME
#------------------------------------------------------------------------------
# Set password of the new sudo User named [$SUDOUSER_NAME]
echo "$SUDOUSER_NAME:$SUDOUSER_PASSWORD" | chpasswd
#------------------------------------------------------------------------------
stty echo
exit
ENDSSH01
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Setup SSH Connection between local Client and remote Server
#------------------------------------------------------------------------------
# Create SSH Keys pair for [sudouser]
sudo ssh-keygen -t $SSHCRYPTALGO -b $SSHCRYPTBYTES -N "" -f ~/.ssh/$SSHADMFILENAME <<< y
sudo ssh-copy-id -i ~/.ssh/$SSHADMFILENAME.pub $SUDOUSER_NAME@$IPSERVER -o StrictHostKeyChecking=no
#------------------------------------------------------------------------------
# Send a PING to the remote server to check SSH Connection to [sudouser]
sudo ansible all -i inventory -m ping --private-key=~/.ssh/$SSHADMFILENAME
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Execute Ansible Playbook to setup remote Ubuntu 18/20/22 Remote Server
#------------------------------------------------------------------------------
sudo ansible-playbook -i inventory setup_server.yml --private-key=~/.ssh/$SSHADMFILENAME
#------------------------------------------------------------------------------
这Ansible 库存文件:
[OURVPS]
195.179.193.224
这Ansible 剧本开始如下:
#------------------------------------------------------------------------------
# ANSIBLE PLAYBOOK
#------------------------------------------------------------------------------
- name: SETUP UBUNTU 22.04 SERVER / VPS
hosts: OURVPS
remote_user: sudouser
become: yes
become_method: sudo
#------------------------------------------------------------------------------
vars:
#------------------------------------------------------------------------------
# Disable strict host key checking when connecting to remote hosts via SSH
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
...
#------------------------------------------------------------------------------
tasks:
#------------------------------------------------------------------------------
...
bash 脚本正确执行(组和用户正确设置),没有错误,直到它尝试执行 ansible playbook。
这平命令返回:
XXX.XXX.XXX.XXX | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
然后我总是收到同样的错误:
fatal: [XXX.XXX.XXX.XXX]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: [email protected]: Permission denied (publickey,password).", "unreachable": true}
我已经尝试过的:
手动连接:=> 工作正常:建立连接!
ssh [email protected]手动连接:=> 工作正常:建立连接!
ssh -o 'StrictHostKeyChecking=no' [email protected]
为什么这个 ansible playbook 拒绝正确执行???
如果我可以手动连接,那么为什么 Ansible 不能自动连接???
附言:这个问题可能与其他问题重复,但我没有得到任何与我的情况相匹配的积极见解。
答案1
好的,我找到了解决方案:我将以下两个变量添加到我的 Ansible 剧本中:
vars:
ansible_ssh_private_key_file: "/root/.ssh/id_ecdsa_sudouser"
ansible_sudo_pass: "password2"
现在,ansible playbook 可以正确运行,没有错误......