Ansible creating a user on Windows appends ".EC2AMAZ-ELNOCH3" to the username

I built a Windows Server 2019 AMI with Packer, using Ansible as the provisioner.

I added a user jenkins and copied the SSH files (public/private key, known_hosts, authorized_keys) to C:\Users\jenkins\.ssh.

This is the relevant part of my Ansible playbook:

    - name: Ensure user jenkins is present
      ansible.windows.win_user:
        name: jenkins
        password: ***REDACTED***
        state: present
        groups:
          - Users

    - name: Create directory structure
      ansible.windows.win_file:
        path: C:\Temp\
        state: directory

    - name: Allow write and execute access to User jenkins
      ansible.windows.win_acl:
        user: jenkins
        path: C:\Temp
        type: allow
        rights: ExecuteFile,Write

    - name: Copy SSH keys
      ansible.windows.win_copy:
        src: ./files/.ssh
        dest: C:\Users\jenkins
      vars:
        ansible_become_user: jenkins
        ansible_become_password: ***REDACTED***
        # The tmp dir must be set when using win_copy as another user
        # This ensures the become user will have permissions for the operation
        # Make sure to specify a folder both the ansible_user and the become_user have access to (i.e not %TEMP% which is user specific and requires Admin)
        ansible_remote_tmp: C:\Temp

I launch an EC2 instance from this AMI.

I log in with ssh:

ssh -i ~/.ssh/***REDACTED***.pem jenkins@ec2-***REDACTED***.compute.amazonaws.com -vvv

I cannot log in with the SSH key, but I can log in with the password.

This is the SSH debug log:

debug3: load_hostkeys: loaded 1 keys from ***REDACTED***
debug1: Host 'ec2-***REDACTED***.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/amedee/.ssh/known_hosts:161
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/amedee/.ssh/***REDACTED***.pem  explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/amedee/.ssh/***REDACTED***.pem
debug3: sign_and_send_pubkey: RSA SHA256:3OWWXRDheAUWZ9kxRiSJPvwFy1/Nh3//CdbLirDuFSM
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:3OWWXRDheAUWZ9kxRiSJPvwFy1/Nh3//CdbLirDuFSM
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: 
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jenkins@***REDACTED***.compute.amazonaws.com's password:

Then Windows greets me like this:

Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>

So I am not logged in as user jenkins but as user jenkins.EC2AMAZ-ELNOCH3.

A user jenkins also exists:

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>dir .. 
 Volume in drive C has no label.
 Volume Serial Number is E43B-9F7E

 Directory of C:\Users

12/11/2020  02:19 PM    <DIR>          .
12/11/2020  02:19 PM    <DIR>          ..
12/11/2020  01:51 PM    <DIR>          Administrator
12/11/2020  02:02 PM    <DIR>          jenkins
12/11/2020  02:22 PM    <DIR>          jenkins.EC2AMAZ-ELNOCH3 
12/12/2018  07:45 AM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)  12,552,163,328 bytes free

It has the SSH files I copied with Ansible:

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>dir ..\jenkins\.ssh
 Volume in drive C has no label.
 Volume Serial Number is E43B-9F7E

 Directory of C:\Users\jenkins\.ssh

12/11/2020  02:02 PM    <DIR>          .
12/11/2020  02:02 PM    <DIR>          ..
11/13/2020  10:57 AM             1,221 authorized_keys    
11/13/2020  10:57 AM             1,675 id_rsa
11/13/2020  10:57 AM               401 id_rsa.pub
11/13/2020  10:57 AM             7,962 known_hosts        
               4 File(s)         11,259 bytes
               2 Dir(s)  12,552,081,408 bytes free

When I try to SSH with .EC2AMAZ-ELNOCH3 appended to the username, I cannot log in with the password:

ssh -i ~/.ssh/***REDACTED***.pem jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com -vvv
.
.
.
debug1: Next authentication method: password
jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com's password: 
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com's password:

When I am logged in as user jenkins.EC2AMAZ-ELNOCH3, I copy the files from C:\Users\jenkins\.ssh\ to C:\Users\jenkins.EC2AMAZ-ELNOCH3\.ssh\ and disconnect. The next time I log in with SSH, passwordless login works fine, which proves that my SSH key is correct but was in the wrong directory.

I don't want this user jenkins.EC2AMAZ-ELNOCH3 to exist. How do I make sure that only the user jenkins exists?

FYI, I am only familiar with Linux, so if your answer contains advanced Windows terminology, please elaborate. The last Windows version I used was Windows 3.11. This is also the first time I have done anything with Ansible, but I am fairly confident I understand the gist of it.

Answer 1

jenkins@EC2AMAZ-ELNOCH3 means you are logged in to the machine EC2AMAZ-ELNOCH3 as user jenkins.
C:\Users\jenkins.EC2AMAZ-ELNOCH3 means that at login Windows found that the folder C:\Users\jenkins already existed but was not the correct folder for user jenkins; so Windows had to create a new user profile folder.

If you log in to a computer named bar with a local user account named foo, your default user profile folder will be C:\Users\foo; but if this folder already exists and Windows cannot map it to the actual user account (for whatever reason), it will create a new folder; to avoid duplicate folder names, Windows appends the computer name to it, so the new user profile folder will be called C:\Users\foo.bar.

This has nothing to do with the username, which is still, definitely, foo.

As for why this happened, I am not sure either. But this is standard Windows behaviour for duplicate user profile folders.

Answer 2

Use community.windows.win_user_profile (Manages Windows user profiles). Create the profile directory right after creating the user, and only then copy the files.

Here is how to do it in Ansible:

    - name: Ensure user jenkins is present
      ansible.windows.win_user:
        name: jenkins
        password: ***REDACTED***
        state: present
        groups:
          - Users

    - name: Create a profile for user jenkins at C:\Users\jenkins
      community.windows.win_user_profile:
        username: jenkins
        name: jenkins
        state: present

    - name: Create directory structure
      ansible.windows.win_file:
        path: C:\Temp\
        state: directory

    - name: Allow write and execute access to User jenkins
      ansible.windows.win_acl:
        user: jenkins
        path: C:\Temp
        type: allow
        rights: ExecuteFile,Write

    - name: Copy SSH keys
      ansible.windows.win_copy:
        src: ./files/.ssh
        dest: C:\Users\jenkins
      vars:
        ansible_become_user: jenkins
        ansible_become_password: ***REDACTED***
        # The tmp dir must be set when using win_copy as another user
        # This ensures the become user will have permissions for the operation
        # Make sure to specify a folder both the ansible_user and the become_user have access to (i.e not %TEMP% which is user specific and requires Admin)
        ansible_remote_tmp: C:\Temp
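A PowerShell check, added here and not part of the question or either answer, that reads the ProfileList registry key Windows consults at logon and prints which profile folder each local account actually resolves to. It flags the "duplicate profile folder" case Answer 1 describes (account jenkins bound to C:\Users\jenkins.EC2AMAZ-ELNOCH3) and, after running the playbook in Answer 2, confirms that authorized_keys sits in the folder the account really uses. The account name jenkins is taken from the page; everything else is standard Windows cmdlets and registry paths.

```powershell
# Added example (not from the question or either answer).
# Windows records the SID -> profile folder binding under ProfileList; Win32-OpenSSH
# looks for authorized_keys under that folder, not under C:\Users\<name>.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileMapping {
    Get-ChildItem -Path $profileList | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $account = '<unresolved>'   # stale entry whose account was deleted
        }
        $user = $account.Split('\')[-1]
        # Mismatch: folder leaf name differs from the account name (e.g. jenkins.EC2AMAZ-ELNOCH3)
        $mismatch = ($account -ne '<unresolved>') -and ((Split-Path -Leaf $path) -ne $user)
        [pscustomobject]@{ Account = $account; ProfilePath = $path; Mismatch = $mismatch }
    }
}

# Report the mapping and warn about folders that will surprise an SSH login.
$map = Get-ProfileMapping
$map | Format-Table -AutoSize
$map | Where-Object Mismatch | ForEach-Object {
    $name = $_.Account.Split('\')[-1]
    Write-Warning ("Account {0} logs in to {1}; keys under C:\Users\{2} are not used" -f $_.Account, $_.ProfilePath, $name)
}

# Verify the key file is in the mapped profile folder and review who may access it.
# Win32-OpenSSH (StrictModes) rejects authorized_keys that other users can access,
# so the ACL should list only the owner, SYSTEM and Administrators.
$jenkins = $map | Where-Object { $_.Account -like '*\jenkins' }
if ($jenkins) {
    $keyFile = Join-Path $jenkins.ProfilePath '.ssh\authorized_keys'
    if (Test-Path $keyFile) {
        (Get-Acl $keyFile).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    } else {
        Write-Warning "No authorized_keys under $($jenkins.ProfilePath)"
    }
} else {
    Write-Warning 'Account jenkins has no profile yet; it is created at first logon or by win_user_profile'
}
```

Run it in an elevated PowerShell on the instance; a clean result shows jenkins mapped to C:\Users\jenkins with no Mismatch rows.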
