我正在建立一個完整的解決方案,使用 bash 腳本和 Ansible 劇本來設定和強化我們的 vps (ubuntu 22.04)。我想做的是:
- 建立具有 sudo 權限的自訂群組“sudogroup”
- 在此群組中建立新使用者“sudouser”
- 使用金鑰對與該用戶建立安全 SSH 連接
- 以「sudouser」而非「root」身分執行我的 Ansible playbook
我正在使用以下方法執行此操作bash腳本:
#------------------------------------------------------------------------------
# Prepare Vars
#------------------------------------------------------------------------------
# Remote Server Machine
IPSERVER="XXX.XXX.XXX.XXX"
ROOTUSER_NAME="root"
ROOTUSER_PASSWORD="password1"
#------------------------------------------------------------------------------
# Sudo Group & User
SUDOGROUP="sudogroup"
SUDOUSER_NAME="sudouser"
SUDOUSER_PASSWORD="password2"
#------------------------------------------------------------------------------
# SSH Connections
SSHROOTPASS=$ROOTUSER_PASSWORD
SSHCRYPTALGO="ecdsa" # rsa (regular) - dsa (not recommanded) - ecdsa (best)
SSHCRYPTBYTES="521" # Strongest: [rsa : 4096] - [dsa: 1024] - [ecdsa: 521]
SSHFILENAME="id_$SSHCRYPTALGO"
#------------------------------------------------------------------------------
# SSH Connections
SSHCRYPTALGO="ecdsa" # rsa (regular) - dsa (not recommanded) - ecdsa (best)
SSHCRYPTBYTES="521" # rsa : 4096 - dsa: 1024 - ecdsa: 521
SSHPORT="22"
SSHROOTCONN="$ROOTUSER_NAME@$IPSERVER"
SSHROOTPASS=$ROOTUSER_PASSWORD
SSHROOTOPTIONS="-p $SSHPORT -tt -o StrictHostKeyChecking=no -o BatchMode=no"
SSHROOTFILENAME="id_$SSHCRYPTALGO"
SSHADMCONN="$SUDOUSER_NAME@$IPSERVER"
SSHADMPASS=$SUDOUSER_PASSWORD
SSHADMFILENAME="id_"$SSHCRYPTALGO"_"$SUDOUSER_NAME
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Create a hidden [/home/$SUDOUSER_NAME/.ssh] directory to store SSL keys
sudo mkdir -p ~/.ssh
sudo chmod 700 ~/.ssh
#------------------------------------------------------------------------------
# Register Remote Server IP in known hosts
sudo ssh-keyscan -H $IPSERVER >> ~/.ssh/known_hosts
#------------------------------------------------------------------------------
# Create a new SUDO privileged users group & new User on remote server
#------------------------------------------------------------------------------
sshpass -p "$SSHROOTPASS" ssh $SSHROOTOPTIONS $SSHROOTCONN "bash -s" << ENDSSH01
stty -echo
# Backup [sudoers] configuration file to recover, just in case
cp --archive /etc/sudoers /etc/sudoers-COPY-$(date +"%Y%m%d%H%M%S")
#------------------------------------------------------------------------------
# Create a new group of users
groupadd $SUDOGROUP
#------------------------------------------------------------------------------
# Add [$SUDOGROUP] to [sudoers] configuration file
echo "%$SUDOGROUP ALL=(ALL:ALL) ALL" >> /etc/sudoers
#------------------------------------------------------------------------------
# Create a new sudo User named [$SUDOUSER_NAME]
useradd -m -s /bin/bash -g $SUDOGROUP $SUDOUSER_NAME
#------------------------------------------------------------------------------
# Set password of the new sudo User named [$SUDOUSER_NAME]
echo "$SUDOUSER_NAME:$SUDOUSER_PASSWORD" | chpasswd
#------------------------------------------------------------------------------
stty echo
exit
ENDSSH01
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Setup SSH Connection between local Client and remote Server
#------------------------------------------------------------------------------
# Create SSH Keys pair for [sudouser]
sudo ssh-keygen -t $SSHCRYPTALGO -b $SSHCRYPTBYTES -N "" -f ~/.ssh/$SSHADMFILENAME <<< y
sudo ssh-copy-id -i ~/.ssh/$SSHADMFILENAME.pub $SUDOUSER_NAME@$IPSERVER -o StrictHostKeyChecking=no
#------------------------------------------------------------------------------
# Send a PING to the remote server to check SSH Connection to [sudouser]
sudo ansible all -i inventory -m ping --private-key=~/.ssh/$SSHADMFILENAME
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Execute Ansible Playbook to setup remote Ubuntu 18/20/22 Remote Server
#------------------------------------------------------------------------------
sudo ansible-playbook -i inventory setup_server.yml --private-key=~/.ssh/$SSHADMFILENAME
#------------------------------------------------------------------------------
這Ansible 庫存文件:
[OURVPS]
195.179.193.224
這Ansible 手冊像這樣開始:
#------------------------------------------------------------------------------
# ANSIBLE PLAYBOOK
#------------------------------------------------------------------------------
- name: SETUP UBUNTU 22.04 SERVER / VPS
hosts: OURVPS
remote_user: sudouser
become: yes
become_method: sudo
#------------------------------------------------------------------------------
vars:
#------------------------------------------------------------------------------
# Disable strict host key checking when connecting to remote hosts via SSH
ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
...
#------------------------------------------------------------------------------
tasks:
#------------------------------------------------------------------------------
...
bash 腳本正確執行(群組和使用者已正確設定),沒有錯誤,直到它嘗試執行 ansible playbook。
這平命令返回:
XXX.XXX.XXX.XXX | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python3"
},
"changed": false,
"ping": "pong"
}
然後,我總是收到相同的錯誤:
fatal: [XXX.XXX.XXX.XXX]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: [email protected]: Permission denied (publickey,password).", "unreachable": true}
我已經嘗試過的:
手動連線:=> 運作正常:連線已建立!
ssh [email protected]手動連線:=> 運作正常:連線已建立!
ssh -o 'StrictHostKeyChecking=no' [email protected]
為什麼這個 ansible 劇本拒絕正確執行?
如果我可以手動連接,那麼為什麼 Ansible 不能自動連接?
PS:這個問題可能與其他可用問題重複,但我沒有得到任何與我的案例相符的正面見解。
答案1
好的,我找到了解決方案:我將以下兩個變數新增到我的 Ansible 劇本中:
vars:
ansible_ssh_private_key_file: "/root/.ssh/id_ecdsa_sudouser"
ansible_sudo_pass: "password2"
現在,ansible playbook 可以正確運行,沒有錯誤...