Problem with authorized_keys with ansible
I am tying my brain in knots over a permissions problem with .ssh/authorized_keys.
My ansible script works perfectly for creating my users on my server; I just want to change the permissions of /home/user, /home/user/.ssh and finally /home/user/.ssh/authorized_keys, because by default they are not correct.
I can't find where the problem is.
---
- hosts: all
  become: true
  tasks:
    - name: Creation groupe dev
      group:
        name: dev
        state: present
    - name: Creation des utilisateurs
      user:
        name: "{{ item.path }}"
        group: dev
        state: present
        password: "{{ lookup('password', '/dev/null') |password_hash('sha512') }}"
        update_password: on_create
      with_filetree: xx_pub_keys/
    - name: copie des clés SSH
      authorized_key:
        user: "{{ item.path }}"
        key: "{{ lookup('file', 'xx_pub_keys/' + item.path ) }}"
        state: present
      with_filetree: xx_pub_keys/
    - name: droits repertoires
      # as posted: 'user' is never defined, there is no loop, and the command
      # module does not run through a shell, so '&&' is passed to chmod literally
      command:
        chmod go-w /home/{{ user.path }} && \
        chmod 700 /home/{{ user.path }} && \
        chmod 644 /home/{{ user.path }}/.ssh/authorized_keys
    - name: "Suppression des users eventuels"
      user:
        name: "{{ item.path }}"
        state: absent
        remove: true
      with_filetree: xx_pub_remove/
    - name: Allow admin users to sudo without a password
      lineinfile:
        dest: "/etc/sudoers"
        state: "present"
        regexp: "^%admin"
        line: "%admin ALL=(ALL) NOPASSWD: ALL"
    - name: restart sshd
      service: name=ssh state=restarted ...
So in the "directory rights" part I tried user.path, item.path, a short with_items...
I don't know...
Anyway, I welcome any correction.
Thanks in advance
If I look at the task
    - name: droits repertoires
      command:
        chmod go-w /home/{{ user.path }} && \
        chmod 700 /home/{{ user.path }} && \
        chmod 644 /home/{{ user.path }}/.ssh/authorized_keys
Removing the write permission from group and others makes no sense if you then set the absolute permission to 700 afterwards. In other words, the first command is redundant.
Then, if a module exists for such a task, always prefer the module over command. So here you would use the file module twice instead of the command module:
    - name: "check or change /home/{{ item.path }}"
      file:
        path: "/home/{{ item.path }}"
        state: directory   # 'touch' would report 'changed' on every run
        mode: '0700'
      # 'user' is never defined; loop over the key files like the other tasks
      with_filetree: xx_pub_keys/
    - name: "check or change /home/{{ item.path }}/.ssh/authorized_keys"
      file:
        path: "/home/{{ item.path }}/.ssh/authorized_keys"
        state: file        # already created by authorized_key; only fix the mode
        mode: '0644'
      with_filetree: xx_pub_keys/
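As an added example that is not part of the question or the answer: a small POSIX shell audit applying the rule sshd's StrictModes enforces on the home directory, .ssh and authorized_keys (none of them may be group- or world-writable; readability of authorized_keys is not the problem), run against a constructed directory tree. It assumes GNU coreutils `stat -c '%a'`.

```shell
#!/bin/sh
# Audit the permission chain sshd inspects before trusting ~/.ssh/authorized_keys.
# Every path must exist and must not be writable by group or others (mask 022).
# Returns 0 when the chain is clean, 1 otherwise.
check_ssh_perms() {
    home="$1"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "MISSING  $p"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$p")               # e.g. 775 or 4755 (GNU stat assumed)
        if [ $(( 0$mode & 022 )) -ne 0 ]; then  # leading 0 makes the shell read octal
            echo "WRITABLE $p (mode $mode)"; rc=1
        else
            echo "ok       $p (mode $mode)"
        fi
    done
    return $rc
}

# Constructed fixture: build_home DIR HOME_MODE SSH_MODE KEY_MODE
build_home() {
    mkdir -p "$1/.ssh"; : > "$1/.ssh/authorized_keys"
    chmod "$2" "$1"; chmod "$3" "$1/.ssh"; chmod "$4" "$1/.ssh/authorized_keys"
}

# Demonstration: the loose modes the question describes, then the corrected ones.
demo_dir=$(mktemp -d)
build_home "$demo_dir/user" 775 775 664
check_ssh_perms "$demo_dir/user" || echo "-> sshd StrictModes would ignore this authorized_keys"
build_home "$demo_dir/user" 700 700 644
check_ssh_perms "$demo_dir/user" && echo "-> chain is clean"
rm -rf "$demo_dir"
```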