Problem with authorized_keys with ansible

I am tying my brain in knots over the permissions on .ssh/authorized_keys.

My ansible playbook works perfectly for creating my users on my server; I just want to change the permissions of /home/user, /home/user/.ssh and finally /home/user/.ssh/authorized_keys, because they are not correct by default. I can't find where the problem is.

---
- hosts: all
  become: true
  tasks:
  - name: Creation groupe dev
    group:
      name: dev
      state: present

  - name: Creation des utilisateurs
    user:
      name: "{{ item.path }}"
      group: dev
      state: present
      password: "{{ lookup('password', '/dev/null') |password_hash('sha512') }}"
      update_password: on_create
    with_filetree: xx_pub_keys/

  - name: copie des clés SSH
    authorized_key:
      user: "{{ item.path }}"
      key: "{{ lookup('file', 'xx_pub_keys/' + item.path ) }}"
      state: present
    with_filetree: xx_pub_keys/

  - name: droits repertoires
    command:
      chmod go-w /home/{{ user.path }} && \
      chmod 700 /home/{{ user.path }} && \
      chmod 644 /home/{{ user.path }}/.ssh/authorized_keys

  - name: "Suppression des users eventuels"
    user:
      name: "{{ item.path }}"
      state: absent
      remove: true
    with_filetree: xx_pub_remove/

  - name: Allow admin users to sudo without a password
    lineinfile:
      dest: "/etc/sudoers"
      state: "present"
      regexp: "^%admin"
      line: "%admin ALL=(ALL) NOPASSWD: ALL"

  - name: restart sshd
    service: name=ssh state=restarted ...

So in the "directory rights" part I tried user.path, item.path, a short item with with_items ... I don't know...

In short, I welcome any correction.

Thanks in advance

If I look at the task

  - name: droits repertoires
    command:
      chmod go-w /home/{{ user.path }} && \
      chmod 700 /home/{{ user.path }} && \
      chmod 644 /home/{{ user.path }}/.ssh/authorized_keys

Removing write permission from group and others makes no sense if you then set the absolute mode to 700. In other words, the first command is redundant.

Then, whenever a module exists for such a task, always prefer the module over command. So here you would use the file module twice instead of the command module:

  - name: "check or change /home/{{ user.path }}"
    file:
      path: /home/{{ user.path }}
      state: touch
      mode: '700'
  - name: "check or change /home/{{ user.path }}/.ssh/authorized_keys"
    file:
      path: /home/{{ user.path }}/.ssh/authorized_keys
      state: touch
      mode: '644'
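Here is a complete version of the permission tasks, added as an example and not taken from either post above. It uses the file module with the loop variable that with_filetree actually provides, item.path (user.path is not defined by that loop, which is why both variants in the question fail), and it assumes the same xx_pub_keys/ layout as the question, one public-key file per user named after the user. The group "dev", the 0600 mode on authorized_keys and the "when" filter on item.state are choices made here.

```yaml
# Added example (not from the question or the answer): permission tasks done
# with the file module instead of command. Assumes the question's xx_pub_keys/
# directory, where with_filetree exposes each key file's name as item.path.

- name: home directory must not be group- or world-writable
  file:
    path: "/home/{{ item.path }}"
    state: directory          # idempotent: reports changed only when mode/owner differ
    owner: "{{ item.path }}"
    group: dev
    mode: '0700'
  with_filetree: xx_pub_keys/
  when: item.state == 'file'  # skip sub-directories of xx_pub_keys/, if any

- name: .ssh directory
  file:
    path: "/home/{{ item.path }}/.ssh"
    state: directory
    owner: "{{ item.path }}"
    group: dev
    mode: '0700'
  with_filetree: xx_pub_keys/
  when: item.state == 'file'

- name: authorized_keys file
  file:
    path: "/home/{{ item.path }}/.ssh/authorized_keys"
    state: file               # fails if the file is missing, i.e. if the authorized_key task did not run
    owner: "{{ item.path }}"
    group: dev
    mode: '0600'
  with_filetree: xx_pub_keys/
  when: item.state == 'file'
```

Two things worth knowing when deciding whether you need all three tasks. sshd's StrictModes option (on by default) refuses a key file whenever the home directory, ~/.ssh or authorized_keys is writable by group or others, so 0700/0600 is what the check requires, not just a convention. The authorized_key module already creates ~/.ssh with mode 0700 and authorized_keys with mode 0600 when it adds a key, so in practice the task that matters is the one on the home directory, which the user module creates with the system's default mode. Also note why the original command task could never work even with the right variable: the command module does not go through a shell, so "&&" is passed to chmod as a literal argument rather than chaining the three commands.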