Ansible - 在playbook执行期间更改SSH用户

4
我是一个新手,对于ansible不太了解,希望有人可以帮助我进行配置。 我有多个服务器的清单。这些服务器的SSH访问是使用PEM密钥文件保护的。
我有一个playbook,并想要将ansible ssh用户(默认为devops)更改为root,如果远程主机上不存在用户devops。使用用户名和密码登录root帐户。
这是我的playbook:
- name: Deploy "devops" user on my_new_hosts
  hosts: my_new_hosts
  gather_facts: false

tasks: 
  - name: Test User "devops"
    local_action: "command ssh -q -o BatchMode=yes -o ConnectTimeout=3 {{ inventory_hostname }} 'echo ok'"
    register: test_devops
    ignore_errors: true
    changed_when: false

  - name: Create User "devops"
    remote_user: "{{ test_devops | success | ternary(omit, 'root') }}"
    user:
      name: "devops"
      update_password: on_create
      groups: "sudo"
      append: yes
      shell: "/bin/bash"
      skeleton: "/etc/skel"
      create_home: yes

我按照这篇文章的说明进行操作:Ansible: Check if my user exists on remote host, else use root user to connect with ssh 我使用本地ssh-agent来保存我的devops用户的密码。如何强制要求root用户输入密码?
    TASK [Create User "devops"] ****************************************************
    task path: /etc/ansible/playbooks/cms_deploy_user_devops_with_root.yml:13
    Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/system/user.py
    <my-host> ESTABLISH SSH CONNECTION FOR USER: root
    <my-host> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/devops/.ansible/cp/ansible-ssh-%h-%p-%r my-host '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1529062422.28-123292817615678 `" && echo ansible-tmp-1529062422.28-123292817615678="` echo ~/.ansible/tmp/ansible-tmp-1529062422.28-123292817615678 `" ) && sleep 0'"'"''
    fatal: [my-host]: UNREACHABLE! => {
        "changed": false,
        "unreachable": true
    }

    MSG:

    Failed to connect to the host via ssh: OpenSSH_7.4p1 Raspbian-10+deb9u3, OpenSSL 1.0.2l  25 May 2017
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: auto-mux: Trying existing master
    debug1: Control socket "/home/devops/.ansible/cp/ansible-ssh-my-host-22-root" does not exist
    debug2: resolving "my-host" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to my-host [192.168.xx.xx] port 22.
    debug2: fd 3 setting O_NONBLOCK
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug3: timeout: 10000 ms remain after connect
    debug1: identity file /home/devops/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
    debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10 pat OpenSSH_6.6.1* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to my-host:22 as 'root'
    debug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:5
    debug3: load_hostkeys: loaded 1 keys from my-host
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: zlib@openssh.com,zlib,none
    debug2: compression stoc: zlib@openssh.com,zlib,none
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: MACs ctos: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: MACs stoc: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:frX/+3pJF0LBtAnLE0j3rIbXOC/bGIsUflTcwQWBrHA
    debug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:5
    debug3: load_hostkeys: loaded 1 keys from my-host
    debug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:6
    debug3: load_hostkeys: loaded 1 keys from 192.168.xx.xx
    debug1: Host 'my-host' is known and matches the ECDSA host key.
    debug1: Found key in /home/devops/.ssh/known_hosts:5
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug2: key: /home/devops/.ssh/id_rsa (0x1d17d58), agent
    debug2: key: /home/devops/.ssh/id_dsa ((nil))
    debug2: key: /home/devops/.ssh/id_ecdsa ((nil))
    debug2: key: /home/devops/.ssh/id_ed25519 ((nil))
    debug3: send packet: type 5
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/devops/.ssh/id_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/devops/.ssh/id_dsa
    debug3: no such identity: /home/devops/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: /home/devops/.ssh/id_ecdsa
    debug3: no such identity: /home/devops/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /home/devops/.ssh/id_ed25519
    debug3: no such identity: /home/devops/.ssh/id_ed25519: No such file or directory
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey,password).

有人能帮我或解释一下我的谬误在哪里吗?


谢谢你的提示。我会进行更改。 - thomas tugend
你能否使用-vvvv选项以获取更多输出并执行相同的命令? - user9008857
我编辑了我的问题并粘贴了额外的调试输出 (-vvvv)。 - thomas tugend
2个回答

0

这是与您的SSH密钥有关的问题。

您必须正确添加您的公钥/私钥。

debug3: no such identity: /home/devops/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/devops/.ssh/id_ecdsa
debug3: no such identity: /home/devops/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/devops/.ssh/id_ed25519
debug3: no such identity: /home/devops/.ssh/id_ed25519: No such file or directory

请使用以下命令将密钥添加到您的代理程序中:

ssh-add

1
谢谢@wrogrammer,但这不是问题所在。我的用户_devops_已经正确地使用_ssh-agent_工作。如果在新的远程主机上不存在用户_devops,则我想使用_ssh_、_用户名_和_密码_(无证书)切换到用户_root。 - thomas tugend
我可以知道做这件事的原因吗? - user9008857
如果远程主机上不存在其他sudo用户,则我想切换到root用户并创建一个sudo用户。如果主机是全新的,则root用户没有密钥文件,因此需要输入用户名和密码。 - thomas tugend
我认为这是一种解决方法。为什么在远程机器上不创建具有特定权限的新用户? - user9008857

0

Setting a remote user

By default, Ansible connects to all remote devices with the user name you are using on the control node. If that user name does not exist on a remote device, you can set a different user name for the connection. If you just need to do some tasks as a different user, look at Understanding privilege escalation: become. You can set the connection user in a playbook:

---
- name: update webservers
  hosts: webservers
  remote_user: admin

  tasks:
  - name: thing to do first in this playbook
  . . .
来源:docs.ansible.com

网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接