如何修复Sshkey对以Ansible重新创建全球SSH键后

发布于 2025-01-25 11:10:39 字数 3462 浏览 3 评论 0原文

简而言之，在删除后，在托管主机上重新创建了新的全球SSH键，这是Ansible Play的一部分，即控制器和主机中断之间的共享SSH键。我想知道一种“解决”此问题并使用Ansible本身重新获得原始SSH密钥信任的卓越方法。不幸的是，这需要一些解释。

基本上，作为一个开始，现在，当部署新图像时，我还没有设置。为了解决这个问题，我创建了一个bash脚本，利用期望在新的托管主机上很好地完成了2件事：

创建一个可ando的帐户，并具有适当的sudo permissions
创建一个Ansible帐户，在控制器和控制器和托管主机之间创建一个SSH键对。

就是这样，仅此而已，此时确实需要手动输入。现在，我们有一个理想的状态，Ansible可以通过SSH效果很好。但是，在328行代码上似乎很麻烦，可以检查并执行此过程，以后再进行此过程。

问题开始了，由于主机/服务器是从图像部署的事实，因此有必要在每个图像上重新创建全局键，以使它们没有相同的集合。该问题的这一部分的修复是一个简单的2个步骤：

查找并删除所有 ^ssh_host_ 。。
中查找并删除所有 ^ssh_host_ 。文件，运行命令：/usr/bin/ssh -keygen -a以生成新的全局ssh键。

但是，我们现在遇到了问题，一旦当前的SSH连接与托管主机打破，我们将无法再连接到托管主机，因为控制器上的已知_ host文件现在具有与不匹配的键。如果您什么都不做，您会再次获得提示，以验证远程键的“更改”，并且直到这样做才能继续。（停止所有剧本的功能），或者如果您尝试将IP从控制器上的已知_ -Host文件中清除并放回原处，您会收到可爱的下面消息：

    "changed": false,
    "msg": "Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  ***SNIP***  You can use following command to remove the offending key:\r\nssh-keygen -R 10.200.5.4 -f /home/ansible/.ssh/known_hosts\r\nECDSA host key for 10.200.5.4 has changed and you have requested strict checking.\r\nHost key verification failed.",
    "unreachable": true

所以我现在有一个问题，并且必须有一些命令我可以使用SSH-Keygen和/或SSH-Keyscan使用，以清洁此混乱。但是，对于我的一生，我无法弄清楚。我现在唯一的求助是重新运行最初设置所有设置的Bash脚本，并替换控制器/主机SSHKEY WISE上的所有内容。这似乎是过分的，我不可能相信这是必要的。

我现在唯一的希望是，其他人有一个想法如何在没有手动干预的情况下清洁，永久地解决这个问题。否则，我唯一能做的就是设置ansible_ssh_common_args：“ -o stricthostkeychecking = no”事实，并运行我脚本的命令，但仅以playbook的形式使用。我不敢相信没有任何可以实现这一目标的模块。我尝试了已知的_host模块，但是我不知道如何正确使用它，或者它没有此功能。（此外，它还具有将我的已知_ -Host文件更改为根所有权的烦人属性，然后我必须更改。）

如果有人能提供帮助，那真是太棒了！提前致谢！

以下不是严格需要的，因为它的额外文本堵塞了作品，但它确实说明了bash脚本如何解决此问题，并可能对更好的解决方案提供一些见解：

简而言之，它会生成SSH公共和私钥，附加向他们的主机名，使用HEREDOCS人口方法创建SSH配置身份文件，将其放置在适当的位置，然后将公共密钥复制到相关的主机上。

代码狙击在下面显示如何实现这一目标。这不是整个脚本仅相关部分：

#HOMEDIR is /home/ansible  This host is the IP of managed host in the run.  
#THISHOST is the IP of the managed host in question. Yes, we ONLY use IP's, there is no DNS.  
cd "$HOMEDIR"
rm -f $HOMEDIR/.ssh/id_rsa
ssh-keygen -t rsa -f "$HOMEDIR"/.ssh/id_rsa -q -P ""
sudo mkdir -p "$HOMEDIR"/.ssh/rsa_inventory && sudo chown ansible:users "$HOMEDIR"/.ssh/rsa_inventory
cp -p "$HOMEDIR"/.ssh/id_rsa "$HOMEDIR"/.ssh/rsa_inventory/$THISHOST-id_rsa
cp -p "$HOMEDIR"/.ssh/id_rsa.pub "$HOMEDIR"/.ssh/rsa_inventory/$THISHOST-id_rsa.pub


#Heredocs implementation of the ssh config identity file:  
cat <<EOT >> /home/ansible/.ssh/config

Host $THISHOST $THISHOST
    HostName $THISHOST
    IdentityFile ~/.ssh/rsa_inventory/${THISHOST}-id_rsa
    User ansible
EOT


#Define the variable earlier before the expect script is run so it makes sense in next snipit:
ssh_key=$( cat "$HOMEDIR"/.ssh/id_rsa.pub )

#Snipit in except script where it echos over the public ssh key to the managed host from the controller.
send "sudo echo '"$ssh_key"' >> /home/ansible/.ssh/authorized_keys\n"
expect -re {:~> *$}
send "sudo chmod 644 /home/ansible/.ssh/authorized_keys\n"
expect -re {:~> *$}
#etc etc, so on and so forth properly setting attributes on this file.  ```

Now things work with passwordless ssh as they should.  Until they are re-ruined by the global ssh key replacement.

原文

In a nutshell, after deleting then recreating new global ssh keys on a managed host as part of an ansible play, the shared ssh keys between the controller and the host break. I would like to know a superior method to "fix" this issue and regain the original ssh key trust using ansible itself. Unfortunately this will require some explanation.

Basically as a start, right now, I don't have ansible set up when a new image is deployed. To remedy that, I have created a bash script, utilizing expect which nicely and neatly does 2 things on that new managed host:

Creates an ansible account with appropriate sudo permissions
Creates an ssh key pair between the controller and the controller and the managed host.

That's it, and that's all, however it does require manual input at this time as to the IP of the host to be run on. We now have a desired state from which ansible works well via ssh. However it seems cumbersome at 328 lines of code to check and do this procedure, more on this later.

The issue starts, due to the fact that the host/server is deployed from an image, there is a need to recreate the global keys on each so that they do not have the same set. The fix for this part of that issue is a simple 2 steps:

Find and delete all ^ssh_host_. files in the directory /etc/ssh/
Run the command: /usr/bin/ssh-keygen -A to generate new global ssh keys.

We however now have a problem, once the current ssh connection is broken to the managed host, we can no longer connect to our managed hosts as our known_hosts file on the controller now have keys that don't match. If you do nothing else, you get a prompt again to verify the remote key as it has "changed" and you can't continue until you do. (Stopping all playbooks from functioning) OR if you try to clear the IP out of the known_hosts file on the controller and put it back in, you get the lovely below message:

    "changed": false,
    "msg": "Failed to connect to the host via ssh: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@\r\n@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  ***SNIP***  You can use following command to remove the offending key:\r\nssh-keygen -R 10.200.5.4 -f /home/ansible/.ssh/known_hosts\r\nECDSA host key for 10.200.5.4 has changed and you have requested strict checking.\r\nHost key verification failed.",
    "unreachable": true

So now I have an issue, and there must be a few commands which I can utilize with ssh-keygen, and/or ssh-keyscan to fix this mess cleanly. However for the life of me I can't figure it out. My only recourse now is to re-run the bash script which initially sets this all up, and replace everything on the controller/host sshkey wise. This seems like overkill, I can't possibly believe that is necessary.

My only hope now is that someone else has an idea how to solve this cleanly and permanently without manual intervention. Otherwise, the only thing I can do is set the ansible_ssh_common_args: "-o StrictHostKeyChecking=no"fact and run the commands my script does but only in playbook form. I can't believe there aren't any modules which can accomplish this. I tried the known_host module, but either I don't know how to use it properly, or it doesn't have this functionality. (Also it has the annoying property of changing my known_hosts file to root ownership, which I must then change back.)

If anyone can help that would be fantastic! Thanks in advance!

The below is not strictly needed as it's extra text clogging up the works, but it does illustrate how the bash script fixes this issue and maybe give some insight on a better solution:

In short, it generates an ssh public and private key, attaches the hostname to them, creates an ssh config identity file using a heredocs population method, puts them in the proper spots, and then copies the public key over to mangaged host in question.

The code snipits are below to show how this is accomplished. This is not the entire script just relevant parts:

#HOMEDIR is /home/ansible  This host is the IP of managed host in the run.  
#THISHOST is the IP of the managed host in question. Yes, we ONLY use IP's, there is no DNS.  
cd "$HOMEDIR"
rm -f $HOMEDIR/.ssh/id_rsa
ssh-keygen -t rsa -f "$HOMEDIR"/.ssh/id_rsa -q -P ""
sudo mkdir -p "$HOMEDIR"/.ssh/rsa_inventory && sudo chown ansible:users "$HOMEDIR"/.ssh/rsa_inventory
cp -p "$HOMEDIR"/.ssh/id_rsa "$HOMEDIR"/.ssh/rsa_inventory/$THISHOST-id_rsa
cp -p "$HOMEDIR"/.ssh/id_rsa.pub "$HOMEDIR"/.ssh/rsa_inventory/$THISHOST-id_rsa.pub


#Heredocs implementation of the ssh config identity file:  
cat <<EOT >> /home/ansible/.ssh/config

Host $THISHOST $THISHOST
    HostName $THISHOST
    IdentityFile ~/.ssh/rsa_inventory/${THISHOST}-id_rsa
    User ansible
EOT


#Define the variable earlier before the expect script is run so it makes sense in next snipit:
ssh_key=$( cat "$HOMEDIR"/.ssh/id_rsa.pub )

#Snipit in except script where it echos over the public ssh key to the managed host from the controller.
send "sudo echo '"$ssh_key"' >> /home/ansible/.ssh/authorized_keys\n"
expect -re {:~> *$}
send "sudo chmod 644 /home/ansible/.ssh/authorized_keys\n"
expect -re {:~> *$}
#etc etc, so on and so forth properly setting attributes on this file.  ```

Now things work with passwordless ssh as they should.  Until they are re-ruined by the global ssh key replacement.

分享到QQ

分享到微博