How do I configure Ansible to use 2 keys (via TrustedUserCAKeys)?
I am using HashiCorp Vault to sign SSH public keys:
###### client - my laptop
# step-1: Generate key pair
ssh-keygen -t rsa -N "" -f mykey
# step-2:sign the public key
vault write ssh-client-signer/sign/my-role \
public_key=@$(pwd)/mykey.pub > mykey-cert.pub
mykey-cert.pub is the third key: the signed public key.
After adding the CA public key to sshd:
###### server which runs sshd
vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" >> /etc/ssh/sshd_config
systemctl restart sshd
With the SSH client I am able to log in:
###### client - my laptop
# ssh -i <signed-pub-key> -i <private-key> user@ip command
ssh -i mykey-cert.pub -i mykey user@ip ls
This works like a charm.
So, up to this point, Vault is no longer involved.
But when I try to ping with Ansible (ansible xyz -m ping -vvv), I get an error:
<xyz> ESTABLISH SSH CONNECTION FOR USER: xyz
<xyz> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -i mykey-cert.pub -i mykey -o StrictHostKeyChecking=no -o Port=2323 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="xyz-user"' -o ConnectTimeout=10 -o ControlPath=/home/xyz-control/.ansible/cp/18ca7ea27d xyz '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
ssh-server-pod | UNREACHABLE! => {
"changed": false,"msg": "SSH Error: data could not be sent to remote host \"xyz\". Make sure this host can be reached over ssh","unreachable": true
}
I tried using SSH_ARGS in ansible.cfg, since ansible_ssh_private_key_file only accepts the path of a private key:
[defaults]
INVENTORY = inventory
HOST_KEY_CHECKING = False
[ssh_connection]
PIPELINING = True
SSH_ARGS = "-C -o ControlMaster=auto -o ControlPersist=60s -i mykey-cert.pub -i mykey"
...but it still does not work?
Should I enable some extension (permit-pty: "") or remove the critical options?
Even though it works with the SSH client.
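Before changing ansible.cfg it is worth confirming that the signed certificate actually authorises the user Ansible connects as (xyz-user in the log above) and is inside its validity window. The script below is an added example, not code from the question, Vault or Ansible: it decodes an ssh-rsa *-cert.pub line into the fields sshd checks under TrustedUserCAKeys, reports anything that would block or restrict the login, and builds a constructed, unsigned sample certificate (made-up key id, serial and principals) so that it runs offline.

```python
import base64, struct

def _s(b):  # encode bytes as an SSH 'string' (uint32 big-endian length + bytes)
    return struct.pack(">I", len(b)) + b

def _rd(buf, off):  # read one SSH 'string' at offset; return (value, offset after it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _strings(blob):  # split a packed sequence of SSH strings (principals, or name/data pairs)
    out, off = [], 0
    while off < len(blob):
        item, off = _rd(blob, off)
        out.append(item.decode("utf-8", "replace"))
    return out

def parse_cert(cert_line):
    """Parse one ssh-rsa *-cert.pub line into the fields sshd checks under TrustedUserCAKeys."""
    ktype, b64 = cert_line.split()[:2]
    assert ktype == "ssh-rsa-cert-v01@openssh.com", "only RSA user certificates handled here"
    buf, off = base64.b64decode(b64), 0
    for _ in range(4):                                  # cert type, nonce, e, n
        _, off = _rd(buf, off)
    serial, ctype = struct.unpack_from(">QI", buf, off)  # ctype 1 = user, 2 = host
    key_id, off = _rd(buf, off + 12)
    principals, off = _rd(buf, off)
    after, before = struct.unpack_from(">QQ", buf, off)  # validity window, unix seconds
    crit, off = _rd(buf, off + 16)
    ext, off = _rd(buf, off)
    return {"key_id": key_id.decode(), "serial": serial, "user_cert": ctype == 1,
            "principals": _strings(principals), "valid_after": after, "valid_before": before,
            "critical_options": _strings(crit)[::2], "extensions": _strings(ext)[::2]}  # names only

def check_login(cert, user, now):
    """Findings that would make sshd refuse `user` at unix time `now`, or restrict the session; [] = fine."""
    checks = [(not cert["user_cert"], "not a user certificate"),
              (user not in cert["principals"], f"{user!r} not among principals {cert['principals']}"),
              (not cert["valid_after"] <= now < cert["valid_before"], "outside validity window"),
              ("permit-pty" not in cert["extensions"], "no permit-pty extension (sshd refuses tty allocation)")]
    return [msg for failed, msg in checks if failed]

def build_sample_cert(principals, extensions, after, before):
    """Constructed, unsigned RSA user certificate for exercising the parser (not a real Vault-issued cert)."""
    ktype = b"ssh-rsa-cert-v01@openssh.com"
    body = _s(ktype) + _s(b"nonce") + _s(b"\x01\x00\x01") + _s(b"\x00" * 32)    # type, nonce, e, n
    body += struct.pack(">QI", 42, 1) + _s(b"vault-my-role")                       # serial, user cert, key id
    body += _s(b"".join(_s(p.encode()) for p in principals)) + struct.pack(">QQ", after, before)
    body += _s(b"") + _s(b"".join(_s(e.encode()) + _s(b"") for e in extensions))   # no critical options
    body += _s(b"") + _s(b"ca-key") + _s(b"sig")                                    # reserved, CA key, signature
    return ktype.decode() + " " + base64.b64encode(body).decode()
```

For the real file, pass the contents of mykey-cert.pub to parse_cert (ssh-keygen -L -f mykey-cert.pub prints the same fields). Note that OpenSSH automatically loads <identity>-cert.pub next to the identity given with -i, so pointing ansible_ssh_private_key_file at the absolute path of mykey is enough as long as mykey-cert.pub sits beside it.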