ansible 訪問內網服務器

ssh
https://medium.com/@paulskarseth/ansible-bastion-host-proxycommand-e6946c945d30#.rauzlfv0z
http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host
https://10mi2.wordpress.com/2015/01/14/using-ssh-through-a-bastion-host-transparently/
https://gagor.pl/2016/04/use-bastion-host-with-ansible
http://www.cweye.net/2015/07/17/ansible-jumper.html
http://my.oschina.net/foreverich/blog/657075

sudo
http://tech-sketch.jp/2016/06/ssh_sudo_su.html

案例
有A B兩個數據中心,每一個數據中心僅1臺服務器(jumphost)有公網ip,其餘服務器均爲內網地址。

控制機
1 control 生成帶password的key

# Generate one passphrase-protected key pair per data center (a.pem for A,
# b.pem for B). A passphrase given with -N ends up in shell history and in
# the process list while ssh-keygen runs; on a shared control host prefer
# letting ssh-keygen prompt for it interactively.
for dc in a b; do
  ssh-keygen -f "${dc}.pem" -N '@ansible'
done

2 A jumphost & targethost

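# Create the unprivileged 'ansible' account on the A jumphost and on every
# A-side target, and install the A public key as its only authorized key.
# -m creates the home directory on distributions whose useradd does not do
# so by default; without a home the mkdir below fails.
useradd -m ansible

# sshd ignores authorized_keys unless .ssh is 0700 and the file is 0600.
su - ansible -c 'mkdir -p -m 700 .ssh'
# The original used `curl ... -O .ssh/authorized_keys`, but -O takes no
# argument: it saves the download as ./a.pem.pub and treats
# '.ssh/authorized_keys' as a second URL, so authorized_keys was never
# written. -o names the output file; -f turns an HTTP error into a failed
# command instead of storing an error page as the key file.
# The key is still fetched over plain http, so anything on the path to
# install.local could substitute its own public key here -- serve it over
# https or check the fetched file against a known fingerprint.
su - ansible -c 'curl -fsS -o .ssh/authorized_keys http://install.local/a.pem.pub'
su - ansible -c 'chmod 600 .ssh/authorized_keys'
su - ansible -c 'chmod 700 .ssh'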

3 B jumphost & targethost

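# Create the unprivileged 'ansible' account on the B jumphost and on every
# B-side target, and install the B public key as its only authorized key.
# -m creates the home directory on distributions whose useradd does not do
# so by default; without a home the mkdir below fails.
useradd -m ansible

# sshd ignores authorized_keys unless .ssh is 0700 and the file is 0600.
su - ansible -c 'mkdir -p -m 700 .ssh'
# The original used `curl ... -O .ssh/authorized_keys`, but -O takes no
# argument: it saves the download as ./b.pem.pub and treats
# '.ssh/authorized_keys' as a second URL, so authorized_keys was never
# written. -o names the output file; -f turns an HTTP error into a failed
# command instead of storing an error page as the key file.
# The key is still fetched over plain http, so anything on the path to
# install.local could substitute its own public key here -- serve it over
# https or check the fetched file against a known fingerprint.
su - ansible -c 'curl -fsS -o .ssh/authorized_keys http://install.local/b.pem.pub'
su - ansible -c 'chmod 600 .ssh/authorized_keys'
su - ansible -c 'chmod 700 .ssh'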

4 control ssh_config

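# A: the jumphost is reached directly; 10.150.1.* hosts are reached through
# it with ProxyCommand -W, which is a plain TCP forward -- ssh still
# authenticates to the inner host end-to-end from the control machine.
#
# Two settings below trade safety for convenience and deserve a conscious
# decision:
#  * StrictHostKeyChecking no accepts any host key, including a changed one,
#    so a machine on the path can impersonate the jumphost or a target.
#    Pre-populate a known_hosts file with the real keys instead (or use
#    StrictHostKeyChecking accept-new on OpenSSH >= 7.6).
#  * ForwardAgent yes is not needed for the -W hop; it hands the control
#    machine's agent to root on every host in this file, which is what the
#    jumphost pattern is meant to avoid. Keep it only for the manual ssh -A
#    workflow in section 7.
# ControlPath, like the -F ssh_config path itself, is relative to the
# directory ssh is started from; keep that directory 0700.
Host 69.xx.xx.xx
    User ansible
    Port 29922
    #IdentityFile keys/dc.pem
    ControlMaster auto
    ControlPath keys/ansible-%r@%h:%p
    ControlPersist 15m
    ForwardAgent yes
    StrictHostKeyChecking no

Host 10.150.1.*
    User ansible
    Port 29922
    #IdentityFile keys/dc.pem
    # The inner ssh does not inherit -F ssh_config, so (unless this file is
    # also ~/.ssh/config) it does not see the Host 69.xx.xx.xx block above
    # and does not share its ControlMaster socket; add `-F ssh_config` here
    # if multiplexing is wanted for proxied hops as well.
    ProxyCommand ssh -p 29922 %r@69.xx.xx.xx -W %h:%p
    ForwardAgent yes
    StrictHostKeyChecking no

# B: same layout as A with its own jumphost and 10.160.1.* targets; the
# remarks above apply unchanged.
Host 173.xx.xx.xx
    User ansible
    Port 29922
    #IdentityFile keys/dc.pem
    ControlMaster auto
    ControlPath keys/ansible-%r@%h:%p
    ControlPersist 15m
    ForwardAgent yes
    StrictHostKeyChecking no

Host 10.160.1.*
    User ansible
    Port 29922
    #IdentityFile keys/la.pem
    ProxyCommand ssh -p 29922 %r@173.xx.xx.xx -W %h:%p
    ForwardAgent yes
    StrictHostKeyChecking no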

5 control login

# Load the private keys into the agent; the bastion and internal hosts are
# then reached with agent forwarding (ForwardAgent yes in ssh_config).
# Start an agent first if none is running (the commented command below);
# ssh-add prompts for each key's passphrase, as shown.
#ssh-agent bash
ssh-add keys/a.pem
Enter passphrase for keys/a.pem:

ssh-add keys/b.pem
Enter passphrase for keys/b.pem:

# Log in to the A and B jumphosts, then to an internal host behind each.
ssh -F ssh_config 69.xx.xx.xx
ssh -F ssh_config 10.150.1.35

ssh -F ssh_config 173.xx.xx.xx
ssh -F ssh_config 10.160.1.35

# Remove the private keys from the agent again when done; while they are
# loaded, every host reached with ForwardAgent can sign with them.
ssh-add -D

6 jumphost & targethost sudo

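# Install the sudo policy for the 'ansible' account and the 'operator' group.
# The policy is written to a temp file and checked with visudo -c before it
# is placed in sudoers.d, so a syntax error cannot lock everyone out of sudo;
# install -m 440 creates the final file with the right mode in one step
# instead of leaving it at the default umask until the chmod.
#
# On the policy itself: a sudoers negation ("ALL, !SU") excludes a path, not
# a program -- a user allowed ALL can run a copy of the binary from another
# path, or reach it through a permitted editor or shell, and the exclusion
# does not apply. Treat !SU/!SHELLS/!SUDO/!ACCOUNT as guard rails against
# accidents, not as a privilege boundary; sudoers(5) says the same.
groupadd operator   # referenced as %operator below, so create it first

sudoers_tmp=$(mktemp) || exit 1
cat > "$sudoers_tmp" << _EOF_
Defaults:ansible,%operator    !requiretty

Cmnd_Alias SU = /bin/su*
Cmnd_Alias SUDO = /usr/bin/vim /etc/sudoers*, /bin/vi /etc/sudoers*, /bin/su*, /usr/sbin/visudo
Cmnd_Alias ACCOUNT = /usr/sbin/adduser*, /usr/sbin/useradd*, /usr/sbin/groupadd*, /usr/sbin/userdel*
Cmnd_Alias SHELLS = /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login

ansible ALL = (ALL) NOPASSWD: ALL, !SU
%operator ALL = (ALL) NOPASSWD: ALL, !SHELLS, !SU, !SUDO, !ACCOUNT
_EOF_

if visudo -cf "$sudoers_tmp"; then
  install -m 440 "$sudoers_tmp" /etc/sudoers.d/ansible
else
  printf 'sudoers policy rejected by visudo, not installed\n' >&2
fi
rm -f -- "$sudoers_tmp"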
/etc/pam.d/su
#auth           required        pam_wheel.so use_uid
->
auth           required        pam_wheel.so use_uid
/etc/ssh/sshd_config
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes

7 jumphost & targethost user (ansible控制)

1 創建用戶
useradd ken

加入operator組
usermod -G operator ken

用戶.ssh/authorized_keys寫入用戶公匙
ken.gem -> .ssh/authorized_keys

2 用戶使用私匙登陸
local> ssh-add ken.gem
local> ssh -p 29922 -A ken@69.xx.xx.xx
69> ssh -p 29922 -A ken@10.150.1.xx

3 刪除用戶

登陸自動啓動ssh-agent

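# Start (or reconnect to) a per-user ssh-agent at login, via /etc/profile.d,
# so keys added once with ssh-add stay available to later sessions until the
# host reboots or `ssh-add -D` is run. Those keys are then live for as long
# as the host is up: anyone who obtains that user's (or root's) shell can use
# them, so this belongs on a trusted control host only.
# The heredoc delimiter is quoted so the script is written literally -- no
# \$ or \` escaping needed.
cat > /etc/profile.d/ssh-agent.sh << 'EOF'
#!/bin/bash

# Fixed socket path that later logins can find again.
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock

# Start a new agent only when the one behind the symlink no longer answers.
# ssh-add exits 2 when it cannot contact an agent (0 = keys listed, 1 = agent
# up but empty); testing the socket with [ -S ] alone would happily export a
# socket file left behind by an agent that has already died.
ssh-add -l >/dev/null 2>&1
if [ $? -eq 2 ]; then
  mkdir -p -m 700 ~/.ssh
  eval "$(ssh-agent -s)"
  ln -sf "$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
  export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
fi
EOF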

手動執行ssh-add加入sshkey,只要不重啓sshkey一直存在內存中

登陸自動加載帶密碼的sshkey 密碼輸入沒有解決

# A helper that prints the passphrase, meant to be run by ssh-add as
# SSH_ASKPASS. It stores the passphrase in clear text on the control host and
# must be executable (hence 700) because ssh-add runs it as a program, so
# anyone who can read it effectively holds both keys -- protect it like the
# private keys themselves. The page itself records that this step is not
# solved ("密碼輸入沒有解決"): ssh-add consults SSH_ASKPASS only when its
# stdin is not a terminal and DISPLAY is set (newer OpenSSH adds
# SSH_ASKPASS_REQUIRE), so from a plain ssh session it still prompts on the tty.
echo "echo '@ansible'" > /opt/ansible/keys/.passphrase && chmod 700 /opt/ansible/keys/.passphrase

# Load the keys only when the agent is empty.
# NOTE(review): `ssh-add -` reads one key from stdin, so concatenating two PEM
# files most likely loads only the first -- confirm with `ssh-add -l`, or call
# ssh-add once per key. The grep also echoes the "no identities" line to
# stdout; `grep -q` would keep the check silent.
ssh-add -l | grep 'The agent has no identities' && cat /opt/ansible/keys/{dc.pem,la.pem} | SSH_ASKPASS=/opt/ansible/keys/.passphrase ssh-add -
ssh-add 將私匙加入內存,公匙分別加入堡壘機及內網機,加入代理轉發,能夠登陸任意服務器
# Options shared by the three example sessions below.
# UserKnownHostsFile=/dev/null together with StrictHostKeyChecking=no turns
# host-key verification off completely: nothing is remembered and nothing is
# checked, so these sessions can be intercepted without any warning. The
# ControlPath under the shared /tmp is predictable; a per-user directory
# (e.g. under ~/.ssh) is the usual choice. ForwardAgent=yes exposes the
# control host's agent to every host reached this way.
common_opts=(
  -o UserKnownHostsFile=/dev/null
  -o StrictHostKeyChecking=no
  -o ControlMaster=auto
  -o ControlPersist=5m
  -o ControlPath=/tmp/ansible-%r@%h:%p
  -o ForwardAgent=yes
)
# Hop through the bastion with a TCP forward; the inner ssh authenticates
# to the target from here, not from the bastion.
via_bastion=(-o 'ProxyCommand=ssh -p 29922 %r@192.168.1.22 -W %h:%p')

# Bastion directly, then two internal hosts (one on a non-default port).
ssh -p 29922 ansible@192.168.1.22 "${common_opts[@]}"

ssh -p 29922 ansible@192.168.1.23 "${common_opts[@]}" "${via_bastion[@]}"

ssh -p 22 ansible@192.168.1.24 "${common_opts[@]}" "${via_bastion[@]}"