Accessing intranet servers with Ansible

it 2022-05-05


ssh references:
https://medium.com/@paulskarseth/ansible-bastion-host-proxycommand-e6946c945d30#.rauzlfv0z
http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host
https://10mi2.wordpress.com/2015/01/14/using-ssh-through-a-bastion-host-transparently/
https://gagor.pl/2016/04/use-bastion-host-with-ansible
http://www.cweye.net/2015/07/17/ansible-jumper.html
http://my.oschina.net/foreverich/blog/657075

sudo reference:
http://tech-sketch.jp/2016/06/ssh_sudo_su.html

Scenario: there are two data centers, A and B. In each data center only one server (the jumphost) has a public IP; all other servers have internal addresses only.

Control host

1 control: generate passphrase-protected keys

```sh
# one key pair per data center, both protected with the passphrase '@ansible'
ssh-keygen -f a.pem -N '@ansible'
ssh-keygen -f b.pem -N '@ansible'
```

2 A jumphost & targethost

```sh
useradd ansible
su - ansible -c 'mkdir .ssh'
# install the A public key as authorized_keys (curl -o writes to the given path; -O ignores it)
su - ansible -c 'curl http://install.local/a.pem.pub -o .ssh/authorized_keys'
su - ansible -c 'chmod 600 .ssh/authorized_keys'
su - ansible -c 'chmod 700 .ssh'
```

3 B jumphost & targethost

```sh
useradd ansible
su - ansible -c 'mkdir .ssh'
# install the B public key as authorized_keys (curl -o writes to the given path; -O ignores it)
su - ansible -c 'curl http://install.local/b.pem.pub -o .ssh/authorized_keys'
su - ansible -c 'chmod 600 .ssh/authorized_keys'
su - ansible -c 'chmod 700 .ssh'
```

4 control ssh_config

```
# A
Host 69.xx.xx.xx
    User ansible
    Port 29922
    #IdentityFile keys/dc.pem
    ControlMaster auto
    ControlPath keys/ansible-%r@%h:%p
    ControlPersist 15m
    ForwardAgent yes
    StrictHostKeyChecking no

Host 10.150.1.*
    User ansible
    Port 29922
    #IdentityFile keys/dc.pem
    ProxyCommand ssh -p 29922 %r@69.xx.xx.xx -W %h:%p
    ForwardAgent yes
    StrictHostKeyChecking no

# B
Host 173.xx.xx.xx
    User ansible
    Port 29922
    #IdentityFile keys/dc.pem
    ControlMaster auto
    ControlPath keys/ansible-%r@%h:%p
    ControlPersist 15m
    ForwardAgent yes
    StrictHostKeyChecking no

Host 10.160.1.*
    User ansible
    Port 29922
    #IdentityFile keys/la.pem
    ProxyCommand ssh -p 29922 %r@173.xx.xx.xx -W %h:%p
    ForwardAgent yes
    StrictHostKeyChecking no
```
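As an added audit helper (not part of the original post), the following POSIX shell script reads a client ssh_config like the one in step 4 and flags, per Host block, `StrictHostKeyChecking no` (the hop's host key is never verified, so the jumphost could be impersonated) and `ForwardAgent yes` on a block that already reaches its target through `ProxyCommand ssh ... -W` (the -W tunnel lets the control host authenticate to the target directly, so the agent need not be exposed on the jumphost). The sample config, the bastion-a name and the hardened block are constructed placeholders.

```shell
# audit_ssh_config reads an OpenSSH client config on stdin and prints one line per finding.
audit_ssh_config() {
    awk '
    function report() {
        if (host == "") return
        if (tolower(strict) == "no")
            printf "%s: StrictHostKeyChecking no (host key of the hop is not verified)\n", host
        if (tolower(fwd) == "yes" && proxyw)
            printf "%s: ForwardAgent yes is unnecessary with ProxyCommand -W\n", host
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    tolower($1) == "host" { report(); host = $2; strict = ""; fwd = ""; proxyw = 0; next }
    tolower($1) == "stricthostkeychecking" { strict = $2 }
    tolower($1) == "forwardagent" { fwd = $2 }
    tolower($1) == "proxycommand" && / -W / { proxyw = 1 }   # -W tunnels TCP end to end
    END { report() }
    '
}

# Constructed sample modelled on the step-4 config; bastion-a and the 10.150.1.*
# subnet are placeholders, the hardened block is there for comparison.
SAMPLE_CFG='Host bastion-a
    User ansible
    Port 29922
    ControlMaster auto
    ForwardAgent yes
    StrictHostKeyChecking no
Host 10.150.1.*
    User ansible
    ProxyCommand ssh -p 29922 %r@bastion-a -W %h:%p
    ForwardAgent yes
    StrictHostKeyChecking no
Host hardened.example
    User ansible
    ProxyJump bastion-a
    StrictHostKeyChecking yes'

# prints three findings: two for StrictHostKeyChecking no, one for the redundant ForwardAgent
printf '%s\n' "$SAMPLE_CFG" | audit_ssh_config
```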

5 control login

```sh
# load the private keys into the agent, for ssh agent forwarding
#ssh-agent bash
ssh-add keys/a.pem
Enter passphrase for keys/a.pem:
ssh-add keys/b.pem
Enter passphrase for keys/b.pem:
# log in to the A and B jumphosts and to an internal host in each
ssh -F ssh_config 69.xx.xx.xx
ssh -F ssh_config 10.150.1.35
ssh -F ssh_config 173.xx.xx.xx
ssh -F ssh_config 10.160.1.35
# remove the private keys from the agent
ssh-add -D
```

6 jumphost & targethost sudo

```sh
# note: sudoers(5) warns that subtracting commands from ALL with '!' is not a reliable restriction
cat > /etc/sudoers.d/ansible << _EOF_
Defaults:ansible,%operator !requiretty
Cmnd_Alias SU = /bin/su*
Cmnd_Alias SUDO = /usr/bin/vim /etc/sudoers*, /bin/vi /etc/sudoers*, /bin/su*, /usr/sbin/visudo
Cmnd_Alias ACCOUNT = /usr/sbin/adduser*, /usr/sbin/useradd*, /usr/sbin/groupadd*, /usr/sbin/userdel*
Cmnd_Alias SHELLS = /bin/sh, /bin/ksh, /bin/bash, /bin/zsh, /bin/csh, /bin/tcsh, /usr/bin/login
ansible ALL = (ALL) NOPASSWD: ALL, !SU
%operator ALL = (ALL) NOPASSWD: ALL, !SHELLS, !SU, !SUDO, !ACCOUNT
_EOF_
chmod 440 /etc/sudoers.d/ansible
groupadd operator
```

/etc/pam.d/su: uncomment the pam_wheel line so that only members of wheel may use su:

```
#auth required pam_wheel.so use_uid  ->  auth required pam_wheel.so use_uid
```

/etc/ssh/sshd_config:

```
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication yes
```

7 jumphost & targethost user (managed by Ansible)

1 Create the user, add it to the operator group, and write the user's public key into the user's .ssh/authorized_keys (ken.gem -> .ssh/authorized_keys):

```sh
useradd ken
# -G without -a replaces any existing supplementary groups of the user
usermod -G operator ken
```

2 The user logs in with the private key:

```sh
local> ssh-add ken.gem
local> ssh -p 29922 -A ken@69.xx.xx.xx
69> ssh -p 29922 -A ken@10.150.1.xx
```

3 Delete the user

Start ssh-agent automatically at login

```sh
cat > /etc/profile.d/ssh-agent.sh << EOF
#!/bin/bash
# reuse one agent per user via a fixed socket symlink; start a new agent only if it is missing
if [ ! -S ~/.ssh/ssh_auth_sock ]; then
    eval \`ssh-agent\`
    ln -sf "\$SSH_AUTH_SOCK" ~/.ssh/ssh_auth_sock
fi
export SSH_AUTH_SOCK=~/.ssh/ssh_auth_sock
EOF
```

Run ssh-add manually to add the SSH key; as long as the host is not rebooted, the key stays in the agent's memory.

Auto-loading a passphrase-protected SSH key at login (passphrase entry not solved)

```sh
echo "echo '@ansible'" > /opt/ansible/keys/.passphrase && chmod 700 /opt/ansible/keys/.passphrase
# ssh-add only runs the SSH_ASKPASS program when it has no controlling terminal and DISPLAY is set,
# and "ssh-add -" reads a single key from stdin, so this does not load the keys as written
ssh-add -l | grep 'The agent has no identities' && cat /opt/ansible/keys/{dc.pem,la.pem} | SSH_ASKPASS=/opt/ansible/keys/.passphrase ssh-add -
```

ssh-add loads the private keys into the agent; the public keys are installed on the bastion and on the internal hosts; with agent forwarding enabled, any server can be logged into:

```sh
ssh -p 29922 ansible@192.168.1.22 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
    -o ControlMaster=auto -o ControlPersist=5m -o ControlPath=/tmp/ansible-%r@%h:%p -o ForwardAgent=yes
ssh -p 29922 ansible@192.168.1.23 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
    -o ControlMaster=auto -o ControlPersist=5m -o ControlPath=/tmp/ansible-%r@%h:%p -o ForwardAgent=yes \
    -o ProxyCommand='ssh -p 29922 %r@192.168.1.22 -W %h:%p'
ssh -p 22 ansible@192.168.1.24 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no \
    -o ControlMaster=auto -o ControlPersist=5m -o ControlPath=/tmp/ansible-%r@%h:%p -o ForwardAgent=yes \
    -o ProxyCommand='ssh -p 29922 %r@192.168.1.22 -W %h:%p'
```

posted on 2016-06-16 12:13 北京涛子

Reposted from: https://www.cnblogs.com/liujitao79/p/5590590.html

