Ansible：如何为用户设置密码？无法加密密码

Question

我试图设置安塞。我遇到的问题是，当我使用加密密码时身份验证失败。我不想要使用root用户，但想使用用户帐户＆＃34; t0142734＆＃34;。现在，我在哪里为此用户输入密码？并且如何加密密码？

这是我做的：

1. 我的主机文件（/ etc / ansible / hosts）设置如下：

   [devservers]
   pses00top
   pses16top
   pses99top
   
   [customerLabs]
   pses21top
   pses25top
   
   [allLabs]
   pses00top
   pses16top
   pses99top
   pses21top
   pses25top
   

2. 我的 playbook （/etc/ansible/playbooks/test.yml）设置如下：

   ---
   - hosts: devservers
     remote_user: t0142734
     user: t0142734
     vars:
       password: $1$SomeSalt$xAFXP474fwpr2MobtwE.5/
     tasks:
      - user: name=t0142734 password={password} comment="Katie" ssh_key_file=/home/t0142734/.ssh/id_rsa
      - name: ping test
        ping:
   

3. 我使用以下内容生成加密密码：

   python -c 'import crypt; print crypt.crypt("This is my Password", "$1$SomeSalt$")'
   

4. 我设置了我的ansible配置文件 ansible.cfg （/etc/ansible/ansible.cfg），如下所示：

   inventory      = /etc/ansible/hosts
   host_key_checking = False
   remote_user = t0142734
   

5. 我运行我的剧本，如下所示：

   ansible-playbook test.yml
   

6. 错误我得到的是：

   <pses25top> ESTABLISH SSH CONNECTION FOR USER: t0142734
   <pses25top> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
   -o PasswordAuthentication=no -o User=t0142734 -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r -tt pses25top '/bin/sh -c '"'"'( umask 22 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1462469008.44-66881249426265 `" && echo "` echo $HOME/.ansible/tmp/ansible-tmp-1462469008.44-66881249426265 `" )'"'"''
   
   pses25top | UNREACHABLE! => { 
       "changed": false,  
       "msg": "SSH encountered an unknown error. The output was:\nOpenSSH_7.2p2, OpenSSL 1.0.2g-fips  1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 58: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/root/.ansible/cp/ansible-ssh-pses25top-22-t0142734\" does not exist\r\ndebug2: resolving \"pses25top\" port 22\r\ndebug2: ssh_connect_direct: needpriv 0\r\ndebug1: Connecting to pses25top [10.76.115.151] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 9999 ms remain after connect\r\ndebug1: permanently_set_uid: 0/0\r\ndebug1: identity file /root/.ssh/id_rsa type 1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /root/.ssh/id_rsa-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.2\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_7.1\r\ndebug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: Authenticating to pses25top:22 as 't0142734'\r\ndebug3: hostkeys_foreach: reading file \"/root/.ssh/known_hosts\"\r\ndebug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:23\r\ndebug3: load_hostkeys: loaded 1 keys from pses25top\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug3: send packet: type 20\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug3: receive packet: type 20\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: local client KEXINIT proposal\r\ndebug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c\r\ndebug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa\r\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc\r\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc\r\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: compression ctos: zlib@openssh.com,zlib,none\r\ndebug2: compression stoc: zlib@openssh.com,zlib,none\r\ndebug2: languages ctos: \r\ndebug2: languages stoc: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug2: peer server KEXINIT proposal\r\ndebug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\r\ndebug2: host key algorithms: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\r\ndebug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com\r\ndebug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: compression ctos: none,zlib@openssh.com\r\ndebug2: compression stoc: none,zlib@openssh.com\r\ndebug2: languages ctos: \r\ndebug2: languages stoc: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug1: kex: algorithm: curve25519-sha256@libssh.org\r\ndebug1: kex: host key algorithm: ecdsa-sha2-nistp256\r\ndebug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com\r\ndebug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com\r\ndebug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64\r\ndebug1: kex: curve25519-sha256@libssh.org need=64 dh_need=64\r\ndebug3: send packet: type 30\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug3: receive packet: type 31\r\ndebug1: Server host key: ecdsa-sha2-nistp256 SHA256:PV4k4IbhF+EJn096uBoQ44xkmK4meIQWKGkIV00dD44\r\ndebug3: hostkeys_foreach: reading file \"/root/.ssh/known_hosts\"\r\ndebug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:23\r\ndebug3: load_hostkeys: loaded 1 keys from pses25top\r\ndebug3: hostkeys_foreach: reading file \"/root/.ssh/known_hosts\"\r\ndebug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:23\r\ndebug3: load_hostkeys: loaded 1 keys from 10.76.115.151\r\ndebug1: Host 'pses25top' is known and matches the ECDSA host key.\r\ndebug1: Found key in /root/.ssh/known_hosts:23\r\ndebug3: send packet: type 21\r\ndebug2: set_newkeys: mode 1\r\ndebug1: rekey after 134217728 blocks\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug3: receive packet: type 21\r\ndebug2: set_newkeys: mode 0\r\ndebug1: rekey after 134217728 blocks\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug2: key: /root/.ssh/id_rsa (0x560d1b74fae0)\r\ndebug3: send packet: type 5\r\ndebug3: receive packet: type 6\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug3: send packet: type 50\r\ndebug3: receive packet: type 51\r\ndebug1: Authentications that can continue: publickey,password\r\ndebug3: start over, passed a different list publickey,password\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup publickey\r\ndebug3: remaining preferred: ,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Offering RSA public key: /root/.ssh/id_rsa\r\ndebug3: send_pubkey_test\r\ndebug3: send packet: type 50\r\ndebug2: we sent a publickey packet, wait for reply\r\ndebug3: receive packet: type 51\r\ndebug1: Authentications that can continue: publickey,password\r\ndebug2: we did not send a packet, disable method\r\ndebug1: No more authentication methods to try.\r\nPermission denied (publickey,password).\r\n", 
           "unreachable": true
       }
   

7. 当我尝试连接而不使用加密密码（注释掉剧本中的密码var）时，我使用命令ansible all -vvvv -m ping --ask-pass，它的工作原理 !!!我得到了回复：

   pses25top | SUCCESS => {
       "changed": false, 
       "invocation": {
           "module_args": {
               "data": null
           }, 
           "module_name": "ping"
       }, 
       "ping": "pong"
   }
   

因此，当我尝试使用我的加密密码时，它不起作用。当我让ansible提示我输入密码时，它可以工作。有什么帮助吗？

另外，我不知道如何处理＆＃34;盐＆＃34;。我需要将它包含在某个地方吗？

我使用的Ansible版本是 ansible 2.0.1.0

资源：

• Ansible User Module Docs
• Ansible FAQ about generating encrypted passwords
• Ansible Configuration File Docs
• Ansible Inventory Docs

Answer 1

目前还不清楚，你还想做什么。在设置密码之前，您似乎尝试使用密码进行身份验证（remote_user和user: name相等）。

您是否正在创建新用户＆＃34; t0142734＆＃34;？那么你还没有这个remote_user帐户！您必须为此目的使用其他用户（例如root）。

您是否正在更改现有用户的密码＆＃34; t0142734。然后你必须以其他方式进行身份验证，因为此用户的当前密码必须与新用户不同。

要登录，您可以使用ask-pass，或密码+ ansible-vault或ssh keys。

做简单的测试。尝试通过Ansible设置用户密码，然后使用ssh t0142734@pses00top登录。如果未配置authorised_keys，则应要求您输入密码。万一你成功了 - 一切都做得很好