Ansible批量更新远程主机用户密码 (包括Ansible批量作ssh互信)

时间 2019-12-06

标签 ansible 批量更新远程主机用户密码包括 ssh 互信繁體版

原文原文链接

按照集团运维信息安全制度, 须要每一个一段时间对线上服务器密码进行一次变动，经过shell脚本部署比较繁琐，因此决定采用ansible脚本对远程主机root密码进行批量重置，该脚本已经在稳定运行在正式环境下。具体方法以下:html

1) 在服务端安装ansiblenode

[root@ansible-server ~]# yum install -y ansible

2) 配置ansible到远程主机的ssh无密码信任关系 (authoried_keys 模块)shell

批量实现多台服务器之间ssh无密码登陆的相互信任关系, 能够参考以前的文章:  https://www.cnblogs.com/kevingrace/p/9063745.html
这里采用Ansible 实现批量创建互信, 方法以下:

首先要生成ansible服务端本机ssh的key 
[root@ansible-server ~]# ssh-keygen -t rsa          //一路回车
[root@ansible-server ~]# ls /root/.ssh/
id_rsa  id_rsa.pub 

====================================================
须要注意ssh创建互信的命令格式:
# ssh-copy-id -i ~/.ssh/id_rsa.pub username@[ip,hostname]
====================================================

在客户机比较多的状况下，使用 ssh-copy-id命令的方法显然是有些费时，使用ansible-playbook 推送 ymal进行批量建立ssh互信关系就显得省事多了，
这里就使用到了ansible的authoried_keys 模块: 

首先要配置ansible清单 (远程主机的密码这里为"123456")
[root@ansible-server ~]# vim /etc/ansible/hosts
................
................
[ssh-host]
172.16.60.204
172.16.60.205
172.16.60.206
172.16.60.207

[ssh-host:vars]
ansible_ssh_pass="123456"

==========================================================
发送公钥到目标机器命令格式以下:
# ansible ssh-host -m copy -a "src=/root/.ssh/id_rsa.pub dest=/root/.ssh/authorized_keys mode=600"
==========================================================

编写playbook文件
[root@ansible-server ~]# vim /opt/ssh_key.yaml
---
  - hosts: ssh-host
    user: root
    tasks:
     - name: ssh-copy
       authorized_key: user=root key="{{ lookup('file', '/root/.ssh/id_rsa.pub') }}"

注意上面yaml脚本中的"ssh-key-host"是在/etc/ansible/hosts清单文件里配置的远程客户机列表
这里作的是基于远程主机root用户的ssh互信

执行批量互信
[root@ansible-server ~]# ansible-playbook /opt/ssh_key.yaml

PLAY [ssh-host] ************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************
ok: [172.16.60.204]
ok: [172.16.60.205]
ok: [172.16.60.206]
ok: [172.16.60.207]

TASK [ssh-copy] ************************************************************************************************************************
changed: [172.16.60.205]
changed: [172.16.60.204]
changed: [172.16.60.206]
changed: [172.16.60.207]

PLAY RECAP *****************************************************************************************************************************
172.16.60.204              : ok=2    changed=1    unreachable=0    failed=0   
172.16.60.205              : ok=2    changed=1    unreachable=0    failed=0   
172.16.60.206              : ok=2    changed=1    unreachable=0    failed=0   
172.16.60.207              : ok=2    changed=1    unreachable=0    failed=0

最后验证下ssh互信
[root@ansible-server ~]# ansible -i /etc/ansible/hosts ssh-host -m shell -a "whoami"
172.16.60.204 | SUCCESS | rc=0 >>
root

172.16.60.205 | SUCCESS | rc=0 >>
root

172.16.60.207 | SUCCESS | rc=0 >>
root

172.16.60.206 | SUCCESS | rc=0 >>
root

至此, ansible批量建立到远程客户机的ssh信任关系已经实现了!

3) Ansible批量更新远程主机用户密码方法vim

方法一: 使用Ansible的user模块批量修改远程客户机的用户密码安全

因为在使用ansible修改用户密码的时候不能使用明文的方式，须要先加密，因此就须要使用一个方法对输入的明文的密码进行加密.
废话很少说了. 下面直接记录下操做方法:

[root@ansible-server ~]# vim /opt/root_passwd.yaml
---
  - hosts: ssh-host
    gather_facts: false
    tasks:
    - name: change user passwd
      user: name={{ item.name }} password={{ item.chpass | password_hash('sha512') }}  update_password=always
      with_items:
           - { name: 'root', chpass: 'kevin@123' }
           - { name: 'app', chpass: 'bjop123' }

注意上面在yaml文件中修改了远程客户机的root用户密码, app用户密码. 
若是还想要修改其余用户密码, 则继续按照上面规则添加便可!

执行ansible-play
[root@ansible-server ~]# ansible-playbook /opt/root_passwd.yaml 

PLAY [ssh-host] ************************************************************************************************************************

TASK [change user passwd] **************************************************************************************************************
changed: [172.16.60.204] => (item={u'chpass': u'kevin@123', u'name': u'root'})
changed: [172.16.60.205] => (item={u'chpass': u'kevin@123', u'name': u'root'})
changed: [172.16.60.204] => (item={u'chpass': u'bjop123', u'name': u'app'})
changed: [172.16.60.205] => (item={u'chpass': u'bjop123', u'name': u'app'})
changed: [172.16.60.206] => (item={u'chpass': u'kevin@123', u'name': u'root'})
changed: [172.16.60.206] => (item={u'chpass': u'bjop123', u'name': u'app'})
changed: [172.16.60.207] => (item={u'chpass': u'kevin@123', u'name': u'root'})
changed: [172.16.60.207] => (item={u'chpass': u'bjop123', u'name': u'app'})

PLAY RECAP *****************************************************************************************************************************
172.16.60.204              : ok=1    changed=1    unreachable=0    failed=0   
172.16.60.205              : ok=1    changed=1    unreachable=0    failed=0   
172.16.60.206              : ok=1    changed=1    unreachable=0    failed=0   
172.16.60.207              : ok=1    changed=1    unreachable=0    failed=0

方法二: 修改远程主机的单个用户密码使用此方法比较方便bash

编写playbook文件
[root@ansible-server ~]# vim /opt/root_passwd2.yaml
---
  - hosts: ssh-host
    gather_facts: false
    tasks:
    - name: Change password
      user: name={{ name1 }}  password={{ chpass | password_hash('sha512') }}  update_password=always

执行ansible-playbook,  使用-e参数传递用户名和密码给剧本，其中root为用户名，admin#123就是修改后的root密码
[root@ansible-server ~]# ansible-playbook /opt/root_passwd2.yaml -e "name1=root chpass=admin#123"            

PLAY [ssh-host] ************************************************************************************************************************

TASK [Change password] *****************************************************************************************************************
changed: [172.16.60.204]
changed: [172.16.60.205]
changed: [172.16.60.206]
changed: [172.16.60.207]

PLAY RECAP *****************************************************************************************************************************
172.16.60.204              : ok=1    changed=1    unreachable=0    failed=0   
172.16.60.205              : ok=1    changed=1    unreachable=0    failed=0   
172.16.60.206              : ok=1    changed=1    unreachable=0    failed=0   
172.16.60.207              : ok=1    changed=1    unreachable=0    failed=0

方法三: 使用以下Ansible脚本, 适用于修改清单中部分远程主机的用户密码服务器

编写ansible-playbook脚本 (须要注意下面脚本中"ens192"是客户机ip所在的网卡设备名称, 这个要根据本身实际环境去配置, 好比eth0, eth1等)
[root@ansible-server ~]# cat /opt/root_passwd4.yaml 
- hosts: test-host
  remote_user: root
  tasks:
  - name: change password for root
    shell: echo '{{ item.password }}' |passwd --stdin root
    when: ansible_ens192.ipv4.address  == '{{ item.ip }}'
    with_items:
     - { ip: "172.16.60.220", password: 'haha@123' }
     - { ip: "172.16.60.221", password: 'kevin@123' }
     - { ip: "172.16.60.222", password: 'bobo@123' }

 执行ansible-playbook:
 [root@ansible-server ansible]# ansible-playbook /opt/root_passwd3.yaml

PLAY [ssh-host] ************************************************************************************************************************

TASK [Gathering Facts] *****************************************************************************************************************
ok: [172.16.60.204]
ok: [172.16.60.205]
ok: [172.16.60.206]
ok: [172.16.60.207]

TASK [change password for root] ********************************************************************************************************
 [WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
== '{{ item.ip }}'

 [WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
== '{{ item.ip }}'

skipping: [172.16.60.205] => (item={u'ip': u'172.16.60.204', u'password': u'haha@123'}) 
 [WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
== '{{ item.ip }}'

skipping: [172.16.60.206] => (item={u'ip': u'172.16.60.204', u'password': u'haha@123'}) 
skipping: [172.16.60.206] => (item={u'ip': u'172.16.60.205', u'password': u'kevin@123'}) 
 [WARNING]: when statements should not include jinja2 templating delimiters such as {{ }} or {% %}. Found: ansible_eth0.ipv4.address
== '{{ item.ip }}'

skipping: [172.16.60.207] => (item={u'ip': u'172.16.60.204', u'password': u'haha@123'}) 
skipping: [172.16.60.207] => (item={u'ip': u'172.16.60.205', u'password': u'kevin@123'}) 
skipping: [172.16.60.207] => (item={u'ip': u'172.16.60.206', u'password': u'bobo@123'}) 
changed: [172.16.60.205] => (item={u'ip': u'172.16.60.205', u'password': u'kevin@123'})
skipping: [172.16.60.205] => (item={u'ip': u'172.16.60.206', u'password': u'bobo@123'}) 
changed: [172.16.60.204] => (item={u'ip': u'172.16.60.204', u'password': u'haha@123'})
skipping: [172.16.60.204] => (item={u'ip': u'172.16.60.205', u'password': u'kevin@123'}) 
skipping: [172.16.60.204] => (item={u'ip': u'172.16.60.206', u'password': u'bobo@123'}) 
changed: [172.16.60.206] => (item={u'ip': u'172.16.60.206', u'password': u'bobo@123'})

PLAY RECAP *****************************************************************************************************************************
172.16.60.204              : ok=2    changed=1    unreachable=0    failed=0   
172.16.60.205              : ok=2    changed=1    unreachable=0    failed=0   
172.16.60.206              : ok=2    changed=1    unreachable=0    failed=0   
172.16.60.207              : ok=1    changed=0    unreachable=0    failed=0

若是ansible服务端没有和远程主机作ssh信任关系, 则能够在hosts清单配置里直接指明用户名和密码.
若是使用普通用户, 而且容许sudo, 则须要提早在客户机里的/etc/sudoers文件里配置好该普通用户的sudo配置, 即容许该普通用户有sudo权限.
 
[root@ansible-server ~]# vim /etc/ansible/hosts
................
[test-host]
172.16.60.220 ansible_ssh_user=root ansible_ssh_pass=123456 ansible_ssh_port=22
172.16.60.221 ansible_ssh_user=root ansible_ssh_pass=bo@123 ansible_ssh_port=22
172.16.60.222 ansible_ssh_user=app ansible_ssh_pass=bj@123 ansible_ssh_port=22 ansible_sudo_pass=bj@123
 
即172.16.60.220客户机上要提早配置, 容许app用户具备sudo权限.

执行:
[root@ansible-server ~]# ansible test-host -m shell -a "hostname"                      
172.16.60.222 | SUCCESS | rc=0 >>
k8s-node02

172.16.60.220 | SUCCESS | rc=0 >>
k8s-master01

172.16.60.221 | SUCCESS | rc=0 >>
k8s-node01

[root@ansible-server ~]# ansible -i /etc/ansible/hosts test-host -m shell -a "hostname"
172.16.60.222 | SUCCESS | rc=0 >>
k8s-node02

172.16.60.220 | SUCCESS | rc=0 >>
k8s-master01

172.16.60.221 | SUCCESS | rc=0 >>
k8s-node01