[Ansible] Registering authorized_keys (SSH key)
What is authorized_keys?
When the Ansible server (source) connects to an Ansible node (destination), it has to enter the password of the account it logs in as.
Typing that password on every connection makes Ansible tedious to use.
known_hosts records, on the client side, which server host keys the client already trusts; authorized_keys is its counterpart on the server side, recording which client public keys are allowed to log in to an account.
Register the Ansible server's (source) public SSH key on the Ansible node (destination) you want to reach, and the server can prove possession of the matching private key and log in to the node without a password.
When the Ansible server's SSH public key is not in authorized_keys
Connecting from the Ansible server (source) to the Ansible node (destination) prompts for the account password.
[vagrant@ansible-server .ssh]$ ssh node202
vagrant@node202's password:
Last login: Mon Dec 24 09:19:55 2018 from 192.168.1.10
[vagrant@ansible-node202 ~]$
When the Ansible server's SSH public key is in authorized_keys
Connecting from the Ansible server (source) to the Ansible node (destination) no longer asks for a password.
[vagrant@ansible-server .ssh]$ ssh node202
Last login: Wed Dec 26 09:30:32 2018 from 192.168.1.10
[vagrant@ansible-node202 ~]$
The Ansible server's (source) SSH public key is stored in the Ansible node's (destination) authorized_keys file, one key per line, as shown below. The second line, with the vagrant@ansible-server comment, is the Ansible server's key.
[vagrant@ansible-node202 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWC5OWAYMC+cs+ssGDH6Usz/HOBqKR6YTapJne314gkzDQg0CurRti3nXGIpK/2mOnhR26YHeNz5AzJpnlXHgxJwAhL7E43unp72gzqbbX1YUwHgLSkns5Gkso5J+POLYbA7wkxyPFselPXQlUClYhiIM3/j1b98dVm7k7l1AOkJkfiSHnqLH7vbeRbeHeYA63hmsYwo2QirM8qX5uuRNvvStkvMMhx8k7trihpgP48UPRCn6neYYjG8nOqZNBouAo+/1WFd4cMHRcdY/0pUFk864xMZ/sjwzRO4yptlfIOzT6Pufk+W4HIQco1hyC9WFSQ+KrmL/9zVdsq4TzDw/z vagrant
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDprl4ORr/rxJTDb/zoBcF9uXWttVnt1y4bjb84cLRDoELa35J2PieqOUS41RD2eHaX+iDvxyxtKuYN4RpycGoQJ8wZU1ti8WuFmfUyyxE9rqVSZ5UUfix3sCkkyec85m/jt7Kdmnrrl4gzIvxgOGXNyoSFoHjqoKOGbHZT6B9C9bPCzQWBsETW3LvOSsiyDNabfIxfGOz081xPeOSpzccuZBzGYX+SvVtRXlAE/mF+5yVcht/i2j0ghp8pAJGSX7ej1SnKpgXZiWukIxuAAFfLqGCIQIlStkuWQdNgVEvUsI3nNzsCA9qs2zLUehmb6t+FNxtXxx0wootASEjlWtj7 vagrant@ansible-server
Before registering the Ansible server's SSH key, first register the nodes in the Ansible server's known_hosts, following the earlier post on registering known_hosts.
Registering the Ansible server automatically in the Ansible nodes' authorized_keys
How to generate the SSH public key that will go into authorized_keys
- ssh-keygen -b 2048 -t rsa -f /home/vagrant/.ssh/id_rsa -q -N ""
- -N "" gives the private key an empty passphrase, so anyone who can read id_rsa can log in to every node that trusts it; keep the file at mode 0600 (as ssh-keygen creates it) and treat it as a credential.
[vagrant@ansible-server ~]$ ssh-keygen -b 2048 -t rsa -f /home/vagrant/.ssh/id_rsa -q -N ""
[vagrant@ansible-server ~]$ cd .ssh/
[vagrant@ansible-server .ssh]$ ls -al
total 20
-rw-rw-r--. 1 vagrant vagrant    0 Dec 24 08:24 ~
drwx------. 2 vagrant vagrant   89 Dec 27 10:10 .
drwx------. 5 vagrant vagrant 4096 Dec 24 09:17 ..
-rw-------. 1 vagrant vagrant  389 Dec 24 07:47 authorized_keys
-rw-------. 1 vagrant vagrant 1675 Dec 27 10:10 id_rsa
-rw-r--r--. 1 vagrant vagrant  404 Dec 27 10:10 id_rsa.pub
-rw-rw-r--. 1 vagrant vagrant 1376 Dec 24 09:17 known_hosts
Writing the inventory file for the target Ansible nodes
- vi /home/vagrant/inventory
- If the IPs are consecutive you can write them as a range, [start IP:end IP].
[vagrant@ansible-server ~]$ vi inventory
[ubunt]
192.168.1.[101:104]

[cent]
192.168.1.201 hostname=node201   # creates a host variable named "hostname" holding the node's hostname
192.168.1.202 hostname=node202
192.168.1.203 hostname=node203
192.168.1.204 hostname=node204
Writing the playbook that registers the SSH public key in the Ansible nodes' authorized_keys
---
- hosts: cent
  gather_facts: no
  tasks:
    - name: ssh-keygen ansible-server
      connection: local     # runs on the Ansible server itself, which is where the key pair must be generated
      command: "ssh-keygen -b 2048 -t rsa -f /home/vagrant/.ssh/id_rsa -q -N ''"
      ignore_errors: yes    # ssh-keygen exits non-zero if id_rsa already exists; keep going with the existing key
      run_once: true        # generate the key once, not once per target host

    - name: import id_rsa.pub
      connection: local
      command: "cat /home/vagrant/.ssh/id_rsa.pub"
      register: id_pub      # with run_once the registered result is available to every host in the play
      run_once: true

    - name: add ansible-node authorized keys
      lineinfile:
        dest: /home/vagrant/.ssh/authorized_keys
        line: "{{ id_pub.stdout }}"   # appended only if an identical line is not already present
Running the playbook
- At this point the Ansible nodes do not yet have the Ansible server's SSH key, so run with -k to have Ansible prompt for the SSH password.
[vagrant@ansible-server ~]$ ansible-playbook -i inventory add_authorized_keys.yml -k
SSH password:

PLAY [cent] *********************************************************************

TASK [ssh-keygen ansible-server] ************************************************
changed: [192.168.1.201]

TASK [import id_rsa.pub] ********************************************************
changed: [192.168.1.201]

TASK [add ansible-node authorized keys] *****************************************
changed: [192.168.1.204]
changed: [192.168.1.201]
changed: [192.168.1.203]
changed: [192.168.1.202]

PLAY RECAP **********************************************************************
192.168.1.201 : ok=3 changed=3 unreachable=0 failed=0
192.168.1.202 : ok=1 changed=1 unreachable=0 failed=0
192.168.1.203 : ok=1 changed=1 unreachable=0 failed=0
192.168.1.204 : ok=1 changed=1 unreachable=0 failed=0
SSH login to an Ansible node
- The Ansible server's SSH key is now in the Ansible node's authorized_keys, so no password is asked for.
[vagrant@ansible-server ~]$ ssh node202
Last login: Thu Dec 27 16:30:50 2018 from 192.168.1.10
[vagrant@ansible-node202 ~]$
Checking the Ansible server's SSH key registered in the Ansible node's authorized_keys
- The key for vagrant@ansible-server now appears as shown below.
[vagrant@ansible-node202 ~]$ cat /home/vagrant/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZX8CJFEMlpQ5Bl9LQfzM61U3vxwXPA1xYuNH0R40BaVy4bjsg3Gbdjku1Ma+4MipTH3Ldq/hstFqQuUqcDsX9AosqvvKq6Ky9ILHj7X8ISViCR27CvNz2bK9xM7ldSBFRA/qivYWTEWPhTQzfyF+7Q2NmVDkfIQQ+T2bCDRVzMGS3/Mk8TBv+USq5egdq5gQ94L8a9ggGCI31YSZ4xgaTdB6UecxMhP37zv8k715xkCmWfSO2uIueZdQRuCVJ4kaBQw/FYZ0OtE+vpnngBwE4F/PmNggg+Kkn5cUSMxcr/A30a97P54UktMzs0Q1D4CBuVZK4wnJ7zOMHic08ZIpD vagrant
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTnknH73Kq2JemE6USZV5MYShcftS3PcrHsXKomH9jG2k16nnp2VK/M1u/8a4E4BHgcn1JV52QwayHVroQ/j4uY8s1NNXzORs14zoa2eqZN955d9b3Ibkw9Y1d1NbrRmI89rJadJDRRf/Er88fZFMGJ3srd/WEJ5n9D9FTE8466juKqev6FdeiVn9WAHzISBNwZxQdphCm0d0hH4HzpfPZVZ7rn/GU/nKCxh4kUeMsW7sv3jnb9XF5tn0RFzPSvOCKr5kupkJKkanDGI3AQWkkNweV8jo2gyrf6xrgK5dpI99dtZ1fBROmMNxaSwGi6qMSxxrDPksjS8xDjTDYwrMl vagrant@ansible-server
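The playbook above gets the job done, but it appends whatever cat printed, leaves file modes to chance, and the registered key can be used from any host that gets hold of id_rsa. The following playbook is an added example, not from the original post, that covers the same procedure with Ansible's openssh_keypair and authorized_key modules: it generates an ed25519 key pair on the control node once, registers the public key for the vagrant user on every node (the module creates ~/.ssh and authorized_keys with the right modes), pins the key to the control node's address with a from= option and forbids forwarding through it, and finally checks that key-based login actually works. The control node address 192.168.1.10 is taken from the login banners above; the cent group and /home/vagrant path are the post's; the variable names and the ed25519 key path are my assumptions, and the two modules assume Ansible 2.8 or later (on newer releases they live in the community.crypto and ansible.posix collections).

```yaml
---
- hosts: cent
  gather_facts: no
  vars:
    # Assumptions for this example (not from the original post): the control
    # node's address as seen by the nodes, and where the new key pair lives.
    control_node_ip: 192.168.1.10
    key_path: /home/vagrant/.ssh/id_ed25519
  tasks:
    - name: generate an ed25519 key pair on the control node (once, idempotent)
      openssh_keypair:
        path: "{{ key_path }}"
        type: ed25519
        comment: vagrant@ansible-server
      delegate_to: localhost
      run_once: true

    - name: register the control node's public key for the vagrant user
      authorized_key:
        user: vagrant
        state: present
        key: "{{ lookup('file', key_path ~ '.pub') }}"
        # sshd accepts this key only from the control node and refuses
        # port/agent/X11 forwarding over it, so a leaked private key is
        # useless from any other host and cannot be used as a pivot.
        key_options: 'from="{{ control_node_ip }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
        manage_dir: yes   # create ~/.ssh (0700) and authorized_keys (0600) if missing

    - name: verify key-based login works before relying on it
      # BatchMode refuses to fall back to a password prompt, so this fails
      # loudly if the key was not accepted; StrictHostKeyChecking relies on
      # the known_hosts entries registered in the earlier post.
      command: ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -i {{ key_path }} vagrant@{{ inventory_hostname }} true
      delegate_to: localhost
      changed_when: false
```

Run it once with -k exactly as in the post, since the nodes do not trust the key yet; on later runs the key is already in place and -k is not needed. ssh tries id_ed25519 among its default identities, so no inventory change is required to switch Ansible over to the new key. Do not add exclusive: yes to the authorized_key task here: it would strip every other key from the file, including the vagrant key that the nodes were provisioned with.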
Question
How do you delete the Ansible server's SSH key from the Ansible nodes' authorized_keys?
Writing the playbook
Using lineinfile with a regexp and state: absent removes every line that matches the regular expression.
The regex below matches lines ending ($) in ansible-server. Note that this matches on the key's comment, which is free text: any key whose comment happens to end in ansible-server would be removed as well, and the Ansible server's key would survive if it had been added with a different comment. Matching on the key material itself is the safer choice when keys differ only in their comment.
---
- hosts: cent
  gather_facts: no
  tasks:
    - name: remove ansible-server key in node
      lineinfile:
        path: /home/vagrant/.ssh/authorized_keys
        state: absent
        regexp: 'ansible-server$'   # deletes every line whose comment ends in ansible-server
Running the playbook
- The ansible-server key is already in the Ansible nodes' authorized_keys, so the playbook runs without -k.
[vagrant@ansible-server ~]$ ansible-playbook -i inventory remove_authorized_keys.yml

PLAY [cent] *********************************************************************

TASK [remove ansible-server key in node] ****************************************
changed: [192.168.1.201]
changed: [192.168.1.204]
changed: [192.168.1.203]
changed: [192.168.1.202]

PLAY RECAP **********************************************************************
192.168.1.201 : ok=1 changed=1 unreachable=0 failed=0
192.168.1.202 : ok=1 changed=1 unreachable=0 failed=0
192.168.1.203 : ok=1 changed=1 unreachable=0 failed=0
192.168.1.204 : ok=1 changed=1 unreachable=0 failed=0
Confirming the Ansible server's SSH key was removed from the Ansible node's authorized_keys
- ssh prompts for a password again, and the ansible-server key is gone from authorized_keys, as shown below.
[vagrant@ansible-server ~]$ ssh node202
vagrant@node202's password:
Last login: Thu Dec 27 16:41:43 2018 from 192.168.1.10
[vagrant@ansible-node202 ~]$ cat /home/vagrant/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZX8CJFEMlpQ5Bl9LQfzM61U3vxwXPA1xYuNH0R40BaVy4bjsg3Gbdjku1Ma+4MipTH3Ldq/hstFqQuUqcDsX9AosqvvKq6Ky9ILHj7X8ISViCR27CvNz2bK9xM7ldSBFRA/qivYWTEWPhTQzfyF+7Q2NmVDkfIQQ+T2bCDRVzMGS3/Mk8TBv+USq5egdq5gQ94L8a9ggGCI31YSZ4xgaTdB6UecxMhP37zv8k715xkCmWfSO2uIueZdQRuCVJ4kaBQw/FYZ0OtE+vpnngBwE4F/PmNggg+Kkn5cUSMxcr/A30a97P54UktMzs0Q1D4CBuVZK4wnJ7zOMHic08ZIpD vagrant
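The removal playbook above selects lines by the comment at the end of the key (ansible-server$), which anyone writing to the file can choose freely. The playbook below is an added example, not from the original post, that removes the key by its key material instead, using the authorized_key module with state: absent (the module compares key type and base64 blob and ignores the comment and options), and then checks the file to confirm no line still carries that blob. It reuses the post's cent group, the /home/vagrant paths and the id_rsa.pub the post generated; the variable names are my own.

```yaml
---
- hosts: cent
  gather_facts: no
  vars:
    # The public key the post generated on the control node (assumed path).
    pubkey_file: /home/vagrant/.ssh/id_rsa.pub
    # An authorized_keys line is "<type> <base64 blob> [comment]"; field 1
    # (0-based) is the blob, which identifies the key regardless of comment.
    pubkey_blob: "{{ lookup('file', pubkey_file).split()[1] }}"
  tasks:
    - name: remove the control node's key, matched by key material rather than comment
      authorized_key:
        user: vagrant
        state: absent
        key: "{{ lookup('file', pubkey_file) }}"

    - name: confirm no line still carries that key blob
      # grep -c prints the number of matching lines and exits 1 when there are
      # none, so the task is judged on the printed count, not the exit code.
      command: grep -c -F "{{ pubkey_blob }}" /home/vagrant/.ssh/authorized_keys
      register: remaining
      changed_when: false
      failed_when: remaining.stdout != "0"
```

As with the post's version, this runs without -k because the key is still trusted when the play starts; once it has run, the next ansible-playbook invocation against these nodes needs -k again. If a node had the same key registered under a different comment, or with from= or other options in front of it, this play still removes it, which is exactly what the regexp on the comment could not guarantee.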