Configure ansible to use 2 keys? via TrustedUserCAKeys

Problem description

I am using HashiCorp Vault to sign SSH public keys:

###### client - my laptop
# step-1: Generate key pair
ssh-keygen -t rsa -N "" -f mykey

# step-2:sign the public key
# -field=signed_key writes only the signed certificate, not the whole response table
vault write -field=signed_key ssh-client-signer/sign/my-role \
    public_key=@$(pwd)/mykey.pub > mykey-cert.pub

mykey-cert.pub is the third key: the signed public key

After adding the CA pub cert to sshd:

###### server which runs sshd

vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem

echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" >> /etc/ssh/sshd_config

systemctl restart sshd

Using the SSH client, I am able to log in

###### client - my laptop
# ssh -i <signed-pub-key> -i <private-key> user@ip command
ssh -i mykey-cert.pub -i mykey user@ip ls

This works like a charm.

So, so far, Vault is no longer involved externally.

But when I try to ping with ansible, `ansible xyz -m ping -vvv`, I get an error:

<xyz> ESTABLISH SSH CONNECTION FOR USER: xyz
<xyz> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -i mykey-cert.pub -i mykey -o StrictHostKeyChecking=no -o Port=2323 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="xyz-user"' -o ConnectTimeout=10 -o ControlPath=/home/xyz-control/.ansible/cp/18ca7ea27d xyz '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
ssh-server-pod | UNREACHABLE! => {
    "changed": false,"msg": "SSH Error: data could not be sent to remote host \"xyz\". Make sure this host can be reached over ssh","unreachable": true
}

I tried using SSH_ARGS in ansible.cfg, since ansible_ssh_private_key_file only accepts the path to a private key

[defaults]
INVENTORY = inventory
HOST_KEY_CHECKING = False
[ssh_connection]
PIPELINING = True
SSH_ARGS = "-C -o ControlMaster=auto -o ControlPersist=60s -i mykey-cert.pub -i mykey"

...and it still doesn't work?

Should I enable some extension such as permit-pty: "" or remove the critical options? Even though it works with the SSH client.
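As an added example (not part of the question above and not a fix for it), here is a Python script that parses the text `ssh-keygen -L -f mykey-cert.pub` prints for a certificate and checks the things sshd checks before accepting it: that it is a user certificate, that the login user is among its principals (the manual test above logs in as `user@ip`, while the ansible log shows `User="xyz-user"`), and that the current time falls inside its validity window. The listing is a constructed sample with placeholder fingerprints; the field layout follows OpenSSH's ssh-keygen, so compare it with what your own version prints. The `permit-pty` extension is reported but not treated as an error, because a command executed without a TTY does not need it.

```python
"""Parse `ssh-keygen -L` output and check a user certificate for a given login.

Added example; the sample listing is constructed and the fingerprints are placeholders.
"""
import re
from datetime import datetime

# Constructed sample of `ssh-keygen -L -f mykey-cert.pub` output (not real data).
SAMPLE_CERT_LISTING = """\
mykey-cert.pub:
        Type: ssh-rsa-cert-v01@openssh.com user certificate
        Public key: RSA-CERT SHA256:CONSTRUCTED-KEY-FINGERPRINT
        Signing CA: RSA SHA256:CONSTRUCTED-CA-FINGERPRINT (using rsa-sha2-256)
        Key ID: "vault-xyz-user-1704110400"
        Serial: 42
        Valid: from 2024-01-01T12:00:00 to 2024-01-01T12:30:00
        Principals:
                xyz-user
        Critical Options: (none)
        Extensions:
                permit-pty
                permit-user-rc
"""

# Fields whose values are printed as indented items on the following lines.
LIST_FIELDS = {"Principals": "principals",
               "Critical Options": "critical_options",
               "Extensions": "extensions"}
FIELD_RE = re.compile(r"^(Type|Public key|Signing CA|Key ID|Serial|Valid|"
                      r"Principals|Critical Options|Extensions):\s*(.*)$")
TIME_FMT = "%Y-%m-%dT%H:%M:%S"   # ssh-keygen prints local time in this form


def _parse_validity(text):
    """Map 'forever' / 'before T' / 'after T' / 'from T to T' to (not_before, not_after)."""
    m = re.match(r"from (\S+) to (\S+)", text)
    if m:
        return (datetime.strptime(m.group(1), TIME_FMT),
                datetime.strptime(m.group(2), TIME_FMT))
    m = re.match(r"(before|after) (\S+)", text)
    if m:
        t = datetime.strptime(m.group(2), TIME_FMT)
        return (None, t) if m.group(1) == "before" else (t, None)
    return (None, None)   # "forever"


def parse_cert_listing(text):
    """Turn the ssh-keygen -L listing into a dict; list fields become Python lists."""
    cert = {key: [] for key in LIST_FIELDS.values()}
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not raw[:1].isspace():   # blank line or the "file.pub:" header
            continue
        m = FIELD_RE.match(line)
        if m is None:
            if current_list is not None:        # an item under Principals/Options/Extensions
                current_list.append(line)
            continue
        name, value = m.group(1), m.group(2).strip()
        current_list = None
        if name in LIST_FIELDS:
            # "(none)" is printed inline; otherwise items follow on their own lines
            current_list = None if value == "(none)" else cert[LIST_FIELDS[name]]
        elif name == "Valid":
            cert["valid"] = _parse_validity(value)
        else:
            cert[name.lower().replace(" ", "_")] = value.strip('"')
    return cert


def check_certificate(cert, login_user, now):
    """Return the reasons sshd would reject this certificate for login_user at time `now`.

    `now` is a datetime or a string in TIME_FMT. An empty principal list means the
    certificate is valid for any user, so only a non-empty list is checked.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    problems = []
    if "user certificate" not in cert.get("type", ""):
        problems.append("not a user certificate: " + cert.get("type", "?"))
    if cert["principals"] and login_user not in cert["principals"]:
        problems.append(f"principal {login_user!r} not listed in {cert['principals']}")
    not_before, not_after = cert.get("valid", (None, None))
    if not_before is not None and now < not_before:
        problems.append("not yet valid until " + not_before.strftime(TIME_FMT))
    if not_after is not None and now > not_after:
        problems.append("expired at " + not_after.strftime(TIME_FMT))
    return problems


if __name__ == "__main__":
    cert = parse_cert_listing(SAMPLE_CERT_LISTING)
    for user in ("xyz-user", "root"):
        print(user, check_certificate(cert, user, datetime.now()) or "OK")
    if "permit-pty" not in cert["extensions"]:
        print("note: no permit-pty extension; interactive shells would be refused")
```

Run it against real output with `ssh-keygen -L -f mykey-cert.pub | python3 check_cert.py` after replacing the sample with `sys.stdin.read()`; the validity check is the one to repeat right before an ansible run, since a certificate that was valid during a manual `ssh` test may have expired by the time ansible connects.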

Solution

No working solution for this problem has been found yet.

