Problem description
I am using Hashicorp Vault to sign an SSH public key:
###### client - my laptop
# step-1: Generate key pair
ssh-keygen -t rsa -N "" -f mykey
# step-2: sign the public key
vault write ssh-client-signer/sign/my-role \
public_key=@$(pwd)/mykey.pub > mykey-cert.pub
mykey-cert.pub is the third key: the signed public key.
After adding the CA public key to sshd:
###### server which runs sshd
vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem
echo "TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem" >> /etc/ssh/sshd_config
systemctl restart sshd
Using the SSH client, I am able to log in:
###### client - my laptop
# ssh -i <signed-pub-key> -i <private-key> user@ip command
ssh -i mykey-cert.pub -i mykey user@ip ls
This works like a charm.
So up to this point, Vault is out of the equation.
But when I try to ping with Ansible, ansible xyz -m ping -vvv, I get an error:
<xyz> ESTABLISH SSH CONNECTION FOR USER: xyz
<xyz> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -i mykey-cert.pub -i mykey -o StrictHostKeyChecking=no -o Port=2323 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="xyz-user"' -o ConnectTimeout=10 -o ControlPath=/home/xyz-control/.ansible/cp/18ca7ea27d xyz '/bin/sh -c '"'"'/usr/bin/python && sleep 0'"'"''
ssh-server-pod | UNREACHABLE! => {
"changed": false,"msg": "SSH Error: data could not be sent to remote host \"xyz\". Make sure this host can be reached over ssh","unreachable": true
}
I tried using SSH_ARGS in ansible.cfg, since ansible_ssh_private_key_file only accepts the path to the private key:
[defaults]
INVENTORY = inventory
HOST_KEY_CHECKING = False
[ssh_connection]
PIPELINING = True
SSH_ARGS = "-C -o ControlMaster=auto -o ControlPersist=60s -i mykey-cert.pub -i mykey"
...still not working?
Should I enable some extension such as permit-pty: "" or remove the critical options? Even though it works with the SSH client.
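The question asks whether the permit-pty extension or the critical options matter. The following is an added example, not code from the question's author or from Vault, that decodes a signed certificate such as mykey-cert.pub and lists what sshd checks before accepting it for a login user: the validity window (Vault-signed certificates carry a TTL), the principals against the user Ansible logs in as (xyz-user in the debug output above), and the extensions. The sample certificate it builds is constructed and unsigned (layout only), and its key id, serial and dummy RSA modulus are placeholders.

```python
import base64
import struct

CERT_TYPE = "ssh-rsa-cert-v01@openssh.com"
def _s(buf, off):  # read one SSH "string": uint32 big-endian length, then that many bytes
    n = struct.unpack(">I", buf[off:off + 4])[0]
    return buf[off + 4:off + 4 + n], off + 4 + n
def _p(b):  # pack one SSH "string"
    return struct.pack(">I", len(b)) + b
def _name_list(blob, pairs):  # principals are bare strings; options/extensions are (name, data) pairs
    out, off = [], 0
    while off < len(blob):
        s, off = _s(blob, off)
        off = _s(blob, off)[1] if pairs else off  # skip option data; empty for flags such as permit-pty
        out.append(s.decode())
    return out

def parse_cert(line):  # decode one *-cert.pub line (RSA user cert, field order per OpenSSH PROTOCOL.certkeys)
    buf, off, c = base64.b64decode(line.split()[1]), 0, {}
    for name in ("type_name", "nonce", "e", "n"):
        c[name], off = _s(buf, off)
    if c["type_name"] != CERT_TYPE.encode():
        raise ValueError("unexpected certificate type %r" % c["type_name"])
    c["serial"], c["cert_type"] = struct.unpack(">QI", buf[off:off + 12]); off += 12
    c["key_id"], off = _s(buf, off)
    principals, off = _s(buf, off)
    c["valid_after"], c["valid_before"] = struct.unpack(">QQ", buf[off:off + 16]); off += 16
    crit, off = _s(buf, off)
    ext, off = _s(buf, off)  # the CA signature that follows is not verified here; sshd does that
    c.update(principals=_name_list(principals, False), critical=_name_list(crit, True), extensions=_name_list(ext, True))
    return c

def check_cert(c, login_user, now):  # what sshd would object to when login_user presents c at epoch time now
    problems = []
    if not c["valid_after"] <= now < c["valid_before"]:
        problems.append("outside validity window %d..%d" % (c["valid_after"], c["valid_before"]))
    if c["principals"] and login_user not in c["principals"]:  # an empty list allows any principal
        problems.append("principal %r not among %r" % (login_user, c["principals"]))
    if "permit-pty" not in c["extensions"]:
        problems.append("permit-pty extension absent, so sshd will refuse to allocate a tty")
    return problems

def sample_cert_line(principals, ttl, extensions, now):  # constructed, unsigned sample; signature fields empty
    body = b"".join([
        _p(CERT_TYPE.encode()), _p(b"\0" * 32), _p(b"\x01\x00\x01"), _p(b"\0" + b"\xab" * 256),  # type, nonce, e, n
        struct.pack(">QI", 7, 1), _p(b"vault-my-role-sample"),  # placeholder serial, type 1 = user cert, key id
        _p(b"".join(_p(p.encode()) for p in principals)), struct.pack(">QQ", now - 60, now + ttl),
        _p(b""), _p(b"".join(_p(x.encode()) + _p(b"") for x in extensions)),  # no critical options; extensions
        _p(b""), _p(b""), _p(b"")])  # reserved, signature key, signature
    return CERT_TYPE + " " + base64.b64encode(body).decode()
```

For a real certificate, ssh-keygen -L -f mykey-cert.pub prints the same fields; comparing its Principals line with the Ansible user and its Valid line with the time of the Ansible run is the manual version of check_cert.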