我正在尝试制作正确处理sshd_config的 ansible 任务。我从其他问题中找到了类似的正则表达式,但它们什么也没做。
name: Disable SSH password authentication
become: true
lineinfile:
dest: /etc/ssh/sshd_config
regexp: '^#?s*PasswordAuthentications'
line: 'PasswordAuthentication no'
state: present
问题是它应该处理重复的通道以及注释。例如:
- 可能有:
PasswordAuthentication no
PasswordAuthentication yes
或
PasswordAuthentication no
PasswordAuthentication no
或
PasswordAuthentication yes
PasswordAuthentication yes
或
PasswordAuthentication no
#PasswordAuthentication no
或
PasswordAuthentication no
# PasswordAuthentication no
或
# PasswordAuthentication no
# PasswordAuthentication no
等等这么多的组合。但我只想有一个未注释的行PasswordAuthentication no
这可能吗?
问:">处理重复的行和注释...有单个未注释行PasswordAuthentication no">
答:给定文件列表
my_files:
- sshd_config.0
- sshd_config.1
- sshd_config.2
- sshd_config.3
- sshd_config.4
- sshd_config.5
和内容
shell> for f in files-17/*; do printf "n%sn" $f; cat $f; done
files-17/sshd_config.0
PasswordAuthentication no
PasswordAuthentication yes
files-17/sshd_config.1
PasswordAuthentication no
PasswordAuthentication no
files-17/sshd_config.2
PasswordAuthentication yes
PasswordAuthentication yes
files-17/sshd_config.3
PasswordAuthentication no
#PasswordAuthentication no
files-17/sshd_config.4
PasswordAuthentication no
# PasswordAuthentication no
files-17/sshd_config.5
# PasswordAuthentication no
# PasswordAuthentication no
下面的任务删除了除第一行之外的所有内容,其中包括PasswordAuthentication
- replace:
path: 'files-17/{{ item }}'
after: 'PasswordAuthentication'
regexp: '^(.*)PasswordAuthentication(.*)$'
replace: ''
loop: "{{ my_files }}"
给
shell> for f in files-17/*; do printf "n%sn" $f; cat $f; done
files-17/sshd_config.0
PasswordAuthentication no
files-17/sshd_config.1
PasswordAuthentication no
files-17/sshd_config.2
PasswordAuthentication yes
files-17/sshd_config.3
PasswordAuthentication no
files-17/sshd_config.4
PasswordAuthentication no
files-17/sshd_config.5
# PasswordAuthentication no
下一个任务将行替换为PasswordAuthentication no
- lineinfile:
path: 'files-17/{{ item }}'
regexp: '^(.*)PasswordAuthentication(.*)$'
line: 'PasswordAuthentication no'
loop: "{{ my_files }}"
给
shell> for f in files-17/*; do printf "n%sn" $f; cat $f; done
files-17/sshd_config.0
PasswordAuthentication no
files-17/sshd_config.1
PasswordAuthentication no
files-17/sshd_config.2
PasswordAuthentication no
files-17/sshd_config.3
PasswordAuthentication no
files-17/sshd_config.4
PasswordAuthentication no
files-17/sshd_config.5
PasswordAuthentication no
任务的顺序是幂等的。
试试这个ansible
- name: Disallow SSH password authentication
lineinfile:
dest=/etc/ssh/sshd_config
regexp="^PasswordAuthentication"
line="PasswordAuthentication no"
state=present
validate: sshd -t -f %s
notify:
- restart sshd
如果您的发行版有一个/etc/ssh/ssh_config.d/文件夹,您可以在那里复制一个文件:
- name: Disallow SSH password authentication
template: src=disablePasswordAuth.conf dest=/etc/ssh/sshd_config.d/disablePasswordAuth.conf
notify:
- restart sshd
然后还要添加disablePasswordAuth.conf:
PasswordAuthentication no
执行以下操作:
eval "$(ssh-agent -s)"
ssh-add
而且它不会再要求输入密码。