关于.ssh/authorized_keys的权利问题,我正在脑子里打结。
我有一个可翻译的脚本,它非常适合在我的服务器上创建我的用户,我只想修改/home/user、/home/user/.ssh和/home/user.ssh/authorized_keys的权限,因为它们在默认情况下是不正确的。我找不到问题出在哪里。
---
- hosts: all
become: true
tasks:
- name: Creation groupe dev
group:
name: dev
state: present
- name: Creation des utilisateurs
user:
name: "{{ item.path }}"
group: dev
state: present
password: "{{ lookup('password', '/dev/null') |password_hash('sha512') }}"
update_password: on_create
with_filetree: xx_pub_keys/
- name: copie des clés SSH
authorized_key:
user: "{{ item.path }}"
key: "{{ lookup('file', 'xx_pub_keys/' + item.path ) }}"
state: present
with_filetree: xx_pub_keys/
- name: droits repertoires
command:
chmod go-w /home/{{ user.path }} &&
chmod 700 /home/{{ user.path }} &&
chmod 644 /home/{{ user.path }}/.ssh/authorized_keys
- name: "Suppression des users eventuels"
user:
name: "{{ item.path }}"
state: absent
remove: true
with_filetree: xx_pub_remove/
- name: Allow admin users to sudo without a password
lineinfile:
dest: "/etc/sudoers"
state: "present"
regexp: "^%admin"
line: "%admin ALL=(ALL) NOPASSWD: ALL"
- name: restart sshd
service: name=ssh state=restarted ...
所以我在"目录权限"部分尝试了user.path、item.path、with_items的短项。。。我不知道。。。
简而言之,我赞成任何修正。
提前感谢
如果我查看任务
- name: droits repertoires
command:
chmod go-w /home/{{ user.path }} &&
chmod 700 /home/{{ user.path }} &&
chmod 644 /home/{{ user.path }}/.ssh/authorized_keys
如果稍后将权限绝对值设置为700,那么从其他组中删除写入权限是没有意义的。换句话说,第一个命令是多余的。
然后,如果存在用于该类任务的模块,则总是首选模块而不是命令。因此,在这里您使用文件模块2次,而不是命令模块:
- name: "check or change /home/{{ user.path }}"
file:
path: /home/{{ user.path }}
state: touch
mode: '700'
- name: "check or change /home/{{ user.path }}/.ssh/authorized_keys"
file:
path: /home/{{ user.path }}/.ssh/authorized_keys
state: touch
mode: '644'