{"id":281,"date":"2025-06-16T16:35:52","date_gmt":"2025-06-16T08:35:52","guid":{"rendered":"https:\/\/qkd.koudaipc.com\/?p=281"},"modified":"2026-01-27T21:20:44","modified_gmt":"2026-01-27T13:20:44","slug":"%e5%9c%a8-kpcos-%e7%82%8e%e5%b8%9d-1-01-%e4%b8%8a%e9%85%8d%e7%bd%ae-ansible-%e4%bd%bf%e7%94%a8-ssh-%e8%bf%9b%e8%a1%8c%e6%9c%8d%e5%8a%a1%e5%99%a8%e7%ae%a1%e7%90%86","status":"publish","type":"post","link":"https:\/\/qkd.koudaipc.com\/en\/2025\/06\/16\/%e5%9c%a8-kpcos-%e7%82%8e%e5%b8%9d-1-01-%e4%b8%8a%e9%85%8d%e7%bd%ae-ansible-%e4%bd%bf%e7%94%a8-ssh-%e8%bf%9b%e8%a1%8c%e6%9c%8d%e5%8a%a1%e5%99%a8%e7%ae%a1%e7%90%86\/","title":{"rendered":"\u5728 KPCOS\/\u708e\u5e1d 1.01 \u4e0a\u914d\u7f6e Ansible \u4f7f\u7528 SSH \u8fdb\u884c\u670d\u52a1\u5668\u7ba1\u7406"},"content":{"rendered":"

\u5728 KPCOS\/\u708e\u5e1d 1.01 \u4e0a\u914d\u7f6e Ansible \u4f7f\u7528 SSH \u8fdb\u884c\u670d\u52a1\u5668\u7ba1\u7406\u7684\u5b8c\u6574\u6307\u5357\u5982\u4e0b\uff1a<\/p>\n

\n

1. \u57fa\u7840\u73af\u5883\u51c6\u5907<\/h3>\n

\u63a7\u5236\u8282\u70b9\uff08\u7ba1\u7406\u673a\uff09<\/h4>\n
sudo apt update\nsudo apt install ansible sshpass -y  # \u5b89\u88c5 Ansible \u548c SSH \u5bc6\u7801\u5de5\u5177<\/code><\/pre>\n
\u88ab\u7ba1\u8282\u70b9\uff08\u76ee\u6807\u670d\u52a1\u5668\uff09<\/h4>\n
\u786e\u4fdd\u6240\u6709\u76ee\u6807\u670d\u52a1\u5668\uff1a<\/p>\n
    \n
  • \u5f00\u542f SSH \u670d\u52a1\uff08<code>sudo systemctl status ssh<\/code>\uff09<\/li>\n
  • \u6709\u53ef\u901a\u8fc7\u5bc6\u7801\u6216\u5bc6\u94a5\u767b\u5f55\u7684\u7ba1\u7406\u7528\u6237<\/li>\n<\/ul>\n
    \n
    2. SSH \u5bc6\u94a5\u914d\u7f6e\uff08\u63a8\u8350\u514d\u5bc6\u767b\u5f55\uff09<\/h3>\n
    \u751f\u6210\u5bc6\u94a5\u5bf9\uff08\u63a7\u5236\u8282\u70b9\uff09<\/h4>\n
    ssh-keygen -t ed25519 -f ~\/.ssh\/ansible_key  # \u66f4\u5b89\u5168\u7684\u5bc6\u94a5\u7c7b\u578b<\/code><\/pre>\n
    \u5206\u53d1\u516c\u94a5\u5230\u6240\u6709\u8282\u70b9<\/h4>\n
    # \u5355\u53f0\u670d\u52a1\u5668\u5206\u53d1\nssh-copy-id -i ~\/.ssh\/ansible_key.pub user@server_ip\n\n# \u6279\u91cf\u5206\u53d1\uff08\u9700\u5148\u914d\u7f6e\u597d\u6e05\u5355\u6587\u4ef6\uff09\nansible all -i inventory.ini -m ansible.builtin.authorized_key \\\n  -a &quot;user=your_user key=&#039;{{ lookup(&#039;file&#039;, &#039;~\/.ssh\/ansible_key.pub&#039;) }}&#039;&quot; \\\n  --ask-pass --ask-become-pass<\/code><\/pre>\n
    \n
    3. \u914d\u7f6e Ansible \u6e05\u5355\u6587\u4ef6<\/h3>\n
    \u521b\u5efa <code>inventory.ini<\/code>\uff1a<\/p>\n
    # \u5206\u7ec4\u5b9a\u4e49\u670d\u52a1\u5668\n[web_servers]\nweb1 ansible_host=192.168.1.10\nweb2 ansible_host=192.168.1.11\n\n[db_servers]\ndb1 ansible_host=192.168.1.20\n\n# \u5168\u5c40\u53d8\u91cf\uff08\u6240\u6709\u670d\u52a1\u5668\u751f\u6548\uff09\n[all:vars]\nansible_user=admin\nansible_ssh_private_key_file=~\/.ssh\/ansible_key\nansible_python_interpreter=\/usr\/bin\/python3<\/code><\/pre>\n
    \n
    4. \u6d4b\u8bd5 SSH \u8fde\u63a5<\/h3>\n
    # \u6d4b\u8bd5\u6240\u6709\u8282\u70b9\u8fde\u901a\u6027\nansible all -i inventory.ini -m ping\n\n# \u6d4b\u8bd5\u7279\u5b9a\u5206\u7ec4\nansible web_servers -i inventory.ini -m ping<\/code><\/pre>\n
    \u6210\u529f\u54cd\u5e94\u793a\u4f8b\uff1a<\/p>\n
    web1 | SUCCESS =&gt; {\n    &quot;changed&quot;: false,\n    &quot;ping&quot;: &quot;pong&quot;\n}<\/code><\/pre>\n
    \n
    5. \u914d\u7f6e SSH \u8fde\u63a5\u53c2\u6570\uff08\u53ef\u9009\uff09<\/h3>\n
    \u5728 <code>inventory.ini<\/code> \u4e2d\u6dfb\u52a0\u9ad8\u7ea7 SSH \u53c2\u6570\uff1a<\/p>\n
    [all:vars]\nansible_ssh_common_args=&#039;-o StrictHostKeyChecking=no -o ConnectTimeout=5&#039;\nansible_become=true          # \u9ed8\u8ba4\u4f7f\u7528 sudo\nansible_become_method=sudo   # \u63d0\u6743\u65b9\u5f0f\nansible_become_pass=your_sudo_password  # \u5bc6\u7801\uff08\u5efa\u8bae\u7528 vault \u52a0\u5bc6\uff09<\/code><\/pre>\n
    \n
    6. \u81ea\u5b9a\u4e49 SSH \u914d\u7f6e\uff08ansible.cfg\uff09<\/h3>\n
    \u521b\u5efa <code>ansible.cfg<\/code> \u6587\u4ef6\uff1a<\/p>\n
    [defaults]\ninventory = inventory.ini\nprivate_key_file = ~\/.ssh\/ansible_key\nhost_key_checking = False  # \u7981\u7528\u4e3b\u673a\u5bc6\u94a5\u9a8c\u8bc1\uff08\u6d4b\u8bd5\u73af\u5883\uff09\nlog_path = .\/ansible.log   # \u542f\u7528\u65e5\u5fd7\u8bb0\u5f55\n\n[ssh_connection]\nssh_args = -C -o ControlMaster=auto -o ControlPersist=60s\npipelining = True  # \u52a0\u901f\u6267\u884c<\/code><\/pre>\n
    \n
    7. \u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\u793a\u4f8b<\/h3>\n
    # \u83b7\u53d6\u6240\u6709\u670d\u52a1\u5668\u7684\u78c1\u76d8\u4fe1\u606f\nansible all -m shell -a &quot;df -h&quot;\n\n# \u91cd\u542f web \u670d\u52a1\u5668\u7ec4\nansible web_servers -m reboot --become<\/code><\/pre>\n
    \n
    8. \u521b\u5efa Playbook \u793a\u4f8b<\/h3>\n
    <code>basic_setup.yml<\/code>\uff1a<\/p>\n
    ---\n- name: Basic Server Setup\n  hosts: all\n  become: yes  # \u4f7f\u7528\u7279\u6743\n\n  tasks:\n    - name: Update apt cache\n      apt:\n        update_cache: yes\n\n    - name: Install essential packages\n      apt:\n        name:\n          - htop\n          - tmux\n          - net-tools\n        state: present\n\n    - name: Ensure SSH service is running\n      service:\n        name: ssh\n        state: started\n        enabled: yes<\/code><\/pre>\n
    \u8fd0\u884c Playbook\uff1a<\/p>\n
    ansible-playbook basic_setup.yml<\/code><\/pre>\n
    \n
    9. SSH \u8fde\u63a5\u95ee\u9898\u6392\u9519<\/h3>\n
    \u5e38\u89c1\u9519\u8bef\u89e3\u51b3\uff1a<\/h4>\n
      \n
    1. \n
      \u4e3b\u673a\u5bc6\u94a5\u9a8c\u8bc1\u5931\u8d25<\/strong>\uff1a<\/p>\n
      # \u624b\u52a8\u63a5\u53d7\u5bc6\u94a5\uff08\u4e34\u65f6\u65b9\u6848\uff09\nssh -i ~\/.ssh\/ansible_key user@host<\/code><\/pre>\n<\/li>\n
    2. \n
      \u6743\u9650\u88ab\u62d2\u7edd<\/strong>\uff1a<\/p>\n
        \n
      • \u786e\u8ba4\u76ee\u6807\u670d\u52a1\u5668 <code>\/etc\/ssh\/sshd_config<\/code> \u5305\u542b\uff1a\n
        PermitRootLogin no\nPasswordAuthentication no  # \u5bc6\u94a5\u767b\u5f55\u9700\u7981\u7528\u5bc6\u7801\nPubkeyAuthentication yes<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n
      • \n
        \u8fde\u63a5\u8d85\u65f6<\/strong>\uff1a<\/p>\n
        # \u5728 ansible.cfg \u589e\u52a0\u8d85\u65f6\u8bbe\u7f6e\n[ssh_connection]\ntimeout = 30<\/code><\/pre>\n<\/li>\n<\/ol>\n
        \n
        10. \u5b89\u5168\u589e\u5f3a\u63aa\u65bd<\/h3>\n
          \n
        1. \n
          \u4f7f\u7528 Ansible Vault \u52a0\u5bc6\u5bc6\u7801<\/strong>\uff1a<\/p>\n
          ansible-vault create secrets.yml<\/code><\/pre>\n
          \u5728 Playbook \u4e2d\u5f15\u7528\uff1a<\/p>\n
          vars_files:\n - secrets.yml<\/code><\/pre>\n<\/li>\n
        2. \n
          \u9650\u5236 SSH \u8bbf\u95ee<\/strong>\uff1a<\/p>\n
          - name: Secure SSH config\n template:\n   src: sshd_config.j2\n   dest: \/etc\/ssh\/sshd_config\n notify: Restart SSH<\/code><\/pre>\n<\/li>\n
        3. \n
          \u5b9a\u671f\u8f6e\u6362\u5bc6\u94a5<\/strong>\uff1a<\/p>\n
          # \u91cd\u65b0\u751f\u6210\u5e76\u5206\u53d1\u5bc6\u94a5\u7684 Playbook\n- name: Rotate SSH keys\n hosts: all\n tasks:\n   - name: Generate new key\n     openssh_keypair:\n       path: ~\/.ssh\/new_key\n       type: ed25519\n   - name: Deploy new key\n     authorized_key: ...<\/code><\/pre>\n<\/li>\n<\/ol>\n
          \n
          \u6700\u7ec8\u9a8c\u8bc1\uff1a<\/h3>\n
          ansible all -m setup  # \u6536\u96c6\u6240\u6709\u8282\u70b9\u7cfb\u7edf\u4fe1\u606f\nansible web_servers -m service -a &quot;name=nginx state=started&quot; --become<\/code><\/pre>\n
          \u6b64\u914d\u7f6e\u53ef\u5b9e\u73b0\uff1a<\/p>\n
            \n
          • \u2705 \u57fa\u4e8e\u5bc6\u94a5\u7684\u5b89\u5168 SSH \u8fde\u63a5<\/li>\n
          • \u2705 \u5206\u7ec4\u670d\u52a1\u5668\u7ba1\u7406<\/li>\n
          • \u2705 \u7279\u6743\u64cd\u4f5c\u652f\u6301<\/li>\n
          • \u2705 \u8be6\u7ec6\u65e5\u5fd7\u8bb0\u5f55<\/li>\n
          • \u2705 \u4f01\u4e1a\u7ea7\u5b89\u5168\u5b9e\u8df5<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
            \u5728 KPCOS\/\u708e\u5e1d 1.01 \u4e0a\u914d\u7f6e Ansible \u4f7f\u7528 SSH \u8fdb\u884c\u670d\u52a1\u5668\u7ba1\u7406\u7684\u5b8c\u6574\u6307\u5357\u5982\u4e0b\uff1a 1. \u57fa […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pmpro_default_level":"","footnotes":""},"categories":[23],"tags":[],"class_list":["post-281","post","type-post","status-publish","format-standard","hentry","category-kpcos","pmpro-has-access"],"_links":{"self":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts\/281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/comments?post=281"}],"version-history":[{"count":2,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts\/281\/revisions"}],"predecessor-version":[{"id":418,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/posts\/281\/revisions\/418"}],"wp:attachment":[{"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/media?parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/categories?post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qkd.koudaipc.com\/en\/wp-json\/wp\/v2\/tags?post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}