linux Ansible -禁用ssh密码身份验证

5jvtdoz2  于 2022-11-02  发布在  Linux
关注(0)|答案(2)|浏览(159)

我正在尝试创建一个可以正确处理sshd_config的任务。我在其他问题中找到了类似的正则表达式,但它们什么也不做。

name: Disable SSH password authentication
      become: true
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: '^#?\s*PasswordAuthentication\s'
        line: 'PasswordAuthentication no'
        state: present

问题是它应该处理重复的车道和评论。

  • 可能有:
PasswordAuthentication no
PasswordAuthentication yes

PasswordAuthentication no
PasswordAuthentication no

PasswordAuthentication yes
PasswordAuthentication yes

PasswordAuthentication no
#PasswordAuthentication no

PasswordAuthentication no
# PasswordAuthentication no

# PasswordAuthentication no
# PasswordAuthentication no

但是我只想有一个未注解的行PasswordAuthentication no
这可能吗?

tktrz96b

tktrz96b1#

Q:"* 处理重复行和注解...具有单个未注解行PasswordAuthentication no*"
A:根据文件列表

my_files:
      - sshd_config.0
      - sshd_config.1
      - sshd_config.2
      - sshd_config.3
      - sshd_config.4
      - sshd_config.5

并且内容

shell> for f in files-17/*; do printf "\n%s\n" $f; cat $f; done

files-17/sshd_config.0
PasswordAuthentication no
PasswordAuthentication yes

files-17/sshd_config.1
PasswordAuthentication no
PasswordAuthentication no

files-17/sshd_config.2
PasswordAuthentication yes
PasswordAuthentication yes

files-17/sshd_config.3
PasswordAuthentication no
#PasswordAuthentication no

files-17/sshd_config.4
PasswordAuthentication no
# PasswordAuthentication no

files-17/sshd_config.5
# PasswordAuthentication no
# PasswordAuthentication no

以下任务将删除除第一行(包含 PasswordAuthentication)以外的所有行

- replace:
        path: 'files-17/{{ item }}'
        after: 'PasswordAuthentication'
        regexp: '^(.*)PasswordAuthentication(.*)$'
        replace: ''
      loop: "{{ my_files }}"

给予

shell> for f in files-17/*; do printf "\n%s\n" $f; cat $f; done

files-17/sshd_config.0
PasswordAuthentication no

files-17/sshd_config.1
PasswordAuthentication no

files-17/sshd_config.2
PasswordAuthentication yes

files-17/sshd_config.3
PasswordAuthentication no

files-17/sshd_config.4
PasswordAuthentication no

files-17/sshd_config.5
# PasswordAuthentication no

下一个任务用 PasswordAuthentication no 替换这些行

- lineinfile:
        path: 'files-17/{{ item }}'
        regexp: '^(.*)PasswordAuthentication(.*)$'
        line: 'PasswordAuthentication no'
      loop: "{{ my_files }}"

给予

shell> for f in files-17/*; do printf "\n%s\n" $f; cat $f; done

files-17/sshd_config.0
PasswordAuthentication no

files-17/sshd_config.1
PasswordAuthentication no

files-17/sshd_config.2
PasswordAuthentication no

files-17/sshd_config.3
PasswordAuthentication no

files-17/sshd_config.4
PasswordAuthentication no

files-17/sshd_config.5
PasswordAuthentication no

任务的顺序是幂等的。

6ie5vjzr

6ie5vjzr2#

使用ansible尝试此操作

- name: Disallow SSH password authentication
    lineinfile:
      dest=/etc/ssh/sshd_config
      regexp="^PasswordAuthentication"
      line="PasswordAuthentication no"
      state=present
    notify:
      - restart sshd

相关问题