Ansible 2.3 and Cisco IOS SSH key authentication
Ansible version: 2.3.2.0, paramiko version: 2.2.1
Trying to get Ansible working against an IOS-based Cisco switch using SSH RSA key authentication.
Added the key to the switch:
ip ssh pubkey-chain
key-hash ssh-rsa 090A4713055CB0CBE097FFF2FFC8065B [email protected]
Verified the SSHv2 protocol and the key:
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqIKfBqGXuVdv0TbDT6fsPXC+zQ0/aeXBowhrgt4iV
b43PtLxIxZgJaw+Ubc8QJ1pMToK+pABZnub4xbtTR8WoMDh5ruL1XRIDhPxc38DQ5YNfTalyUGL2rlXJ
mZMeRWZ3R0NS6crat/ehC+vTl815yqbyEC7YWIVrRwfnDa2bjAD4ZB+i4E5zqAG1FqduW89h2jZmu7ww
icOnjAg16nOUiI8QJdbsBue6zepcX+uWCTLb4ZBZsCTRfjqt7O/HVEDl9U0K7D4/d6lLijagsozVXYaZ
wQSjlQ6FqXlgplo8rtFAMtH/SHr0ndfejeJmcp2+WRrZnMfMLCmLZNUHumAH
I have connection: local set:
- hosts: ios
  gather_facts: no
  connection: local
  roles:
    - cisco_switch
Here are my provider vars:
cli:
  host: "{{ inventory_hostname }}"
  username: root
  authorize: yes
  auth_pass: ansible
Here is the actual task I am trying to run:
- name: System Settings
  ios_system:
    provider: "{{ cli }}"
    hostname: "{{ inventory_hostname }}"
    domain_name: homelab.lan
    domain_search:
      - homelab.lan
    name_servers:
      - ns1.homelab.lan
Verified that I can log in manually with ssh-agent and ssh [email protected] using the key. However, running the playbook fails with the following:
2017-08-16 13:51:27,483 p=1524 u=root | 1533 1502891487.48368: starting attempt loop
2017-08-16 13:51:27,483 p=1524 u=root | 1533 1502891487.48382: running the handler
2017-08-16 13:51:27,484 p=1524 u=root | 1533 1502891487.48477: Loading Connection 'persistent' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/persistent.py
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48505: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48520: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48534: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48551: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48565: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,486 p=1524 u=root | 1533 1502891487.48620: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True)
2017-08-16 13:51:27,874 p=1534 u=root | 1534 1502891487.87418: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True)
2017-08-16 13:51:27,886 p=1534 u=root | creating new control socket for host c3750e.homelab.lan:22 as user root
2017-08-16 13:51:27,886 p=1534 u=root | control socket path is /root/.ansible/pc/b7f0dc1e86
2017-08-16 13:51:27,886 p=1534 u=root | current working directory is /root/infra_playbook
2017-08-16 13:51:27,887 p=1534 u=root | using connection plugin network_cli
2017-08-16 13:51:27,945 p=1534 u=root | 1542 1502891487.94495: Loading Connection 'network_cli' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py
2017-08-16 13:51:27,946 p=1534 u=root | 1542 1502891487.94620: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py
2017-08-16 13:51:27,946 p=1534 u=root | 1542 1502891487.94650: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py
2017-08-16 13:51:27,946 p=1534 u=root | 1542 1502891487.94694: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py
2017-08-16 13:51:27,947 p=1534 u=root | 1542 1502891487.94714: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py
2017-08-16 13:51:27,947 p=1534 u=root | 1542 1502891487.94740: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,978 paramiko.transport starting thread (client mode): 0x2d7f8d0L
2017-08-16 13:51:27,978 paramiko.transport Local version/idstring: SSH-2.0-paramiko_2.2.1
2017-08-16 13:51:27,980 paramiko.transport Remote version/idstring: SSH-2.0-Cisco-1.25
2017-08-16 13:51:27,980 paramiko.transport Connected (version 2.0, client Cisco-1.25)
2017-08-16 13:51:27,985 paramiko.transport kex algos:[u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1'] server key:[u'ssh-rsa'] client encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] server encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] client mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] server mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] client compress:[u'none'] server compress:[u'none'] client lang:[u''] server lang:[u''] kex follows?False
2017-08-16 13:51:27,985 paramiko.transport Kex agreed: diffie-hellman-group-exchange-sha1
2017-08-16 13:51:27,985 paramiko.transport HostKey agreed: ssh-rsa
2017-08-16 13:51:27,985 paramiko.transport Cipher agreed: aes128-cbc
2017-08-16 13:51:27,985 paramiko.transport MAC agreed: hmac-sha1
2017-08-16 13:51:27,985 paramiko.transport Compression agreed: none
2017-08-16 13:51:27,991 paramiko.transport Got server p (2048 bits)
2017-08-16 13:51:29,278 paramiko.transport kex engine KexGex specified hash_algo <built-in function openssl_sha1>
2017-08-16 13:51:29,279 paramiko.transport Switch to new keys ...
2017-08-16 13:51:29,281 paramiko.transport Trying discovered key 090a4713055cb0cbe097fff2ffc8065b in /root/.ssh/id_rsa
2017-08-16 13:51:29,482 paramiko.transport userauth is OK
2017-08-16 13:51:29,489 paramiko.transport Exception: Illegal info request from server
2017-08-16 13:51:29,490 paramiko.transport Traceback (most recent call last):
2017-08-16 13:51:29,490 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1860, in run
2017-08-16 13:51:29,490 paramiko.transport handler(self.auth_handler, m)
2017-08-16 13:51:29,490 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/auth_handler.py", line 624, in _parse_userauth_info_request
2017-08-16 13:51:29,490 paramiko.transport raise SSHException('Illegal info request from server')
2017-08-16 13:51:29,490 paramiko.transport SSHException: Illegal info request from server
2017-08-16 13:51:29,490 paramiko.transport
2017-08-16 13:51:29,497 p=1534 u=root | connecting to host c3750e.homelab.lan returned an error
2017-08-16 13:51:29,497 p=1534 u=root | Illegal info request from server
2017-08-16 13:51:57,896 p=1534 u=root | number of connection attempts exceeded, unable to connect to control socket
2017-08-16 13:51:57,896 p=1534 u=root | persistent_connect_interval=1, persistent_connect_retries=30
2017-08-16 13:51:57,912 p=1524 u=root | open_shell() returned 255
failed to connect to control socket
2017-08-16 13:51:57,912 p=1524 u=root | 1533 1502891517.91286: handler run complete
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91303: attempt loop complete, returning result
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91316: _execute() done
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91328: dumping result to json
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91342: done dumping result, returning
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91358: done running TaskExecutor() for c3750e.homelab.lan/TASK: cisco_switch : System Settings [c6e4c8ff-dea8-390a-92f3-00000000004d]
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91377: sending task result for task c6e4c8ff-dea8-390a-92f3-00000000004d
2017-08-16 13:51:57,914 p=1524 u=root | 1533 1502891517.91418: done sending task result for task c6e4c8ff-dea8-390a-92f3-00000000004d
2017-08-16 13:51:57,914 p=1524 u=root | 1533 1502891517.91430: WORKER PROCESS EXITING
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91541: marking c3750e.homelab.lan as failed
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91562: marking host c3750e.homelab.lan failed, current state: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_TASKS, fail_state=FAILED_NONE, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91574:^failed state is now: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_COMPLETE, fail_state=FAILED_TASKS, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91585: getting the next task for host c3750e.homelab.lan
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91596: host c3750e.homelab.lan is done iterating, returning
2017-08-16 13:51:57,916 p=1524 u=root | fatal: [c3750e.homelab.lan]: FAILED! => {
"changed": false,
"failed": true,
"msg": "unable to open shell. Please see: https://docs.ansible.com/ansible/network_debug_troubleshooting.html#unable-to-open-shell",
"rc": 255
}
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91630: no more pending results, returning what we have
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91641: results queue empty
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91651: checking for any_errors_fatal
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91661: done checking for any_errors_fatal
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91670: checking for max_fail_percentage
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91679: done checking for max_fail_percentage
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91688: checking to see if all hosts have failed and the running result is not ok
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91697: done checking to see if all hosts have failed
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91706: getting the remaining hosts for this loop
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91717: done getting the remaining hosts for this loop
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91729: building list of next tasks for hosts
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91738: getting the next task for host c3750e.homelab.lan
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91748: host c3750e.homelab.lan is done iterating, returning
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91757: done building task lists
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91766: counting tasks in each state of execution
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91775: done counting tasks in each state of execution:
num_setups: 0
num_tasks: 0
num_rescue: 0
num_always: 0
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91785: all hosts are done, so returning None's for all hosts
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91795: done queuing things up, now waiting for results queue to drain
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91804: results queue empty
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91813: checking for any_errors_fatal
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91822: done checking for any_errors_fatal
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91830: checking for max_fail_percentage
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91839: done checking for max_fail_percentage
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91848: checking to see if all hosts have failed and the running result is not ok
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91857: done checking to see if all hosts have failed
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91869: getting the next task for host c3750e.homelab.lan
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91879: host c3750e.homelab.lan is done iterating, returning
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91888: running handlers
2017-08-16 13:51:57,920 p=1524 u=root | to retry, use: --limit @/root/infra_playbook/site.retry
2017-08-16 13:51:57,920 p=1524 u=root | PLAY RECAP ***************************************************************************************************************************
2017-08-16 13:51:57,921 p=1524 u=root | c3750e.homelab.lan : ok=0 changed=0 unreachable=0 failed=1
2017-08-16 13:51:57,921 p=1524 u=root | 1524 1502891517.92111: RUNNING CLEANUP
Tried various fixes, including the ones in Ansible's Network Debug and Troubleshooting guide, but none of them worked. Tried changing the provider var to transport: ssh and to transport: cli, neither of which worked.
In your IOS config, do you have a username configured under the ip ssh pubkey-chain section? Also, I would like to understand why connection: local is needed.
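What the traceback above actually records is worth spelling out. paramiko's auth handler received an SSH userauth message with number 60 while publickey authentication was in progress and rejected it at auth_handler.py line 624. RFC 4252 section 7 assigns number 60 to SSH_MSG_USERAUTH_PK_OK and RFC 4256 section 3.2 assigns the same number 60 to SSH_MSG_USERAUTH_INFO_REQUEST; the bytes do not say which one they are, a client has to decode them according to the method it believes is active. paramiko 2.2.1's client sends a signed publickey request straight away (as far as I know it never sends the unsigned query), so its handler table routes every message 60 to the INFO_REQUEST parser, which raises unless keyboard-interactive is active. The log does not show the payload, so whether the switch sent a PK_OK or a keyboard-interactive prompt cannot be told from this page. The following Python 3 example is added here and is not code from the question, from paramiko or from Ansible: it builds both message-60 variants, decodes them per method, and mirrors the paramiko 2.2.1 check; the key blob and prompt text are constructed placeholders. Separately, the kex line in the log shows the switch offering only SHA-1 key exchange, CBC ciphers and MD5/SHA-1 MACs, which is worth tightening where the IOS release supports selecting SSH algorithms.

```python
"""Decode SSH userauth message number 60 two ways (added example).

RFC 4252 section 7: SSH_MSG_USERAUTH_PK_OK        = 60 (publickey)
RFC 4256 section 3.2: SSH_MSG_USERAUTH_INFO_REQUEST = 60 (keyboard-interactive)
The client must pick the decoder from the userauth method in progress.
"""
import struct

MSG_60 = 60  # USERAUTH_PK_OK and USERAUTH_INFO_REQUEST share this number


class SSHException(Exception):
    pass


def _string(data):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_uint32(buf, off):
    if off + 4 > len(buf):
        raise SSHException("truncated message")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_string(buf, off):
    n, off = _read_uint32(buf, off)
    if off + n > len(buf):
        raise SSHException("truncated message")
    return buf[off:off + n], off + n


def build_pk_ok(algorithm, key_blob):
    """Server's answer to a publickey query (RFC 4252 section 7)."""
    return bytes([MSG_60]) + _string(algorithm) + _string(key_blob)


def build_info_request(name, instruction, prompts):
    """Server's keyboard-interactive prompt (RFC 4256 section 3.2).
    prompts is a list of (text, echo) pairs."""
    out = bytes([MSG_60]) + _string(name) + _string(instruction) + _string(b"")
    out += struct.pack(">I", len(prompts))
    for text, echo in prompts:
        out += _string(text) + bytes([1 if echo else 0])
    return out


def decode_msg60(payload, auth_method):
    """Decode message 60 the way an RFC-conformant client would: by method."""
    if not payload or payload[0] != MSG_60:
        raise SSHException("not an SSH userauth message 60")
    if auth_method == "publickey":
        algorithm, off = _read_string(payload, 1)
        key_blob, off = _read_string(payload, off)
        if off != len(payload):
            raise SSHException("trailing bytes after PK_OK")
        return {"type": "PK_OK", "algorithm": algorithm.decode(), "key_blob": key_blob}
    if auth_method == "keyboard-interactive":
        name, off = _read_string(payload, 1)
        instruction, off = _read_string(payload, off)
        _language, off = _read_string(payload, off)
        count, off = _read_uint32(payload, off)
        prompts = []
        for _ in range(count):
            text, off = _read_string(payload, off)
            if off >= len(payload):
                raise SSHException("truncated message")
            prompts.append((text.decode(), payload[off] == 1))
            off += 1
        return {"type": "INFO_REQUEST", "name": name.decode(),
                "instruction": instruction.decode(), "prompts": prompts}
    raise SSHException("no userauth method in progress")


def paramiko_221_dispatch(payload, auth_method):
    """Mirror of the check at paramiko 2.2.1 auth_handler.py line 624 in the
    traceback: every message 60 goes to the INFO_REQUEST parser, which rejects
    it unless keyboard-interactive is the method in progress."""
    if auth_method != "keyboard-interactive":
        raise SSHException("Illegal info request from server")
    return decode_msg60(payload, "keyboard-interactive")


def demo():
    """Feed the same PK_OK bytes to both decoders during publickey auth.
    The key blob is a constructed placeholder, not a real key."""
    pk_ok = build_pk_ok(b"ssh-rsa", b"\x00\x00\x00\x07ssh-rsa-placeholder")
    rfc_view = decode_msg60(pk_ok, "publickey")["type"]
    try:
        paramiko_221_dispatch(pk_ok, "publickey")
        paramiko_view = "accepted"
    except SSHException as exc:
        paramiko_view = str(exc)
    return rfc_view, paramiko_view


if __name__ == "__main__":
    print(demo())
```

Running the block prints ('PK_OK', 'Illegal info request from server'): the same bytes are a valid PK_OK under the RFC decoder and a fatal error under the paramiko 2.2.1 rule. Decoding a PK_OK as an INFO_REQUEST fails on a truncated language tag, which is why a client cannot simply try both.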
This is how I would do it myself:
Add this to the ansible hosts file under the [ios] group:
ansible_python_interpreter=/usr/local/bin/python2.7 # or the path to python
ansible_ssh_pass=[the sudo user or root password]
ansible_connection=local
port=22
In your ansible.cfg:
private_key_file = /path/.ssh/known_hosts
host_key_checking = False
host_key_auto_add = True
Simplify your playbook and its dependencies:
---
- hosts: ios
  gather_facts: no
  connection: local
  tasks:
    - name: obtain login credentials
      include_vars: secrets.yml
    - name: define provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ creds['username'] }}"
          password: "{{ creds['password'] }}"
          transport: cli
    - include: tasks/main.yml
secrets.yml
---
creds:
  username: the_username
  password: 'the_password'
tasks/main.yml
---
- name: DNS System Settings
  ios_config:
    lines:
      - ip domain-name homelab.lan
      - ip name-server ns1.homelab.lan
    provider: "{{ provider }}"
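One check worth doing before touching the playbook at all is confirming that the key Ansible will offer is the one the switch has registered. The private_key_file setting in ansible.cfg has to point at the client private key whose public half is on the switch (known_hosts holds server host keys, not a client key). The log in the question gives the relationship between the two identifiers: paramiko reports "Trying discovered key 090a4713055cb0cbe097fff2ffc8065b", which is its MD5 fingerprint of the key blob, and the switch's pubkey-chain line carries the same 32 hex digits, so the IOS key-hash is MD5 over the SSH wire-format blob, i.e. the base64 field of the ssh-rsa line, upper-cased and without colons. The Python 3 example below is added here and is not code from the answer, from Ansible or from Cisco: it derives the IOS key-hash from an OpenSSH public key line, emits the matching pubkey-chain configuration, and compares against a key-hash line copied from a switch. The sample input is the switch host key printed by show ip ssh in the question, joined back into one line; it is used only as a syntactically valid ssh-rsa blob, any user public key works the same way.

```python
"""Derive the IOS 'key-hash ssh-rsa <hex>' value from an OpenSSH public key
(added example, Python 3).  The IOS key-hash is MD5 over the SSH wire-format
key blob, which is what the base64 field of an OpenSSH public key line encodes.
"""
import base64
import hashlib
import struct

# Sample input: the switch host key from the question's 'show ip ssh' output,
# joined into one line.  Only its well-formedness matters here; any ssh-rsa
# public key line (e.g. ~/.ssh/id_rsa.pub) is handled identically.
SAMPLE_PUBKEY_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCqIKfBqGXuVdv0TbDT6fsPXC+zQ0/aeXBowhrgt4iV"
    "b43PtLxIxZgJaw+Ubc8QJ1pMToK+pABZnub4xbtTR8WoMDh5ruL1XRIDhPxc38DQ5YNfTalyUGL2rlXJ"
    "mZMeRWZ3R0NS6crat/ehC+vTl815yqbyEC7YWIVrRwfnDa2bjAD4ZB+i4E5zqAG1FqduW89h2jZmu7ww"
    "icOnjAg16nOUiI8QJdbsBue6zepcX+uWCTLb4ZBZsCTRfjqt7O/HVEDl9U0K7D4/d6lLijagsozVXYaZ"
    "wQSjlQ6FqXlgplo8rtFAMtH/SHr0ndfejeJmcp2+WRrZnMfMLCmLZNUHumAH"
)


def parse_openssh_pubkey(line):
    """Return (key_type, wire_blob) from an OpenSSH '<type> <base64> [comment]'
    line, checking that the blob's leading string names the same key type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type in blob does not match '%s'" % key_type)
    return key_type, blob


def ios_key_hash(line):
    """Return (key_type, digest): the 32 upper-case hex digits IOS wants after
    'key-hash <type>'.  MD5 is what the IOS syntax requires, not a choice."""
    key_type, blob = parse_openssh_pubkey(line)
    return key_type, hashlib.md5(blob).hexdigest().upper()


def ios_pubkey_chain_config(username, line):
    """IOS config lines binding this key to a user under 'ip ssh pubkey-chain'."""
    key_type, digest = ios_key_hash(line)
    return [
        "ip ssh pubkey-chain",
        " username %s" % username,
        "  key-hash %s %s" % (key_type, digest),
    ]


def key_hash_matches(line, ios_key_hash_line):
    """Compare a local public key line against a 'key-hash <type> <hex>' line
    copied from the switch; hex comparison is case-insensitive."""
    parts = ios_key_hash_line.split()
    if len(parts) != 3 or parts[0] != "key-hash":
        raise ValueError("expected 'key-hash <type> <hex>'")
    key_type, digest = ios_key_hash(line)
    return parts[1] == key_type and parts[2].upper() == digest


if __name__ == "__main__":
    for cfg_line in ios_pubkey_chain_config("ansible", SAMPLE_PUBKEY_LINE):
        print(cfg_line)
```

To cross-check against OpenSSH, recent ssh-keygen prints the same digest with ssh-keygen -l -E md5 -f id_rsa.pub, colon-separated; strip the colons and upper-case it to get the IOS form. If the hash on the switch does not match the key in private_key_file (or the one ssh-agent is offering), fix that before debugging the transport.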
$ ansible --version
ansible 2.4.0.0
This works for me:
Playbook:
---
- hosts: device.r1
  gather_facts: yes
  connection: local
  ignore_errors: yes
  tasks:
    - name: Load {{ inventory_hostname }} vars file
      include_vars: host_vars/{{ inventory_hostname }}.yml
    - name: obtain login credentials
      include_vars: ../auth/user.yml
    - name: define authentication provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ creds['username'] }}"
          ssh_keyfile: "{{ creds['ssh_keyfile'] }}"
    - name: Gather Facts
      vyos_facts:
        gather_subset: all
        provider: "{{ creds }}"
      register: vyos_response
    - name: version
      debug: msg="{{ vyos_response.ansible_facts.ansible_net_version }}"
For ../auth/user.yml:
---
creds:
  username: ansible_user
  ssh_keyfile: /home/ansible_user/.ssh/id_rsa_ansible_user
I will give this a shot and report back. – Patrick
Per the [docs](http://docs.ansible.com/ansible/latest/network_debug_troubleshooting.html#error-invalid-connection-specified-expected-connection-local-got-ssh), network modules require 'connection: local' (at least, that is what I could find). The switch does have 'username root' under the 'ip ssh pubkey-chain' entry. – Patrick