Windows

Ansible creates a user on Windows, appends ".EC2AMAZ-ELNOCH3" to the user name

  • December 15, 2020

I created a Windows Server 2019 AMI with Packer, using Ansible as the provisioner.

I added a user jenkins and copied the SSH files (public/private key, known_hosts, authorized_keys) to C:\Users\jenkins\.ssh.

This is the relevant part of my Ansible playbook:

   - name: Ensure user jenkins is present
     ansible.windows.win_user:
       name: jenkins
       password: ***REDACTED***
       state: present
       groups:
         - Users

   - name: Create directory structure
     ansible.windows.win_file:
       path: C:\Temp\
       state: directory

   - name: Allow write and execute access to User jenkins
     ansible.windows.win_acl:
       user: jenkins
       path: C:\Temp
       type: allow
       rights: ExecuteFile,Write

   - name: Copy SSH keys
     ansible.windows.win_copy:
       src: ./files/.ssh
       dest: C:\Users\jenkins
     vars:
       ansible_become_user: jenkins
       ansible_become_password: ***REDACTED***
       # The tmp dir must be set when using win_copy as another user
       # This ensures the become user will have permissions for the operation
       # Make sure to specify a folder both the ansible_user and the become_user have access to (i.e not %TEMP% which is user specific and requires Admin)
       ansible_remote_tmp: C:\Temp

I launch an EC2 instance from this AMI.

I log in with ssh:

ssh -i ~/.ssh/***REDACTED***.pem jenkins@ec2-***REDACTED***.compute.amazonaws.com -vvv

I am not logged in using the SSH key, but I can log in with the password.

This is the SSH debug log:

debug3: load_hostkeys: loaded 1 keys from ***REDACTED***
debug1: Host 'ec2-***REDACTED***.compute.amazonaws.com' is known and matches the ECDSA host key.
debug1: Found key in /home/amedee/.ssh/known_hosts:161
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/amedee/.ssh/***REDACTED***.pem  explicit
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/amedee/.ssh/***REDACTED***.pem
debug3: sign_and_send_pubkey: RSA SHA256:3OWWXRDheAUWZ9kxRiSJPvwFy1/Nh3//CdbLirDuFSM
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:3OWWXRDheAUWZ9kxRiSJPvwFy1/Nh3//CdbLirDuFSM
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: 
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
jenkins@***REDACTED***.compute.amazonaws.com's password:

Then Windows greets me like this:

Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>

So I am not logged in as user jenkins but as user jenkins.EC2AMAZ-ELNOCH3.

A user jenkins also exists:

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>dir .. 
Volume in drive C has no label.
Volume Serial Number is E43B-9F7E

Directory of C:\Users

12/11/2020  02:19 PM    <DIR>          .
12/11/2020  02:19 PM    <DIR>          ..
12/11/2020  01:51 PM    <DIR>          Administrator
12/11/2020  02:02 PM    <DIR>          jenkins
12/11/2020  02:22 PM    <DIR>          jenkins.EC2AMAZ-ELNOCH3 
12/12/2018  07:45 AM    <DIR>          Public
              0 File(s)              0 bytes
              6 Dir(s)  12,552,163,328 bytes free

It has the SSH files I copied with Ansible:

jenkins@EC2AMAZ-ELNOCH3 C:\Users\jenkins.EC2AMAZ-ELNOCH3>dir ..\jenkins\.ssh
Volume in drive C has no label.
Volume Serial Number is E43B-9F7E

Directory of C:\Users\jenkins\.ssh

12/11/2020  02:02 PM    <DIR>          .
12/11/2020  02:02 PM    <DIR>          ..
11/13/2020  10:57 AM             1,221 authorized_keys    
11/13/2020  10:57 AM             1,675 id_rsa
11/13/2020  10:57 AM               401 id_rsa.pub
11/13/2020  10:57 AM             7,962 known_hosts        
              4 File(s)         11,259 bytes
              2 Dir(s)  12,552,081,408 bytes free

When I try to connect with SSH using the user name with .EC2AMAZ-ELNOCH3 appended, I cannot log in with the password:

ssh -i ~/.ssh/***REDACTED***.pem jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com -vvv
.
.
.
debug1: Next authentication method: password
jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com's password: 
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
jenkins.EC2AMAZ-ELNOCH3@ec2-***REDACTED***.compute.amazonaws.com's password:

When I was logged in as user jenkins.EC2AMAZ-ELNOCH3, I copied the files from C:\Users\jenkins\.ssh\ to C:\Users\jenkins.EC2AMAZ-ELNOCH3\.ssh\ and disconnected. The next time I logged in with SSH, I could log in without a password, which proves that my SSH keys are correct but in the wrong directory.

I do not want this user jenkins.EC2AMAZ-ELNOCH3 to exist. How do I make sure that only the user jenkins exists?

FYI, I am only familiar with Linux, so if your answer contains advanced Windows terminology, please elaborate. The last Windows version I used was Windows 3.11. This is also the first time I have done anything with Ansible, but I am fairly confident I understand the gist of it.

Use community.windows.win_user_profile – Manages Windows user profiles. Create the home directory right after creating the user, and only then copy the files.

This is how to do it in Ansible:

   - name: Ensure user jenkins is present
     ansible.windows.win_user:
       name: jenkins
       password: ***REDACTED***
       state: present
       groups:
         - Users

   - name: Create a profile for user jenkins at C:\Users\jenkins
     community.windows.win_user_profile:
       username: jenkins
       name: jenkins
       state: present

   - name: Create directory structure
     ansible.windows.win_file:
       path: C:\Temp\
       state: directory

   - name: Allow write and execute access to User jenkins
     ansible.windows.win_acl:
       user: jenkins
       path: C:\Temp
       type: allow
       rights: ExecuteFile,Write

   - name: Copy SSH keys
     ansible.windows.win_copy:
       src: ./files/.ssh
       dest: C:\Users\jenkins
     vars:
       ansible_become_user: jenkins
       ansible_become_password: ***REDACTED***
       # The tmp dir must be set when using win_copy as another user
       # This ensures the become user will have permissions for the operation
       # Make sure to specify a folder both the ansible_user and the become_user have access to (i.e not %TEMP% which is user specific and requires Admin)
       ansible_remote_tmp: C:\Temp

jenkins@EC2AMAZ-ELNOCH3 means you are logged on as user jenkins on the machine EC2AMAZ-ELNOCH3. C:\Users\jenkins.EC2AMAZ-ELNOCH3 means that at logon Windows found the folder C:\Users\jenkins already existing, but not being the right one for the user jenkins; therefore Windows had to create a new user profile folder.

If you log on to a computer called bar with a local user account called foo, your default user profile folder would be C:\Users\foo; but if this folder already exists and Windows cannot map it to the actual user account (for whatever reason), it will create a new one; to bypass duplicate folder names, Windows appends the machine name to it, so the new user profile folder will be called C:\users\foo.bar.

This has nothing to do with the user name, which is still definitely foo.

As for why this happened, I don't know. But this is standard Windows behaviour with duplicate user profile folders.
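The two answers above explain the fix (create the profile with win_user_profile before copying files) and the cause (a folder under C:\Users that Windows could not map to the account). The following PowerShell check is an added example, not code from the question or the answers: it resolves the account's SID, reads the profile folder Windows actually mapped to it from the ProfileList registry key, and confirms authorized_keys sits under that folder. It assumes the account name jenkins from the question and an elevated session on the instance.

```powershell
# Added example, not code from the question or the answers above.
# Assumptions: the local account is 'jenkins' (taken from the question) and this
# runs in an elevated PowerShell session on the instance (ProfileList lives under HKLM).
$UserName        = 'jenkins'
$ExpectedProfile = "C:\Users\$UserName"

# ProfileList is keyed by SID, not by user name, so resolve the account's SID first.
$account = New-Object System.Security.Principal.NTAccount($UserName)
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# ProfileImagePath is the folder Windows actually mapped to this account when the profile was created.
$profileKey    = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
$actualProfile = (Get-ItemProperty -Path $profileKey -ErrorAction SilentlyContinue).ProfileImagePath

if (-not $actualProfile) {
    Write-Output "No profile registered for $UserName ($sid): the account has no profile yet."
    Write-Output "Create it (community.windows.win_user_profile) before copying files into $ExpectedProfile."
} elseif ($actualProfile -ine $ExpectedProfile) {
    Write-Output "Profile for $UserName is '$actualProfile', not '$ExpectedProfile'."
    Write-Output "A folder named $ExpectedProfile existed before the profile was created, so Windows appended the machine name."
} else {
    Write-Output "Profile for $UserName is mapped to $ExpectedProfile as expected."
}

# With the default sshd_config, Win32-OpenSSH reads authorized_keys from the mapped profile folder
# for accounts outside the Administrators group (members of Administrators use
# C:\ProgramData\ssh\administrators_authorized_keys instead), so a look-alike folder is never consulted.
if ($actualProfile) {
    $keysFile = Join-Path $actualProfile '.ssh\authorized_keys'
    if (Test-Path $keysFile) {
        Write-Output "authorized_keys found at $keysFile"
    } else {
        Write-Output "authorized_keys missing at $keysFile; public-key login will fall back to password."
    }
}

# Any folder under C:\Users named '<user>.<MACHINE>' is the duplicate-folder case described in the answer.
Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $_.Name -like "$UserName.*" } |
    ForEach-Object { Write-Output "Extra profile folder present: $($_.FullName)" }
```

Running this on the instance from the question would report the profile mapped to C:\Users\jenkins.EC2AMAZ-ELNOCH3 and authorized_keys missing there, which is exactly why the key was ignored and password authentication was offered instead.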

Quoted from: https://serverfault.com/questions/1045882