git 源代码管理中的 Ansible SSH 私钥?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/29392369/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Ansible SSH private key in source control?
提问by Alejandro Ricoveri
I have been developing an Ansible playbook for a couple of weeks, therefore, my experience with such technology is relatively short. Part of my strategy includes using a custom ansible_ssh_userfor provisioning hosts throughout the inventory, however, such user will need its own SSH key pair, which would involve some sort of a plan for holding/storing its correspondent private key. On a production environment, this playbook would be cloned/pulled and run inside a certain playbook nodewhose role is to provision the rest of the infrastructure.
我已经开发 Ansible playbook 几个星期了,因此,我对这种技术的经验相对较短。我的部分策略包括ansible_ssh_user在整个清单中使用自定义配置主机,但是,此类用户将需要自己的 SSH 密钥对,这将涉及某种持有/存储其对应私钥的计划。在生产环境中,该剧本将被克隆/拉取并在某个剧本节点内运行,该节点的作用是提供基础设施的其余部分。
At first, I was thinking to just put that private key inside the playbook git repository, but I am having second thoughts about it nonetheless, mostly because of somewhat obvious security reasons and common sense around it, hence the reason I need to consult you about this matter.
起初,我只是想把那个私钥放在剧本 git 存储库中,但我对它有第二个想法,主要是因为一些明显的安全原因和周围的常识,因此我需要咨询你的原因这件事。
With this set on the table, here are the follow-up questions:
有了这个设置,以下是后续问题:
- In an Ansible-based development environment, is it sane/reasonable to hold a private SSH key in source control?
- Would this practice be advised only for development environmentswhereas another local git branch inside the playbook nodewould be then used to hold the actual production SSH private key?
- Would it be better to address this case scenario via Ansible Vault instead?, I have not ever used this before, but regardless of that I cannot yet tell whether this would be a proper case for using it.
- In your experience, what would be your approach around this in a production environment?, what would it be considered as the best practice in this particular scenario?
- 在基于 Ansible 的开发环境中,在源代码控制中持有私有 SSH 密钥是否合理/合理?
- 这种做法是否仅适用于开发环境,而剧本节点内的另一个本地 git 分支将用于保存实际的生产 SSH 私钥?
- 通过 Ansible Vault 解决这种情况会更好吗?,我以前从未使用过它,但无论如何我还不能确定这是否是使用它的合适案例。
- 根据您的经验,您在生产环境中会采用什么方法来解决这个问题?在这种特定场景中,它会被视为最佳实践吗?
回答by Ben Whaley
It's a bad idea to store any kind of plaintext secret in revision control, SSH private keys included. Instead, use ansible-vault to store the private key.
在修订控制中存储任何类型的明文秘密都是一个坏主意,包括 SSH 私钥。相反,使用 ansible-vault 来存储私钥。
ansible-vaultcan operate on any file type. Just encrypt the file with
ansible-vault可以对任何文件类型进行操作。只需加密文件
ansible-vault encrypt /path/to/local/private_key
then install the key:
然后安装密钥:
- name: Install a private SSH key
vars:
source_key: /path/to/local/private_key
dest_key: /path/to/remote/private_key
tasks:
- name: Ensure .ssh directory exists.
file:
dest: "{{ dest_key | dirname }}"
mode: 0700
owner: user
state: directory
- name: Install ssh key
copy:
src: "{{ source_key }}"
dest: "{{ dest_key }}"
mode: 0600
owner: user
Earlier versions of ansible-vault would only operate on variables defined in var files, so you had to do something like this:
早期版本的 ansible-vault 只会对 var 文件中定义的变量进行操作,因此您必须执行以下操作:
ssh_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
key_file: /home/user/.ssh/id_rsa
Encrypt with ansible-vault:
使用 ansible-vault 加密:
ansible-vault encrypt /path/to/var_file
And install the key:
并安装密钥:
- name: Ensure .ssh directory exists.
file:
dest: "{{ key_file | dirname }}"
mode: 0700
owner: user
state: directory
- name: Install ssh key
copy:
content: "{{ ssh_key }}"
dest: "{{ key_file }}"
mode: 0600
owner: user
Thanks to all those below who improved the answer with their comments.
感谢以下所有通过评论改进答案的人。
回答by gmoon
Since you are provisioning from scratch, you should generatethe private/public key pair on the playbook nodeand then distribute the public key via the authorized_keysmodule. This would eliminate the need to store a secret anywhere except on the host where it is needed. Here is a playbook to achieve this, which would be executed on the playbook node:
由于您是从头开始配置,您应该在playbook 节点上生成私钥/公钥对,然后通过模块分发公钥。这将消除在需要它的主机上以外的任何地方存储秘密的需要。这是实现此目的的剧本,它将在剧本节点上执行:authorized_keys
---
- hosts: 127.0.0.1
sudo: yes
gather_facts: no
tasks:
- name: create ansible_ssh_user locally
user: name=ansible_ssh_user generate_ssh_key=yes ssh_key_bits=2048 ssh_key_file=.ssh/id_rsa
- name: copy the generated public key to an accessible location for the next play
shell: cp ~ansible_ssh_user/.ssh/id_rsa.pub /tmp/ansible_ssh_user.pub
- hosts: all
sudo: yes
gather_facts: no
tasks:
- name: create ansible_ssh_user
user: name=ansible_ssh_user groups=group1,group2
- name: Add RSA public key to the remote host
authorized_key: user=ansible_ssh_user key="{{ lookup('file', '/tmp/ansible_ssh_user.pub') }}"
- hosts: 127.0.0.1
sudo: yes
gather_facts: no
tasks:
- name: remove public key from /tmp
shell: rm /tmp/ansible_ssh_user.pub
...
