SSH setup for using Ansible
These are the SSH settings you need when using Ansible.
Generating the SSH public/private key pair
First and foremost, logging in with key authentication is required, so create a public key and a private key.
% ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/kzdev/.ssh/id_rsa): /Users/kzdev/.ssh/iscdhcp/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/kzdev/.ssh/iscdhcp/id_rsa.
Your public key has been saved in /Users/kzdev/.ssh/iscdhcp/id_rsa.pub.
The key fingerprint is:
SHA256:mQUfAGwyCJ68bFD9gQvkozUTZNiPZyhiTknP5+Wgr4s kzdev@MacBook-Pro
The key's randomart image is:
+---[RSA 4096]----+
|.**o o..o.. |
|+==.= + o . |
|o+X= * . o |
|=*+*=o.. + |
|*= o+ + S |
|.. . . . |
| . |
| . . |
| E oo |
+----[SHA256]-----+
Registering the public key on the target server
Register the public key you created on the server that is to be provisioned.
% ssh-copy-id -i /Users/kzdev/.ssh/iscdhcp/id_rsa.pub root@10.211.55.6
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/kzdev/.ssh/iscdhcp/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.211.55.6's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.211.55.6'"
and check to make sure that only the key(s) you wanted were added.
Checking the SSH connection
Confirm that you can now connect over SSH without entering a password.
% ssh -i /Users/kzdev/.ssh/iscdhcp/id_rsa root@10.211.55.6
Last login: Sat Aug 4 01:34:38 2018 from 10.211.55.2
[root@localhost ~]#
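SSH settings on the target server
That completes the minimum preparation, but since logins are basically done with key authentication, turn password authentication OFF. From a security standpoint as well, password authentication is exposed to various vulnerabilities, so I think it is better to turn it off.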
[root@localhost ~]# sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
[root@localhost ~]# sed -i -e 's/^ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
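The sed commands above only change a line that is already active and set to yes. The following added example (not from the original post) goes further and also covers a directive that is commented out, missing, or followed by a Match block; the function name set_sshd_option is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post.
# set_sshd_option FILE KEY VALUE   (hypothetical helper name)
# Leaves exactly one active global "KEY VALUE" line in FILE.
# sshd uses the first value it reads for a keyword, and anything after a
# "Match" line is conditional, so the setting has to come before both.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { want = tolower(key) }      # keywords are case-insensitive
        {
            line = $0
            commented = (line ~ /^[ \t]*#/)
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and one "#"
            sub(/[ \t]+$/, "", line)
            n = split(line, f, /[ \t]+/)
            word = tolower(f[1])
        }
        # Reached the first Match block without a setting: insert before it.
        !commented && word == "match" && !done { print key " " value; done = 1 }
        !commented && word == "match" { in_match = 1 }
        # Active or commented-out "KEY <value>" line in the global section.
        # n == 2 keeps prose comments that merely mention the keyword.
        !in_match && word == want && n == 2 {
            if (!done) { print key " " value; done = 1 }
            next                           # drop later duplicates
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on the target server (as root):
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication no
```

After editing, `sshd -t` checks the file for syntax errors, and sshd has to be reloaded before the change takes effect. `sshd -T` prints the effective settings, and any `PasswordAuthentication yes` inside a Match block is left untouched by this helper and should be reviewed separately.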