a tomato

I love tomatoes

SSH setup for using Ansible

These are the SSH settings you need in place before using Ansible.

Generating a public/private key pair for SSH

First and foremost, key-based login is required, so we create a public key and a private key.

% ssh-keygen -t rsa -b 4096                        
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/kzdev/.ssh/id_rsa): /Users/kzdev/.ssh/iscdhcp/id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/kzdev/.ssh/iscdhcp/id_rsa.
Your public key has been saved in /Users/kzdev/.ssh/iscdhcp/id_rsa.pub.
The key fingerprint is:
SHA256:mQUfAGwyCJ68bFD9gQvkozUTZNiPZyhiTknP5+Wgr4s kzdev@MacBook-Pro
The key's randomart image is:
+---[RSA 4096]----+
|.**o o..o..      |
|+==.= +  o .     |
|o+X= * .  o      |
|=*+*=o.. +       |
|*= o+ + S        |
|.. . . .         |
|    .            |
|  .  .           |
| E oo            |
+----[SHA256]-----+

Registering the public key on the target server

Register the public key we just created on the server that will be provisioned.

% ssh-copy-id -i  /Users/kzdev/.ssh/iscdhcp/id_rsa.pub  root@10.211.55.6          
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/kzdev/.ssh/iscdhcp/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.211.55.6's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'root@10.211.55.6'"
and check to make sure that only the key(s) you wanted were added.

Verifying the SSH connection

Confirm that an SSH connection now works without entering a password.

% ssh -i /Users/kzdev/.ssh/iscdhcp/id_rsa root@10.211.55.6            
Last login: Sat Aug  4 01:34:38 2018 from 10.211.55.2
[root@localhost ~]# 

SSH settings on the target side

This completes the minimum preparation, but since we will log in with key authentication from now on, we turn password authentication OFF. From a security standpoint, too, password authentication exposes the host to all sorts of attacks, so I think it is better to switch it off.

[root@localhost ~]# sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
[root@localhost ~]# sed -i -e 's/^ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
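The two sed one-liners above only rewrite a line that is already active and spelled exactly `PasswordAuthentication yes`; on distributions whose default config ships the directive commented out (`#PasswordAuthentication yes`) they silently change nothing, and a directive appended blindly to the end of the file may land inside a `Match` block. The script below is an added example (not from the original post) that sets an sshd_config directive idempotently under those conditions and reads the effective global value back. The helper names `set_sshd_option`, `get_sshd_option`, `harden_sshd_config` and `write_sample_config` are assumptions, and the sample config it edits is constructed inline; it uses only `awk`, so it runs the same on GNU and BSD userlands.

```shell
#!/bin/sh
# Added example, not from the original post: edit sshd_config directives
# idempotently, covering cases the post's sed one-liner does not
# (commented-out defaults such as "#PasswordAuthentication yes", a missing
# directive, and a trailing "Match" block that must not swallow the new line).
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first active or commented occurrence of KEY in the global
# section, drops later global duplicates (sshd honours the first value it
# reads, so duplicates only mislead), or inserts "KEY VALUE" before the first
# "Match" block / at end of file when KEY is absent.
set_sshd_option() {
  file=$1; key=$2; value=$3
  tmp="$file.tmp.$$"
  awk -v key="$key" -v value="$value" '
    BEGIN { lkey = tolower(key); done = 0; inmatch = 0 }
    {
      raw = $0; sub(/^[[:space:]]+/, "", raw)
      # an active "Match" line ends the global section
      if (!inmatch && tolower(raw) ~ /^match([[:space:]]|$)/) {
        if (!done) { print key " " value; done = 1 }
        inmatch = 1
      }
      line = $0; sub(/^[#[:space:]]+/, "", line)   # treat "#Key val" as a hit too
      if (!inmatch && tolower(line) ~ ("^" lkey "([[:space:]]|=)")) {
        if (!done) { print key " " value; done = 1 }
        next
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the effective global value of KEY (first active occurrence; anything
# after a "Match" line is block-scoped and ignored here).
get_sshd_option() {
  awk -v lkey="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/^[[:space:]]+/, "", line); low = tolower(line) }
    low ~ /^match([[:space:]]|$)/ { exit }
    low ~ ("^" lkey "([[:space:]]|=)") {
      sub(/^[^[:space:]=]+[[:space:]=]+/, "", line); print line; exit
    }
  ' "$1"
}

# harden_sshd_config FILE: the post's goal, key authentication only.
harden_sshd_config() {
  set_sshd_option "$1" PubkeyAuthentication yes
  set_sshd_option "$1" PasswordAuthentication no
  set_sshd_option "$1" ChallengeResponseAuthentication no
}

# write_sample_config FILE: a constructed sample that mimics a distro default
# (directive commented out, a duplicate left active, a Match block at the end).
write_sample_config() {
  cat > "$1" <<'EOF'
# Sample sshd_config (constructed for this example)
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo run on the constructed sample (never on the live /etc/ssh/sshd_config).
sample="${TMPDIR:-/tmp}/sshd_config.example.$$"
write_sample_config "$sample"
harden_sshd_config "$sample"
echo "--- hardened sample ---"
cat "$sample"
echo "PasswordAuthentication -> $(get_sshd_option "$sample" PasswordAuthentication)"
rm -f "$sample"
```

Before applying this to a real host, run `sshd -t -f <file>` on the edited copy so a syntax error cannot lock you out, keep the current SSH session open while you restart sshd, and confirm from a second terminal that key login still works and that a password login is now refused.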