# [VERT] Estabelecendo relação de confiança usando Ansible e Python - SSH

Todos os comandos devem ser executados da máquina de gerência.

# Pré-requisito Git ```bash= cd cd vert_suporte/

Python

[root@sofia031 tools]# python -V
Python 2.7.5

Ansible

[root@sofia031 ~]# ansible --version
ansible 2.10.6.post0
  config file = None
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible_base-2.10.6.post0-py2.7.egg/ansible
  executable location = /bin/ansible
  python version = 2.7.5 (default, Aug 13 2020, 02:51:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
[root@sofia031 ~]# export ANSIBLE_HOST_KEY_CHECKING=False

Nota: `ANSIBLE_HOST_KEY_CHECKING=False` faz o Ansible aceitar a chave de host de qualquer servidor sem conferi-la, de modo que a senha de become e o hash da nova senha de root são enviados por conexões cujo destino não foi autenticado. É preferível registrar antes as chaves dos hosts em `known_hosts`, conferindo os fingerprints, e manter a verificação ativa.

Trocar chave de usuário comum - Python

1 - Criar chaves ssh - root:

[root@sofia031 ~]$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): <ENTER> Enter passphrase (empty for no passphrase): <ENTER> Enter same passphrase again: <ENTER> Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:Nq2ifaq5IR/6g5VxTwJnETQvKhQ9TctUDx5+0COcCZs sofia@sofia031.infra.rio.gov.br The key's randomart image is: +---[RSA 2048]----+ | .. +O*=+ | | .+o+O==o | | . =E +.o. | | . ..o..o | | . .+ +S . | | .o ..o | | .oo . . | | .+.* .. 
| | ..B+oo | +----[SHA256]-----+ 2 - Criando arquivo com todos os hosts [root@sofia031 ~]# cd /Gerencia/vert_suporte/tools [root@sofia031 tools]# vim ssh-hosts.txt sofia032.infra.rio.gov.br sofia033.infra.rio.gov.br sofia034.infra.rio.gov.br sofia035.infra.rio.gov.br sofia036.infra.rio.gov.br sofia037.infra.rio.gov.br sofia038.infra.rio.gov.br sofia039.infra.rio.gov.br sofia040.infra.rio.gov.br sofia041.infra.rio.gov.br sofia042.infra.rio.gov.br sofia043.infra.rio.gov.br sofia044.infra.rio.gov.br sofia045.infra.rio.gov.br sofia046.infra.rio.gov.br sofia047.infra.rio.gov.br sofia048.infra.rio.gov.br sofia049.infra.rio.gov.br sofia050.infra.rio.gov.br 3 - Enviar chave publica do usuário host para os hosts cadastrados em ssh-hosts.txt [root@sofia031 tools]# python ssh-copy-id.py Username:sofia Password: [root@sofia031 tools]# ssh sofia@sofia032.infra.rio.gov.br Last login: Fri Mar 5 16:53:20 2021 from 10.70.26.40 [sofia@sofia032 ~]$ exit logout Connection to sofia032.infra.rio.gov.br closed. [root@sofia031 tools]# ssh sofia@sofia033.infra.rio.gov.br Last login: Fri Mar 5 20:01:14 2021 from 10.70.26.40 [sofia@sofia033 ~]$ exit logout Connection to sofia033.infra.rio.gov.br closed. 
[root@sofia031 tools]# ssh sofia@sofia034.infra.rio.gov.br Last login: Fri Mar 5 21:45:32 2021 from 10.70.26.40 [sofia@sofia034 ~]$

4 - Conhecendo script python: ssh-copy-id.py

```python
#!/usr/bin/python
import os
from getpass import getpass
import paramiko

def deploy_key(key, server, username, password):
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    client.connect(server, username=username, password=password)
    client.exec_command('mkdir -p ~/.ssh/')
    client.exec_command('echo "%s" > ~/.ssh/authorized_keys' % key)
    client.exec_command('chmod 644 ~/.ssh/authorized_keys')
    client.exec_command('chmod 700 ~/.ssh/')

key = open(os.path.expanduser('/root/.ssh/id_rsa.pub')).read()
#username = getuser()
username = raw_input("Username:")
password = getpass()
with open("ssh-hosts.txt", "r") as grilled_cheese:
    linhas = grilled_cheese.readlines()
hosts = []
for h in linhas:
    hosts.append(h.replace("\n", ""))
for host in hosts:
    deploy_key(key, host, username, password)
```

Pontos de atenção neste script:

- `paramiko.AutoAddPolicy()` aceita qualquer chave de host desconhecida, e a senha é enviada nessa mesma conexão. O mais seguro é carregar um `known_hosts` já conferido (`client.load_system_host_keys()`) e recusar hosts desconhecidos (`paramiko.RejectPolicy()`).
- `echo "%s" > ~/.ssh/authorized_keys` sobrescreve o arquivo e remove as chaves que o usuário já tinha autorizado; `>>` preserva as existentes.
- `chmod 644` deixa o `authorized_keys` legível por outros usuários do host; o usual é `600`.
- `exec_command` retorna sem esperar o comando terminar e o script não verifica o código de saída, então a ordem dos quatro comandos não é garantida e uma falha passa despercebida. Chamar `recv_exit_status()` no canal de cada comando resolve os dois pontos.
- O script usa `raw_input`, portanto só roda em Python 2.

Alterar a Senha de root - Ansible

Criar arquivo de inventário

[root@sofia031 ~]# cd /Gerencia/vert_suporte/
[root@sofia031 ~]# vim hosts/hadoop.ini

```ini
[hadoop-all]
sofia032.infra.rio.gov.br
sofia033.infra.rio.gov.br
sofia034.infra.rio.gov.br
sofia035.infra.rio.gov.br
sofia036.infra.rio.gov.br
sofia037.infra.rio.gov.br
sofia038.infra.rio.gov.br
sofia039.infra.rio.gov.br
sofia040.infra.rio.gov.br
sofia041.infra.rio.gov.br
sofia042.infra.rio.gov.br
sofia043.infra.rio.gov.br
sofia044.infra.rio.gov.br
sofia045.infra.rio.gov.br
sofia046.infra.rio.gov.br
sofia047.infra.rio.gov.br
sofia048.infra.rio.gov.br
sofia049.infra.rio.gov.br
sofia050.infra.rio.gov.br
```

Conhecendo playbook de alteração de senha de root

[root@sofia031 vert_suporte]# vim playbook/altera_senha_root.yml

```yaml
---
- name: Alterar senha de root
  hosts: hadoop-all
  user: sofia
  become: yes
  vars_prompt:
    - name: nova_senha_root
      prompt: "Digite a nova senha de root"
      private: yes
  vars:
    root_password: "{{ nova_senha_root }}"
    root_password_salt: afEMnMOBZgYNhoqA
  tasks:
    - name: Alterando senha de root
      user:
        name: root
        password: "{{nova_senha_root | password_hash(salt=root_password_salt) }}"
```

Pontos de atenção neste playbook:

- O sal fixo em `root_password_salt` mantém a tarefa idempotente, mas faz todos os hosts receberem o mesmo hash de senha, e o valor fica exposto junto com o playbook; um sal conhecido e repetido facilita ataques de dicionário pré-computados contra esse hash. Um sal distinto por host (por exemplo, derivado de `inventory_hostname`) e mantido fora da documentação evita a repetição.
- A variável `root_password` é declarada em `vars`, mas a tarefa usa `nova_senha_root` diretamente.
- `password_hash` é chamado sem o tipo de hash; informá-lo explicitamente evita depender do valor padrão do filtro.

Executando playbook de alteração de senha de root

[root@sofia031 vert_suporte]# ansible-playbook -i hosts/hadoop.ini playbook/altera_senha_root.yml --ask-become-pass
BECOME password: <SENHA DO USUÁRIO "sofia">
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details Digite a nova senha de root: <NOVA SENHA DO USUÁRIO ROOT> PLAY [Alterar senha de root] *************************************************************************** TASK [Gathering Facts] ********************************************************************************* ok: [sofia033.infra.rio.gov.br] ok: [sofia032.infra.rio.gov.br] ok: [sofia034.infra.rio.gov.br] ok: [sofia035.infra.rio.gov.br] ok: [sofia036.infra.rio.gov.br] ok: [sofia038.infra.rio.gov.br] ok: [sofia039.infra.rio.gov.br] ok: [sofia037.infra.rio.gov.br] ok: [sofia040.infra.rio.gov.br] ok: [sofia041.infra.rio.gov.br] ok: [sofia043.infra.rio.gov.br] ok: [sofia044.infra.rio.gov.br] ok: [sofia042.infra.rio.gov.br] ok: [sofia045.infra.rio.gov.br] ok: [sofia046.infra.rio.gov.br] ok: [sofia047.infra.rio.gov.br] ok: [sofia048.infra.rio.gov.br] ok: [sofia049.infra.rio.gov.br] ok: [sofia050.infra.rio.gov.br] TASK [Alterando senha de root] ************************************************************************* ok: [sofia033.infra.rio.gov.br] changed: [sofia032.infra.rio.gov.br] changed: [sofia035.infra.rio.gov.br] changed: [sofia034.infra.rio.gov.br] changed: [sofia036.infra.rio.gov.br] changed: [sofia038.infra.rio.gov.br] changed: [sofia037.infra.rio.gov.br] changed: [sofia039.infra.rio.gov.br] changed: [sofia040.infra.rio.gov.br] changed: [sofia041.infra.rio.gov.br] changed: [sofia043.infra.rio.gov.br] changed: [sofia044.infra.rio.gov.br] changed: [sofia042.infra.rio.gov.br] changed: [sofia045.infra.rio.gov.br] changed: [sofia046.infra.rio.gov.br] changed: 
[sofia047.infra.rio.gov.br] changed: [sofia048.infra.rio.gov.br] changed: [sofia049.infra.rio.gov.br] changed: [sofia050.infra.rio.gov.br] PLAY RECAP ********************************************************************************************* sofia032.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia033.infra.rio.gov.br : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia034.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia035.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia036.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia037.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia038.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia039.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia040.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia041.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia042.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia043.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia044.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia045.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia046.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia047.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia048.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia049.infra.rio.gov.br : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 sofia050.infra.rio.gov.br : 
ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@sofia031 vert_suporte]#

Testar nova senha

[root@sofia031 vert_suporte]# ssh root@sofia034.infra.rio.gov.br
root@sofia034.infra.rio.gov.br's password: <NOVA SENHA>
Last login: Mon Mar 1 08:27:29 2021 from valhalla.rio.rj.gov.br
[root@sofia034 ~]# exit
logout
Connection to sofia034.infra.rio.gov.br closed.
[root@sofia031 vert_suporte]# ssh root@sofia035.infra.rio.gov.br
root@sofia035.infra.rio.gov.br's password: <NOVA SENHA>
Last login: Mon Mar 1 08:27:30 2021 from valhalla.rio.rj.gov.br
[root@sofia035 ~]# exit
logout
Connection to sofia035.infra.rio.gov.br closed.
[root@sofia031 vert_suporte]#

Trocar chave de usuário root - Python

Executando ssh-copy-id.py nos hosts já configurados anteriormente

[root@sofia031 ~]# cd /Gerencia/vert_suporte/tools/
[root@sofia031 tools]# python ssh-copy-id.py
Username:root
Password: <SENHA NOVA DE ROOT>

Nota: nesta execução o script grava a chave pública no `~/.ssh/authorized_keys` de root usando `>`, o que substitui qualquer chave que root já tivesse autorizada em cada host. Como a chave privada `/root/.ssh/id_rsa` foi criada sem passphrase, ela passa a equivaler ao acesso de root a todos os hosts de `ssh-hosts.txt`, e o acesso à máquina de gerência precisa ser restrito na mesma medida. Depois de validar o acesso por chave, o login de root por senha via SSH pode ser desativado com `PermitRootLogin prohibit-password` no `sshd_config`.

Testando acesso sem senha de root

[root@sofia031 tools]# ssh root@sofia034.infra.rio.gov.br
Last login: Fri Mar 5 22:12:04 2021 from 10.70.26.40
[root@sofia034 ~]# exit
logout
Connection to sofia034.infra.rio.gov.br closed.
[root@sofia031 tools]# ssh root@sofia035.infra.rio.gov.br
Last login: Fri Mar 5 22:12:18 2021 from 10.70.26.40
[root@sofia035 ~]# exit
logout
Connection to sofia035.infra.rio.gov.br closed.
[root@sofia031 tools]# ssh root@sofia050.infra.rio.gov.br
Last login: Mon Mar 1 10:52:08 2021 from valhalla.rio.rj.gov.br