起因
线上环境是在内网,登陆线上环境需要使用 VPN + 堡垒机 登陆,但是我日常登陆线上环境都是 VPN + 堡垒机 + Socks5常驻代理,在shell端只需要保存会话,会话使用socks5代理即可无缝ssh到线上服务器。
今天来发现无法登陆服务器,但是ssh *** -f -N ****@**** 建立后台socks的方式并不会把密码过期的问题暴露出来,经过多次尝试,手动登陆服务器才发现用于登陆服务器的密码已过期。
手动更新密码后问题恢复。
解决问题
由于这一批服务器都存在密码过期的问题,所以打算尝试使用 Ansible 来批量登陆服务器更新密码。
https://github.com/ansible/ansible/issues/1619 受到国外大神的解答,尝试进行处理。
使用 Ansible expect 模块来进行处理。
python 需要安装 pexpect 包。
pip install pexpect
正常手动操作的console返回信息如下:
You are required to change your password immediately (password aged)
Last login: Thu Aug 13 11:23:46 2020 from 1*.*.*7
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user sysadmin.
Changing password for sysadmin.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
playbook task 内容:
- name: Set password if expired
delegate_to: 127.0.0.1
become: no
expect:
command: ssh {{ ansible_ssh_common_args }} {{ ansible_user }}@{{ inventory_hostname }}
timeout: 10
responses:
"password:":
# we couldn't keep the same old password
- "{{ ansible_ssh_pass_old }}"
- "{{ ansible_ssh_pass }}"
- "{{ ansible_ssh_pass }}"
# if succesfully login then quit
"\~\]\$": exit
register: status
changed_when: "'authentication tokens updated successfully' in status.stdout"
按照大神的解答,进行尝试过后,发现行不通,提示如下:
You are required to change your password immediately (password aged)
Last login: Thu Aug 13 11:23:46 2020 from 1*.*.*7
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user sysadmin.
Changing password for sysadmin.
(current) UNIX password:
passwd: Authentication token manipulation error
认真理解了一番,发现,reponses里面少了一次键入密码的机会,我的环境是通过密码认证登录的 ,如果是使用秘钥登录,即ansible_ssh_common_args 应配置为秘钥方式,更正后如下:
- name: Set password if expired
delegate_to: 127.0.0.1
become: no
expect:
command: ssh {{ ansible_ssh_common_args }} {{ ansible_user }}@{{ inventory_hostname }}
timeout: 10
responses:
"(?i)password:":
# we couldn't keep the same old password
- "{{ ansible_ssh_pass_old }}"
- "{{ ansible_ssh_pass_old }}"
- "{{ ansible_ssh_pass }}"
- "{{ ansible_ssh_pass }}"
# if succesfully login then quit
"\~\]\$": exit
register: status
changed_when: "'authentication tokens updated successfully' in status.stdout"
解释:
第一次键入 ansible_ssh_pass_old 为 command ssh 的登录密码。
第二次键入 ansible_ssh_pass_old 为 提示过期输入当前密码。
第三次键入 ansible_ssh_pass 为 新密码。
第四次键入 ansible_ssh_pass 为 确认新密码。
结果测试
ansible-playbook 功能测试结果:
STDOUT:
Warning: Permanently added 'm******o' (ECDSA) to the list of known hosts.
symin@m******o's password:
You are required to change your password immediately (password aged)
Last login: Fri Jul 31 10:46:38 2020 from 1*.*.*.*7
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user sysadmin.
Changing password for sysadmin.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to m*****o closed.
大功告成。