====== Creating a user with SSH key access ======

===== SSH Key =====

<code>
$ ssh-keygen -t ed25519 -f suporte
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in suporte
Your public key has been saved in suporte.pub
The key fingerprint is:
SHA256:lBD+Y/I+Y+fi/vCBK7l3HckS4jxFXRsF7qK/2r2t7vw vagrant@automation
The key's randomart image is:
+--[ED25519 256]--+
| o. . .+o.|
| . . .. .. o |
| . o. o |
| o. o . |
| .oSo o... |
| ++o..+. |
| .+.oo . |
| o.*+o+.o . |
| .B=O=.++B+E|
+----[SHA256]-----+
</code>

===== Playbook =====

<code>
$ vim user-ssh-key.yaml
</code>

<code yaml>
---
- name: Manage user accounts
  hosts: all
  tasks:
    # Create the account with a login shell
    - name: Add user
      user:
        name: suporte
        comment: "Suporte User"
        shell: /bin/bash
        state: present

    # Install the public key generated above into ~suporte/.ssh/authorized_keys
    - name: Set authorized SSH key
      authorized_key:
        user: suporte
        state: present
        key: "{{ lookup('file', './suporte.pub') }}"

    # Drop-in sudoers rule: passwordless root for suporte on every host.
    # visudo validates the file before it is put in place.
    - name: Add SUDO
      lineinfile:
        path: /etc/sudoers.d/suporte
        line: "suporte ALL=(ALL) NOPASSWD:ALL"
        state: present
        mode: '0440'
        create: yes
        validate: '/usr/sbin/visudo -cf %s'
</code>

<code>
$ sudo ansible-playbook --syntax-check user-ssh-key.yaml

playbook: user-ssh-key.yaml
</code>

<code>
$ sudo ansible-playbook user-ssh-key.yaml

PLAY [Manage user accounts] ******************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************
ok: [10.240.100.30]
ok: [10.240.100.20]
ok: [10.240.100.10]

TASK [Add user] ******************************************************************************************************************************************************
changed: [10.240.100.10]
changed: [10.240.100.30]
changed: [10.240.100.20]

TASK [Set authorized SSH key] ****************************************************************************************************************************************
changed: [10.240.100.30]
changed: [10.240.100.10]
changed: [10.240.100.20]

TASK [Add SUDO] ******************************************************************************************************************************************************
changed: [10.240.100.10]
changed: [10.240.100.30]
changed: [10.240.100.20]

PLAY RECAP ***********************************************************************************************************************************************************
10.240.100.10 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.240.100.20 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.240.100.30 : ok=4 changed=3 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
</code>

<code>
$ ssh -i suporte suporte@10.240.100.30
Linux deb-vm-03 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

$ sudo -l
Entradas de Defaults correspondentes a suporte em deb-vm-03:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Usuário suporte pode executar os seguintes comandos em deb-vm-03:
    (ALL) NOPASSWD: ALL
</code>

===== Removing the user =====

<code>
$ cat user-remove.yaml
</code>

<code yaml>
---
- name: Remove user and files
  hosts: all
  tasks:
    # Delete the account together with its home directory
    - name: Remove user
      user:
        name: suporte
        state: absent
        remove: yes
        force: true

    # Delete the sudoers drop-in so no rule outlives the account
    - name: Remove SUDO file
      file:
        path: /etc/sudoers.d/suporte
        state: absent
</code>

<code>
$ sudo ansible-playbook user-remove.yaml

PLAY [Remove user and files] *****************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************
ok: [10.240.100.30]
ok: [10.240.100.20]
ok: [10.240.100.10]

TASK [Remove user] ***************************************************************************************************************************************************
ok: [10.240.100.30]
ok: [10.240.100.10]
ok: [10.240.100.20]

TASK [Remove SUDO file] **********************************************************************************************************************************************
changed: [10.240.100.30]
changed: [10.240.100.10]
changed: [10.240.100.20]

PLAY RECAP ***********************************************************************************************************************************************************
10.240.100.10 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.240.100.20 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.240.100.30 : ok=3 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
</code>
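
In the removal run above, "Remove user" reports ok while "Remove SUDO file" reports changed, so the sudoers rule was still on disk for an account that no longer existed. The following check is an added example, not part of the original page: the function name and the finding labels are assumptions made here, and it audits a sudoers drop-in directory for orphaned rules, passwordless ALL grants and wrong file modes.

```bash
#!/usr/bin/env bash
# Added example: audit sudoers drop-ins such as /etc/sudoers.d/suporte.
# Assumes GNU stat (Debian, as on the page). Paths are parameters so the
# check can run on copies; NOPASSWD matching is a simple heuristic.

# audit_sudoers_dropins [DIR] [PASSWD_FILE] prints one finding per line:
#   MODE <file> <mode>          drop-in is not mode 0440
#   ORPHAN <file> <user>        rule names a user missing from PASSWD_FILE
#   NOPASSWD_ALL <file> <user>  rule grants passwordless ALL
audit_sudoers_dropins() {
    local dir="${1:-/etc/sudoers.d}" passwd="${2:-/etc/passwd}"
    local f mode user rest
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        [ "$mode" = "440" ] || echo "MODE $f $mode"
        while read -r user rest || [ -n "$user" ]; do
            # Skip blanks, comments, includes, group rules, Defaults, aliases.
            case "$user" in
                ''|'#'*|'@'*|'%'*|Defaults*|*_Alias) continue ;;
            esac
            cut -d: -f1 "$passwd" | grep -qxF -- "$user" \
                || echo "ORPHAN $f $user"
            case "$rest" in
                *NOPASSWD:*ALL*) echo "NOPASSWD_ALL $f $user" ;;
            esac
        done < "$f"
    done
    return 0
}

# Constructed fixture: the rule from the playbook, no matching account.
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
printf 'suporte ALL=(ALL) NOPASSWD:ALL\n' > "$demo/sudoers.d/suporte"
chmod 0440 "$demo/sudoers.d/suporte"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo/passwd"
audit_sudoers_dropins "$demo/sudoers.d" "$demo/passwd"
rm -rf "$demo"
```

Called without arguments as root, the function reads the live /etc/sudoers.d and /etc/passwd.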