Asked by: 01Tech   Asked: 10/25/2023   Last edited by: 01Tech   Updated: 11/15/2023   Views: 78
Ansible Playbook lineinfile insertafter is placed at end of file rather than designated destination
Q:
I have a task in my playbook where I want to add a new line and place it after a particular line, but after I run it, the line is added to the bottom of the file instead of where I want it. Any idea why it keeps ending up at the end of my file? There are 41 lines in total in the sshd_config file.
- name: Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file
  lineinfile:
    path: /etc/ssh/sshd_config
    line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
    insertafter: '17'
    state: present
    create: true
  become: true
  become_method: sudo
Result:
Protocol 2
ListenAddress 127.0.0.1
ListenAddress 10.224.122.141
SyslogFacility AUTHPRIV
LogLevel VERBOSE
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication yes
[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr
[email protected],[email protected],[email protected],hmac-sha2-256,[email protected],hmac-sha2-512
KexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1
HostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected]
ChallengeResponseAuthentication no
GSSAPIAuthentication no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding no
AllowTCPForwarding yes
AllowAgentForwarding yes
ClientAliveCountMax 0
ClientAliveInterval 900
Banner /etc/issue
Subsystem sftp /usr/libexec/openssh/sftp-server
DenyGroups service
Match User AWS_GDIT_Nessus,AWS_GDIT_Retina,AWS_IP360,nessus_service
PasswordAuthentication yes
Match Group ansible
PasswordAuthentication no
GSSAPIAuthentication no
KerberosAuthentication no
PubkeyAuthentication yes
GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
sh-4.4$
Emros's correction:
- name: Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file
  lineinfile:
    path: /etc/ssh/sshd_config
    line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
    insertafter: '^.*MACs=hmac-sha2-256'
    state: present
    create: true
  become: true
  become_method: sudo
Full Ansible playbook:
---
- name: MAC SSH Vulnerability FIX
  hosts: all
  tasks:
    - name: Backing up /etc/ssh/sshd_config
      shell: cp -prf /etc/ssh/sshd_config /etc/ssh/sshd_config.10-19-23
      become: true
      become_method: sudo
    - name: Uncomment the CRYPTO_POLICY setting in /etc/sysconfig/sshd file
      replace:
        path: /etc/sysconfig/sshd
        regexp: '# CRYPTO_POLICY='
        replace: 'CRYPTO_POLICY='
      become: true
      become_method: sudo
    - name: Updating ciphers directive in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Ciphers'
        line: '[email protected],[email protected],aes256-ctr,[email protected],aes128-ctr'
      become: true
      become_method: sudo
    - name: Updating MACs directive in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^Macs'
        line: '[email protected],[email protected],[email protected],hmac-sha2-256,[email protected],hmac-sha2-512'
      become: true
      become_method: sudo
    - name: Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
        insertafter: '^.*MACs=hmac-sha2-256'
        state: present
        create: true
      become: true
      become_method: sudo
    - name: Updating KexAlgorithms in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^KexAlgorithms'
        line: 'KexAlgorithms=curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha1'
      become: true
      become_method: sudo
    - name: Updating HostKeyAlgorithms in /etc/ssh/sshd_config file
      lineinfile:
        path: /etc/ssh/sshd_config
        line: 'HostKeyAlgorithms=ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected],ssh-rsa,[email protected]'
        insertafter: '18'
      become: true
      become_method: sudo
    - name: Restarting sshd service
      become: yes
      become_user: root
      ansible.builtin.service:
        name: sshd
        state: restarted
A:
1 vote
Emros
10/25/2023
#1
I don't understand. It seems you want to insert a line after '17', but the lineinfile module cannot insert based on a line number. Line 17 corresponds to 'PasswordAuthentication yes', so I suggest you change your code to the following:
- name: "Add GSSAPIKexAlgorithms in /etc/ssh/sshd_config file"
  lineinfile:
    path: "/etc/ssh/sshd_config"
    line: 'GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-'
    insertafter: '^PasswordAuthentication yes'
    state: present
  become: yes
In this example, the GSSAPIKexAlgorithms line will be added after the line containing 'PasswordAuthentication yes', which is line 17 in the file you provided.
If you don't want to use the lineinfile module, you could use the template module instead.
Comments
0 votes
01Tech
10/25/2023
@Emros I want it to follow the 'Macs=' line.
1 vote
Emros
10/25/2023
@01Tech Add insertafter: '^.*MACs=hmac-sha2-256'; you have some documentation here --> docs.ansible.com/ansible/latest/collections/ansible/builtin/...
0 votes
01Tech
10/25/2023
@Emros See above. Is this right?
0 votes
Emros
10/25/2023
@01Tech Yes, I did it on some playbooks; just replace this line --> insertafter: '^.*MACs=hmac-sha2-256'
1 vote
01Tech
10/25/2023
@Emros Looks like it worked! That's strange, because when I first tried this, before using the line-number approach, I did exactly this and it still ended up at the bottom of the file: insertafter: '^.*MACs='
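As an added illustration (not code from the question or from Emros's answer), here is a small Python model of how ansible.builtin.lineinfile decides where a line goes with state: present, run against a constructed sshd_config excerpt. The SSHD_CONFIG text, the helper names and the simplified matching logic are my own assumptions; the behaviour modelled is the module's documented behaviour: insertafter is a regular expression, never a line number; when nothing matches, the line is appended at EOF; when line already exists verbatim the task changes nothing, so a copy left at the end of the file by an earlier run stays there; and regexp matching is case-sensitive, so a pattern has to match the file's actual spelling of a directive.

```python
import re

# Constructed sshd_config excerpt, modelled on the file in the question
# (not the real file; only the directives needed for the scenarios).
SSHD_CONFIG = """\
Protocol 2
ListenAddress 127.0.0.1
PermitRootLogin no
MaxAuthTries 3
PasswordAuthentication yes
Ciphers aes256-ctr,aes128-ctr
MACs=hmac-sha2-256,hmac-sha2-512
KexAlgorithms=curve25519-sha256
Match Group ansible
    PasswordAuthentication no
"""

GSSAPI_LINE = ("GSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,"
               "gss-group14-sha256-,gss-group16-sha512-")


def lineinfile_present(content, line, regexp=None, insertafter=None):
    """Simplified model (assumption, not the module's source) of lineinfile, state=present.

    Precedence follows the module documentation:
      1. if `regexp` matches, the LAST matching line is replaced by `line`;
      2. otherwise, if `line` already exists verbatim, nothing changes;
      3. otherwise, if `insertafter` is a regex that matches, `line` goes
         after the LAST match (firstmatch: false behaviour);
      4. otherwise `line` is appended at EOF (the default insertafter).
    Patterns are Python regexes searched anywhere in the line, case-sensitively.
    Returns (new_content, changed).
    """
    lines = content.splitlines()

    if regexp is not None:
        hits = [i for i, l in enumerate(lines) if re.search(regexp, l)]
        if hits:
            last = hits[-1]
            if lines[last] == line:
                return content, False
            lines[last] = line
            return "\n".join(lines) + "\n", True

    if line in lines:
        return content, False

    if insertafter not in (None, "EOF"):
        hits = [i for i, l in enumerate(lines) if re.search(insertafter, l)]
        if hits:
            lines.insert(hits[-1] + 1, line)
            return "\n".join(lines) + "\n", True

    lines.append(line)
    return "\n".join(lines) + "\n", True


def line_index(content, line):
    """0-based index of the first line equal to `line`, or -1 if absent."""
    lines = content.splitlines()
    return lines.index(line) if line in lines else -1


def count_prefix(content, prefix):
    """Number of lines starting with `prefix` (spots duplicated directives)."""
    return sum(1 for l in content.splitlines() if l.startswith(prefix))


def demo():
    """Run the scenarios from the thread and return the resulting files."""
    # '17' is a regex, not a line number; no line contains "17", so -> EOF.
    by_number, _ = lineinfile_present(SSHD_CONFIG, GSSAPI_LINE, insertafter="17")
    # An anchored regex on the MACs directive places the line right after it.
    by_regex, _ = lineinfile_present(
        SSHD_CONFIG, GSSAPI_LINE, insertafter=r"^.*MACs=hmac-sha2-256")
    # A copy left at EOF by an earlier run makes the corrected task a no-op:
    # the line is already "present", so it is neither moved nor re-inserted.
    stale, stale_changed = lineinfile_present(
        by_number, GSSAPI_LINE, insertafter=r"^.*MACs=hmac-sha2-256")
    # regexp is case-sensitive: '^Macs' does not match 'MACs=' and the task
    # appends a second MACs directive instead of replacing the existing one.
    wrong_case, _ = lineinfile_present(SSHD_CONFIG, "MACs=hmac-sha2-512", regexp="^Macs")
    right_case, _ = lineinfile_present(SSHD_CONFIG, "MACs=hmac-sha2-512", regexp="^MACs")
    return {
        "by_number": by_number, "by_regex": by_regex,
        "stale": stale, "stale_changed": stale_changed,
        "wrong_case": wrong_case, "right_case": right_case,
    }


if __name__ == "__main__":
    r = demo()
    print("insertafter='17'  -> line", line_index(r["by_number"], GSSAPI_LINE))
    print("insertafter regex -> line", line_index(r["by_regex"], GSSAPI_LINE))
    print("stale EOF copy, task changed:", r["stale_changed"])
    print("MACs lines with '^Macs':", count_prefix(r["wrong_case"], "MACs"),
          "/ with '^MACs':", count_prefix(r["right_case"], "MACs"))
```

Running the script prints where each scenario lands; the "stale" case is the one to check for on a host where an earlier run already appended the line at the bottom, because the corrected task will report ok rather than move it. On a real host, the module's validate option (the documented form is validate: /usr/sbin/sshd -t -f %s) runs the new file through sshd's syntax check before it replaces the original, and backup: true keeps a timestamped copy, which is safer than relying on a one-off cp before restarting sshd.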