[ansible-project] Understanding relationship between -K & become vs ansible_ssh_user & ansible_ssh_pass

2021-09-07 Thread Michelle Dupuis
I am creating a simple playbook to add the current user's public key onto 
the remote host. My playbook fails with error "Failed to connect to the 
host via ssh: Permission denied".

I am running the playbook as non-root, and I can successfully ssh to the 
remote host as root. I run the following script with -K and enter the 
become password when prompted.

---
- name: Simple test 1
  hosts: all
  gather_facts: no
  vars:
    username: "root"
    pubkey: "{{ lookup('file','{{ ansible_env.HOME }}/.ssh/id_rsa.pub') }}"
  tasks:
    - name: Confirm this user has a public key file
      delegate_to: 127.0.0.1
      stat:
        path: '~/.ssh/id_rsa.pub'
      register: stat_result

- name: Simple test 2
  hosts: all
  become: true
  become_user: root
  tasks:
    - name: Abort if this user has no public key file
      fail: msg="You are missing your public key file"
      when: not stat_result.stat.exists
    - name: Add public key for this user to remote host
      authorized_key: >
        user = {{ username }}
        key = {{ pubkey }}
        state = present
    - name: Print all available facts
      ansible.builtin.debug:
        var: ansible_facts

The output from running task 3 with -vvv and -K is below:

 ESTABLISH SSH CONNECTION FOR USER: None
 SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s 
-o KbdInteractiveAuthentication=no -o 
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey 
-o PasswordAuthentication=no -o ConnectTimeout=10 -o 
ControlPath=/home/admin/.ansible/cp/bf945a50fe somehost.com '/bin/sh -c 
'"'"'echo ~ && sleep 0'"'"''
 (255, '', 'Permission denied 
(publickey,gssapi-keyex,gssapi-with-mic,password).\r\n')
fatal: [somehost.com]: UNREACHABLE! => {
"changed": false, 
"msg": "Failed to connect to the host via ssh: Permission denied 
(publickey,gssapi-keyex,gssapi-with-mic,password).", 
"unreachable": true
}

Notice authorized_key seems to run as user None (despite telling task 3 to 
become root). Only by setting ansible_ssh_user and ansible_ssh_pass in the 
ansible hosts file can I get authorized_key to work. Why?

I'm confused!
1. Shouldn't the -K parameter cause ansible to use the password I enter for 
ssh authentication?
2. Shouldn't the become: true cause the authorized_key to log in to the 
remote host as root?
3. Can someone explain the relationship between 'become' & '-K' and 
ansible_ssh_user & ansible_ssh_pass (set in the hosts file)?

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/35bb9ca6-2dc2-4c72-8635-b1ca667bfdb7n%40googlegroups.com.


[ansible-project] Understanding relationship between -K & become vs ansible_ssh_user & ansible_ssh_pass

2021-09-07 Thread Michelle Dupuis


I am creating a simple playbook to add the current user's public key onto 
the remote host. My playbook fails with error "Failed to connect to the 
host via ssh: Permission denied".

I am running the playbook as non-root, and I can successfully ssh to the 
remote host as root. I run the following script with -K and enter the 
become password when prompted.

---
- name: Simple test 1
  hosts: all
  gather_facts: no
  vars:
    username: "root"
    pubkey: "{{ lookup('file','{{ ansible_env.HOME }}/.ssh/id_rsa.pub') }}"
  tasks:
    - name: Confirm this user has a public key file
      delegate_to: 127.0.0.1
      stat:
        path: '~/.ssh/id_rsa.pub'
      register: stat_result

- name: Simple test 2
  hosts: all
  become: true
  become_user: root
  tasks:
    - name: Abort if this user has no public key file
      fail: msg="You are missing your public key file"
      when: not stat_result.stat.exists
    - name: Add public key for this user to remote host
      authorized_key: >
        user = {{ username }}
        key = {{ pubkey }}
        state = present
    - name: Print all available facts
      ansible.builtin.debug:
        var: ansible_facts


The output from running task 3 with -vvv and -K is below:

 ESTABLISH SSH CONNECTION FOR USER: None
 SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s 
-o KbdInteractiveAuthentication=no -o 
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey 
-o PasswordAuthentication=no -o ConnectTimeout=10 -o 
ControlPath=/home/admin/.ansible/cp/bf945a50fe somehost.com '/bin/sh -c 
'"'"'echo ~ && sleep 0'"'"''
 (255, '', 'Permission denied 
(publickey,gssapi-keyex,gssapi-with-mic,password).\r\n')
fatal: [somehost.com]: UNREACHABLE! => {
"changed": false, 
"msg": "Failed to connect to the host via ssh: Permission denied 
(publickey,gssapi-keyex,gssapi-with-mic,password).", 
"unreachable": true
}


Notice authorized_key seems to run as user None (despite telling task 3 to 
become root). Only by setting ansible_ssh_user and ansible_ssh_pass in the 
ansible hosts file can I get authorized_key to work. Why?

   - Shouldn't the -K parameter cause ansible to use the password I enter 
   for ssh authentication?
   - Shouldn't the become: true cause the authorized_key to log in to the 
   remote host as root?

My playbook also succeeds WITHOUT the -K parameter, so I must be 
misunderstanding how BECOME works. Can someone explain the relationship 
between 'become' & '-K' and ansible_ssh_user & ansible_ssh_pass (set in the 
hosts file)?

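Added example, not part of the original thread: the -vvv output above shows ssh started with no remote user and PasswordAuthentication=no, because the password prompted for by -K (--ask-become-pass) is used only for privilege escalation after login, while the login itself is governed by the connection user and -k (--ask-pass). The two plays below are alternatives for the same task; the account name deploy and the file names are assumptions, and ansible.posix.authorized_key assumes the ansible.posix collection is installed.

```yaml
# Added example, not the poster's playbook. Ansible works in two stages:
#   1. connection: which account ssh logs in as and how it authenticates
#        set by remote_user / ansible_user / -u; password prompt is -k
#   2. escalation after login: become, become_user; password prompt is -K
# Keep only one of the two plays. inventory and add_key.yml are placeholder names.

# Alternative A: log in directly as root, as the manual ssh test did.
# Run: ansible-playbook -i inventory -k add_key.yml
# (-k needs sshpass on the control node and prompts for the password,
#  so it does not have to be stored as ansible_ssh_pass in the hosts file)
- name: Install the control-node user's public key, logging in as root
  hosts: all
  gather_facts: false
  remote_user: root      # stage 1: without this, ssh uses the local account name
  become: false          # stage 2 not needed, the session is already root
  tasks:
    - name: Add public key for this user to remote host
      ansible.posix.authorized_key:
        user: root
        # Read on the control node; the env lookup needs no gathered facts.
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
        state: present

# Alternative B: log in as an unprivileged account, then escalate to root.
# Run: ansible-playbook -i inventory -k -K add_key.yml
- name: Install the same key through an unprivileged login plus become
  hosts: all
  gather_facts: false
  remote_user: deploy    # hypothetical account that exists on the remote host
  become: true           # stage 2: switch user after the ssh login succeeded
  become_user: root
  tasks:
    - name: Add public key for this user to remote host
      ansible.posix.authorized_key:
        user: root
        key: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_rsa.pub') }}"
        state: present
```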