Hi All,

I've been battling with this issue all day. I wrote a playbook which spins 
up nodes on ec2 using ansible and then bootstraps the box by creating the 
"ansible" user on the remote machine, then it pushes the ansible user's 
rsa.pub key to the box and finally overwrites the '90-cloud-init-users' 
file which allows for provisioning of sudo permissions without password. 
I've been having the error below pop up after the provisioning is complete 
and the playbook moves on to installing some packages with git. It was 
working just fine with the default user set up by AWS, but after I migrated 
to the ansible username it doesn't. After this provisioning fails, I am 
immediately able to log in to the box using the username 'ansible' without 
a password, so it seems that the public key is being sent correctly. 

fatal: [x.x.x.x] => SSH encountered an unknown error. The output was:
>
> OpenSSH_6.4, OpenSSL 1.0.1e-fips 11 Feb 2013
>
> debug1: Reading configuration data /home/ansible/.ssh/config
>
> debug1: Reading configuration data /etc/ssh/ssh_config
>
> debug2: ssh_connect: needpriv 0
>
> debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
>
> debug2: fd 3 setting O_NONBLOCK
>
> debug1: fd 3 clearing O_NONBLOCK
>
> debug1: Connection established.
>
> debug3: timeout: 14998 ms remain after connect
>
> debug3: Incorrect RSA1 identifier
>
> debug3: Could not load "xxx.pem" as a RSA1 public key
>
> debug1: identity file xxx.pem type -1
>
> debug1: identity file xxxx.pem-cert type -1
>
> debug1: Enabling compatibility mode for protocol 2.0
>
> debug1: Local version string SSH-2.0-OpenSSH_6.4
>
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
>
> debug1: match: OpenSSH_6.4 pat OpenSSH*
>
> debug2: fd 3 setting O_NONBLOCK
>
> debug3: load_hostkeys: loading entries for host "x.x.x.x" from file 
>> "/home/ansible/.ssh/known_hosts"
>
> debug3: load_hostkeys: found key type ECDSA in file 
>> /home/ansible/.ssh/known_hosts:17
>
> debug3: load_hostkeys: loaded 1 keys
>
> debug3: order_hostkeyalgs: prefer hostkeyalgs: 
>> ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
>
> debug1: SSH2_MSG_KEXINIT sent
>
> debug1: SSH2_MSG_KEXINIT received
>
> debug2: kex_parse_kexinit: 
>> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> debug2: kex_parse_kexinit: 
>> ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa,ssh-dss
>
> debug2: kex_parse_kexinit: 
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>
> debug2: kex_parse_kexinit: 
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>
> debug2: kex_parse_kexinit: 
>> hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: 
>> hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: z...@openssh.com,zlib,none
>
> debug2: kex_parse_kexinit: z...@openssh.com,zlib,none
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit: first_kex_follows 0
>
> debug2: kex_parse_kexinit: reserved 0
>
> debug2: kex_parse_kexinit: 
>> ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
> debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256
>
> debug2: kex_parse_kexinit: 
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>
> debug2: kex_parse_kexinit: 
>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
>
> debug2: kex_parse_kexinit: 
>> hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: 
>> hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
>
> debug2: kex_parse_kexinit: none,z...@openssh.com
>
> debug2: kex_parse_kexinit: none,z...@openssh.com
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit:
>
> debug2: kex_parse_kexinit: first_kex_follows 0
>
> debug2: kex_parse_kexinit: reserved 0
>
> debug2: mac_setup: found hmac-md5-...@openssh.com
>
> debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com 
>> z...@openssh.com
>
> debug2: mac_setup: found hmac-md5-...@openssh.com
>
> debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com 
>> z...@openssh.com
>
> debug1: sending SSH2_MSG_KEX_ECDH_INIT
>
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
>
> debug1: Server host key: ECDSA 
>> 0f:59:bd:0b:c7:2d:93:4a:8e:4d:33:8e:22:50:16:36
>
> debug3: load_hostkeys: loading entries for host "10.0.1.61" from file 
>> "/home/ansible/.ssh/known_hosts"
>
> debug3: load_hostkeys: found key type ECDSA in file 
>> /home/ansible/.ssh/known_hosts:17
>
> debug3: load_hostkeys: loaded 1 keys
>
> debug1: Host 'x.x.x.x' is known and matches the ECDSA host key.
>
> debug1: Found key in /home/ansible/.ssh/known_hosts:17
>
> debug1: ssh_ecdsa_verify: signature correct
>
> debug2: kex_derive_keys
>
> debug2: set_newkeys: mode 1
>
> debug1: SSH2_MSG_NEWKEYS sent
>
> debug1: expecting SSH2_MSG_NEWKEYS
>
> debug2: set_newkeys: mode 0
>
> debug1: SSH2_MSG_NEWKEYS received
>
> debug1: Roaming not allowed by server
>
> debug1: SSH2_MSG_SERVICE_REQUEST sent
>
> debug2: service_accept: ssh-userauth
>
> debug1: SSH2_MSG_SERVICE_ACCEPT received
>
> debug2: key: ansible.pem ((nil)), explicit
>
> debug1: Authentications that can continue: 
>> publickey,gssapi-keyex,gssapi-with-mic
>
> debug3: start over, passed a different list 
>> publickey,gssapi-keyex,gssapi-with-mic
>
> debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
>
> debug3: authmethod_lookup gssapi-with-mic
>
> debug3: remaining preferred: gssapi-keyex,hostbased,publickey
>
> debug3: authmethod_lookup gssapi-keyex
>
> debug3: remaining preferred: hostbased,publickey
>
> debug3: authmethod_lookup publickey
>
> debug3: remaining preferred: ,publickey
>
> debug3: authmethod_is_enabled publickey
>
> debug1: Next authentication method: publickey
>
> debug1: Trying private key: ansible.pem
>
> debug1: read PEM private key done: type RSA
>
> debug3: sign_and_send_pubkey: RSA 
>> 3c:0e:99:49:fb:eb:b9:a7:f3:c2:d2:c5:e6:9a:a6:b7
>
> debug2: we sent a publickey packet, wait for reply
>
> debug1: Authentications that can continue: 
>> publickey,gssapi-keyex,gssapi-with-mic
>
> debug2: we did not send a packet, disable method
>
> debug1: No more authentication methods to try.
>
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
>
>
>> FATAL: all hosts have already failed -- aborting
>
>
>
Thanks! 

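An added example, not part of the original post: a small Python helper that reads a mail-quoted OpenSSH debug trace like the one above and reports whether the client actually signed and sent a private key before the server answered "Permission denied". The function names and the shortened sample trace are constructed for illustration.

```python
import re

# Constructed sample, shortened from the trace in the post: mail-quoted with
# ">" and with wrapped continuation lines on ">>".
SAMPLE_TRACE = """\
> debug1: Trying private key: ansible.pem
>
> debug1: read PEM private key done: type RSA
> debug3: sign_and_send_pubkey: RSA
>> 3c:0e:99:49:fb:eb:b9:a7:f3:c2:d2:c5:e6:9a:a6:b7
> debug1: Authentications that can continue:
>> publickey,gssapi-keyex,gssapi-with-mic
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"""

def unquote(trace):
    """Strip mail quoting and join '>>' continuation lines onto the previous line."""
    lines = []
    for raw in trace.splitlines():
        m = re.match(r"\s*(>*)\s*(.*)", raw)
        depth, body = len(m.group(1)), m.group(2).strip()
        if not body:
            continue  # empty quoted line between log entries
        if depth >= 2 and lines:
            lines[-1] += " " + body
        else:
            lines.append(body)
    return lines

def summarize_auth(trace):
    """Report which private keys the client offered and how the server answered."""
    offered, methods, outcome = [], [], "unknown"
    for line in unquote(trace):
        if m := re.search(r"Trying private key: (\S+)", line):
            offered.append({"file": m.group(1), "fingerprint": None, "signed": False})
        elif (m := re.search(r"sign_and_send_pubkey: \S+ ([0-9a-f:]+)", line)) and offered:
            offered[-1].update(fingerprint=m.group(1), signed=True)
        elif m := re.search(r"Authentications that can continue: (\S+)", line):
            methods = m.group(1).split(",")
        elif "Permission denied" in line:
            outcome = "denied"
        elif "Authentication succeeded" in line:
            outcome = "accepted"
    verdict = outcome
    if outcome == "denied":
        verdict = ("key signed and sent, server rejected it" if any(k["signed"] for k in offered)
                   else "denied, no private key was signed and sent")
    return {"offered": offered, "server_methods": methods, "outcome": outcome, "verdict": verdict}
```

A verdict of "key signed and sent, server rejected it" means the client read the private key and completed its side of public-key authentication, so the remaining checks are on the server side for that user and key.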