I am having a similar problem to Jason's example. Using ansible version 1.8.4 installed via brew on an OS X 10.10.2 machine, ansible is only able to access machines that have root ssh login enabled, and only if I use the -k option in ansible. Using the -k option, ansible logs in as root and works. If I try a different user using the -u option on the ansible command line, it is ignored. I tried Matt's -c ssh suggestion; it made no difference for the passwordless attempt. Ansible does ask for another program to be installed if you use -c ssh -k; I did not go down this path, as entering a password is not my goal. The following playbook works and shows that the remote user is root if I use the -k option; the playbook will fail with a log similar to Jason's above with no -k:

---
- hosts: ubuntu14
  gather_facts: False
  tasks:
    - name: who am i
      command: whoami
      register: catout
    - debug: var=catout.stdout_lines

I am able to use this paramiko 1.15.2 python code both as root and nonroot user to connect to this same Ubuntu 14.04 machine from OS X:

import paramiko
ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
# AutoAddPolicy accepts host keys that are not in known_hosts without verifying them
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('ubuntu14',username='user', password='password')
stdin, stdout, stderr = ssh.exec_command('whoami')
stdout.readlines()

note: I have to use the set_missing_host_key_policy(paramiko.AutoAddPolicy()) to get the code to run, solving a 'not found in known_hosts' error that seems to be known about paramiko for some time.

I am a total n00b to ansible.

-vvvv output for the following execution:

ansible-playbook playbook.yml -vvvv

<ubuntu14> <ubuntu14> <ubuntu14> ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no User=root ControlPath=/Users/dproffer/.ansible/cp/ansible-ssh-%h-%p-%r PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey ControlMaster=auto Port=22 ControlPersist=60s
fatal: [ubuntu14] => SSH encountered an unknown error. The output was:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/dproffer/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/dproffer/.ansible/cp/ansible-ssh-ubuntu14-22-root" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to ubuntu14 [192.168.1.150] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 10000 ms remain after connect
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/dproffer/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/dproffer/.ssh/id_rsa type 1
debug1: identity file /Users/dproffer/.ssh/id_rsa-cert type -1
debug1: identity file /Users/dproffer/.ssh/id_dsa type -1
debug1: identity file /Users/dproffer/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-8 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ubuntu14" from file "/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-rsa,ssh-dss-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: z...@openssh.com,zlib,none
debug2: kex_parse_kexinit: z...@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,chacha20-poly1...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5-...@openssh.com
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com z...@openssh.com
debug2: mac_setup: found hmac-md5-...@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com z...@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug3: load_hostkeys: loading entries for host "ubuntu14" from file "/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.1.150" from file "/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'ubuntu14' is known and matches the RSA host key.
debug1: Found key in /Users/dproffer/.ssh/known_hosts:2
debug2: bits set: 491/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/dproffer/.ssh/id_rsa (0x7ffc59c16020),
debug2: key: /Users/dproffer/.ssh/id_dsa (0x0),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/dproffer/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/dproffer/.ssh/id_dsa
debug3: no such identity: /Users/dproffer/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).

-------

Thanks!

On Friday, February 6, 2015 at 3:33:32 PM UTC-8, jason cafarelli wrote:
>
> Issue:
> Passwordless ssh works; ansible does not; comes back with AUTH failed.
> Almost looks like my /root/.ssh/config is not being read by ansible?
>
> Workarounds:
> setting key manually in /etc/ansible/ansible.cfg or using flag to specify
> key in command line both work
>
> Kickstart/cobbler install with pre shared public key that is stored in
> rsa_compute_node and rsa_compute_node.pub on the mgmt node.
>
> ie:
> [root@mgmt2 ssh]# ls /root/.ssh/
> authorized_keys id_rsa id_rsa_compute.pub id_rsa_mgmt.pub
> known_hosts
> config id_rsa_compute id_rsa_mgmt id_rsa.pub
> [root@mgmt2 ssh]#
>
>
> Config file setup for certain hosts and using my custom ID file:
>
> [root@mgmt2 ssh]# cat /root/.ssh/config
> Host 192.168.*
> StrictHostKeyChecking=no
> IdentityFile ~/.ssh/id_rsa_compute
>
> ssh works without password
> [root@mgmt2 ~]# ssh 192.168.100.147
> [root@u-eth ~]#
>
> Ansible fails:
> [root@mgmt2 ssh]# ansible compute -m ping
> [WARNING]: The version of gmp you have installed has a known issue
> regarding
> timing vulnerabilities when used with pycrypto. If possible, you should
> update
> it (i.e. yum update gmp).
>
> 192.168.100.103 | FAILED => FAILED: Authentication failed.
> 192.168.100.105 | FAILED => FAILED: Authentication failed.
> 192.168.100.101 | FAILED => FAILED: Authentication failed.
> 192.168.100.104 | FAILED => FAILED: Authentication failed.
> 192.168.100.102 | FAILED => FAILED: Authentication failed.
> 192.168.100.107 | FAILED => FAILED: Authentication failed.
> 192.168.100.110 | FAILED => FAILED: Authentication failed.
> 192.168.100.106 | FAILED => FAILED: Authentication failed.
> 192.168.100.108 | FAILED => FAILED: Authentication failed.
> 192.168.100.109 | FAILED => FAILED: Authentication failed.
> 192.168.100.114 | FAILED => FAILED: Authentication failed.
> 192.168.100.113 | FAILED => FAILED: Authentication failed.
> 192.168.100.111 | FAILED => FAILED: Authentication failed.
> 192.168.100.112 | FAILED => FAILED: Authentication failed.
> 192.168.100.115 | FAILED => FAILED: Authentication failed.
> 192.168.100.120 | FAILED => FAILED: Authentication failed.
> 192.168.100.119 | FAILED => FAILED: Authentication failed.
> 192.168.100.117 | FAILED => FAILED: Authentication failed.
> 192.168.100.116 | FAILED => FAILED: Authentication failed.
> 192.168.100.118 | FAILED => FAILED: Authentication failed.
> 192.168.100.121 | FAILED => FAILED: Authentication failed.
> 192.168.100.123 | FAILED => FAILED: Authentication failed.
> 192.168.100.125 | FAILED => FAILED: Authentication failed.
> 192.168.100.122 | FAILED => FAILED: Authentication failed.
> 192.168.100.124 | FAILED => FAILED: Authentication failed.
> 192.168.100.126 | FAILED => FAILED: Authentication failed.
> 192.168.100.129 | FAILED => FAILED: Authentication failed.
> 192.168.100.128 | FAILED => FAILED: Authentication failed.
> 192.168.100.130 | FAILED => FAILED: Authentication failed.
> 192.168.100.127 | FAILED => FAILED: Authentication failed.
> 192.168.100.134 | FAILED => FAILED: Authentication failed.
> 192.168.100.131 | FAILED => FAILED: Authentication failed.
> 192.168.100.132 | FAILED => FAILED: Authentication failed.
> 192.168.100.135 | FAILED => FAILED: Authentication failed.
> 192.168.100.133 | FAILED => FAILED: Authentication failed.
> 192.168.100.137 | FAILED => FAILED: Authentication failed.
> 192.168.100.139 | FAILED => FAILED: Authentication failed.
> 192.168.100.138 | FAILED => FAILED: Authentication failed.
> 192.168.100.140 | FAILED => FAILED: Authentication failed.
> 192.168.100.136 | FAILED => FAILED: Authentication failed.
> 192.168.100.142 | FAILED => FAILED: Authentication failed.
> 192.168.100.143 | FAILED => FAILED: Authentication failed.
> 192.168.100.144 | FAILED => FAILED: Authentication failed.
> 192.168.100.145 | FAILED => FAILED: Authentication failed.
> 192.168.100.141 | FAILED => FAILED: Authentication failed.
> 192.168.100.146 | FAILED => FAILED: Authentication failed.
> 192.168.100.147 | FAILED => FAILED: Authentication failed.
> 192.168.100.148 | success >> {
> "changed": false,
> "ping": "pong"
> }
>
> The last node; I ran ssh-copy-id as a sanity test.
>
> Version:
> [root@mgmt2 ~]# rpm -qa | grep ans
> dejavu-sans-fonts-2.30-2.el6.noarch
> ansible-1.8.1-1.el6.noarch
> [root@mgmt2 ~]#
>
>
> [root@--eth .ssh]# service sshd stop; /usr/sbin/sshd -p 22 -D -d -e
> debug1: sshd version OpenSSH_5.3p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-p'
> debug1: rexec_argv[2]='22'
> debug1: rexec_argv[3]='-D'
> debug1: rexec_argv[4]='-d'
> debug1: rexec_argv[5]='-e'
> Set /proc/self/oom_score_adj from 0 to -1000
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Server will not fork when running in debugging mode.
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: sshd version OpenSSH_5.3p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: inetd sockets after dupping: 3, 3
> Connection from 192.168.1.2 port 52557
> debug1: Client protocol version 2.0; client software version paramiko_1.7.5
> debug1: no match: paramiko_1.7.5
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug1: permanently_set_uid: 74/74
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-ctr hmac-sha1 none
> debug1: kex: server->client aes128-ctr hmac-sha1 none
> debug1: expecting SSH2_MSG_KEXDH_INIT
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user root service ssh-connection method
> publickey
> debug1: attempt 0 failures 0
> debug1: PAM: initializing for "root"
> debug1: PAM: setting PAM_RHOST to "192.168.1.2"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: temporarily_use_uid: 0/0 (e=0/0)
> debug1: trying public key file /root/.ssh/authorized_keys
> debug1: fd 4 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 0/0 (e=0/0)
> debug1: trying public key file /root/.ssh/authorized_keys2
> debug1: fd 4 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Failed publickey for root from 192.168.1.2 port 52557 ssh2
> Connection closed by 192.168.1.2
> debug1: do_cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> [root@urika-xa46-eth .ssh]# rm /root/.ssh/authorized_keys2
> rm: remove regular file `/root/.ssh/authorized_keys2'? y
> [root@--eth .ssh]#
>
> Let me know if you need any more info,
>
> Thanks!
>
> -Jason
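
Added example, not part of the original messages: a short Python sketch that reduces an ssh client debug transcript like the one in the reply above to the facts that decide authentication (login user, methods both sides allow, keys offered or missing, final verdict). `summarize` and `SAMPLE_LOG` are names made up here, and the sample lines are a constructed excerpt of the transcript quoted in the post.

```python
import re

# Constructed sample: lines excerpted from the -vvvv transcript in the post above.
SAMPLE_LOG = """\
<ubuntu14> ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no User=root PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/dproffer/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/dproffer/.ssh/id_dsa
debug3: no such identity: /Users/dproffer/.ssh/id_dsa: No such file or directory
debug1: No more authentication methods to try.
Permission denied (publickey,password).
"""

OPTION = re.compile(r"\b([A-Z][A-Za-z]+)=(\S+)")   # ssh -o style Key=Value tokens
DEBUG = re.compile(r"^debug\d: (.*)$")              # ssh client debug lines

def summarize(log):
    """Reduce an ssh debug transcript to the facts that decide authentication."""
    opts, server, offered, missing, denied = {}, [], [], [], False
    for line in log.splitlines():
        m = DEBUG.match(line)
        if m is None:
            # Non-debug lines: the option list handed to ssh, or the final verdict.
            opts.update(OPTION.findall(line))
            denied = denied or line.startswith("Permission denied")
            continue
        msg = m.group(1)
        if msg.startswith("Authentications that can continue: "):
            server = msg.split(": ", 1)[1].split(",")
        elif msg.startswith("Offering ") and " public key: " in msg:
            offered.append(msg.split(" public key: ", 1)[1])
        elif msg.startswith("no such identity: "):
            missing.append(msg.split(": ")[1])
    client = opts.get("PreferredAuthentications", "").split(",")
    return {
        "user": opts.get("User"),
        "password_allowed": opts.get("PasswordAuthentication") != "no",
        "server_methods": server,
        # Methods both sides agree on; anything else is never attempted.
        "usable_methods": [x for x in server if x in client],
        "keys_offered": offered,
        "keys_missing": missing,
        "denied": denied,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:17} {value}")
```

On the sample this reports that the session ran as root with password authentication switched off on the client side, so publickey was the only method both ends allowed, and the single key offered was not accepted.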