So, I just ran into this again. And it's really really annoying. There are 
times when I'm configuring things that I need to use the ssh password. It's 
far simpler just to set the password in the inventory/host_vars file and 
leave it there, than to have to set it, then remember to remove it once 
pubkey auth is working.

I also can't think of why you would want to block pubkey authentication. 
Doesn't ssh automatically fall back to password auth if pubkey fails? 
Pubkey auth is much more secure, and I would think it should be preferred 
over password auth in all cases, even if you've specified a password.

Or am I missing something?

In any case, is there an ansible.cfg option I could set that would stop 
Ansible from setting the "PubkeyAuthentication=no" flag?

On Wednesday, November 5, 2014 at 1:31:22 PM UTC-8, Matt Martz wrote:
>
> It is not specifically documented other than the code itself:
>
>
> https://github.com/ansible/ansible/blob/d3c28fee8739c93821d4f639b2931f5a3592eb8e/lib/ansible/runner/connection_plugins/ssh.py#L90-L92
>
> It was added in:
>
>
> https://github.com/ansible/ansible/commit/d703f920775e8877b1fb9e2ae750a23bcc7e9534
>
> Which dates the change back to v0.9
>
> My recommendation is to not put ansible_ssh_pass in your inventory.  
> Instead just specify it as an argument (-k) on the command line the first 
> time you bootstrap a machine.  That is what we do, and it seems to work out 
> pretty well.
>
>
> On Wed, Nov 5, 2014 at 3:22 PM, David Reagan <jer...@gmail.com> wrote:
>
>> Is that documented? I don't see it here: 
>> http://docs.ansible.com/intro_inventory.html#list-of-behavioral-inventory-parameters
>>
>> Any explanations on why? It seems counterintuitive to me. I would think 
>> we'd always want to use pubkey auth, and only use password auth if pubkey 
>> isn't available.
>>
>> --David Reagan
>>
>> On Wed, Nov 5, 2014 at 1:08 PM, Matt Martz <ma...@sivel.net> wrote:
>>
>>> If you have ansible_ssh_pass set, ansible explicitly sets "-o 
>>> PubkeyAuthentication=no" which disables the use of SSH public key auth.
>>>
>>> On Wed, Nov 5, 2014 at 2:35 PM, David Reagan <jer...@gmail.com> wrote:
>>>
>>>> When I'm first setting up a vm, I need to set which user to use and the 
>>>> ssh and sudo passwords. 
>>>>
>>>> So, my host file looks something like:
>>>>
>>>>> [apache]
>>>>> 192.168.77.2 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
>>>>> [mysql]
>>>>> 192.168.77.3 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
>>>>>
>>>>
>>>> The initial setup includes configuring ssh to use sshkey auth, blocking 
>>>> password auth, and adding my ssh pub key to the vagrant user.
>>>>
>>>> After that first run, my playbooks fail.
>>>>
>>>>
>>>>> ansible-playbook -i provisioning/vagrant.ansible.hosts --sudo --limit="192.168.77.3" provisioning/play.testowncloud.yml
>>>>>
>>>>> PLAY [apache] *****************************************************************
>>>>> skipping: no hosts matched
>>>>>
>>>>> PLAY [mysql] ******************************************************************
>>>>>
>>>>> GATHERING FACTS ***************************************************************
>>>>> fatal: [192.168.77.3] => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
>>>>>
>>>>> TASK: [aspects_mysql_server | include_vars {{ ansible_os_family }}.yml] *******
>>>>> FATAL: no hosts matched or all hosts have already failed -- aborting
>>>>>
>>>>>
>>>>> PLAY RECAP ********************************************************************
>>>>>            to retry, use: --limit @/home/localuser/play.testowncloud.retry
>>>>>
>>>>> 192.168.77.3               : ok=0    changed=0    unreachable=1    failed=0
>>>>>
>>>>
>>>>
>>>> If I remove the *ansible_ssh_pass* variable from my hosts file, it 
>>>> starts working.
>>>>
>>>> Why is that? Shouldn't having the *ansible_ssh_pass* set not matter?
>>>>
>>>>
>>>> In case it's useful, my /etc/ssh/sshd_config:
>>>>
>>>>> # See the sshd_config(5) manpage for details on what options you can set.
>>>>> Protocol 2
>>>>> HostKey /etc/ssh/ssh_host_dsa_key
>>>>> HostKey /etc/ssh/ssh_host_ecdsa_key
>>>>> UsePrivilegeSeparation yes
>>>>> AcceptEnv LANG LC_*
>>>>> HostKey /etc/ssh/ssh_host_rsa_key
>>>>> Port 22
>>>>> PubkeyAuthentication yes
>>>>> ServerKeyBits 768
>>>>> PrintMotd no
>>>>> AllowUsers otherusers localuser vagrant
>>>>> PrintLastLog yes
>>>>> HostbasedAuthentication no
>>>>> LoginGraceTime 120
>>>>> SyslogFacility AUTH
>>>>> X11DisplayOffset 10
>>>>> IgnoreRhosts yes
>>>>> PasswordAuthentication no
>>>>> TCPKeepAlive yes
>>>>> KeyRegenerationInterval 3600
>>>>> UsePAM yes
>>>>> LogLevel INFO
>>>>> RhostsRSAAuthentication no
>>>>> PermitEmptyPasswords no
>>>>> PermitRootLogin no
>>>>> Subsystem sftp /usr/lib/openssh/sftp-server
>>>>> X11Forwarding yes
>>>>> RSAAuthentication yes
>>>>> ChallengeResponseAuthentication no
>>>>>
>>>>
>>>> Both desktop and vm are Ubuntu 14.04. Using ansible devel branch 
>>>> current as of a couple weeks ago.
>>>>
>>>> -- 
>>>> You received this message because you are subscribed to the Google 
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>> an email to ansible-proje...@googlegroups.com.
>>>> To post to this group, send email to ansible...@googlegroups.com.
>>>> To view this discussion on the web visit 
>>>> https://groups.google.com/d/msgid/ansible-project/7bcee974-eaf4-487d-b97f-a6f897395784%40googlegroups.com.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>>
>>>
>>> -- 
>>> Matt Martz
>>> @sivel
>>> sivel.net
>>>  
>>>
>>
>>
>
>
>
> -- 
> Matt Martz
> @sivel
> sivel.net
>  

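Added example (not part of the original thread, and not Ansible's own code): a small check that intersects the authentication methods an sshd_config permits with the methods the ssh client will still offer, to show why the run above ends with no usable method. It assumes only the behaviour stated in the thread (the `-o PubkeyAuthentication=no` option when `ansible_ssh_pass` is set); the function names and the sample excerpt are constructed for illustration.

```python
# Added example, not Ansible source. Models only the one client option named
# in the thread; SAMPLE_SSHD_CONFIG is an excerpt constructed from the
# sshd_config quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
# excerpt of the quoted sshd_config
PubkeyAuthentication yes
HostbasedAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

# sshd keyword -> (auth method, default used when the keyword is absent)
SERVER_KEYWORDS = {
    "pubkeyauthentication": ("publickey", True),
    "passwordauthentication": ("password", True),
    "challengeresponseauthentication": ("keyboard-interactive", True),
    "hostbasedauthentication": ("hostbased", False),
}
# ssh -o option -> method the client stops offering when it is set to "no"
CLIENT_TOGGLES = {
    "pubkeyauthentication": "publickey",
    "passwordauthentication": "password",
    "kbdinteractiveauthentication": "keyboard-interactive",
}

def server_methods(config_text):
    """Methods the global section of sshd_config allows (first value wins)."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":          # later settings are conditional; stop here
            break
        if key in SERVER_KEYWORDS and key not in seen:
            seen[key] = value == "yes"
    return {m for k, (m, default) in SERVER_KEYWORDS.items() if seen.get(k, default)}

def client_methods(ssh_opts):
    """Methods the ssh client still offers after the given -o options."""
    methods = {"publickey", "keyboard-interactive", "password"}
    for opt in ssh_opts:
        key, _, value = opt.partition("=")
        method = CLIENT_TOGGLES.get(key.strip().lower())
        if method and value.strip().lower() == "no":
            methods.discard(method)
    return methods

def usable_methods(config_text, password_set):
    """Overlap between server and client; an empty set means login must fail."""
    opts = ["PubkeyAuthentication=no"] if password_set else []
    return server_methods(config_text) & client_methods(opts)
```

An empty result for `password_set=True` against a key-only server matches the unreachable host in the playbook output quoted in the thread.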