You can control what arguments Ansible uses to invoke the ssh binary with. 
See ssh_extra_args [1] for ways to set extra arguments. You can run Ansible 
with -vvv and it will show you the full ssh command being run on each 
connection.

[1] 
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
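A small added check, not code from the thread or from the Ansible project, for the `-vvv` suggestion above: once `ansible_ssh_extra_args` (or `ssh_extra_args` in `ansible.cfg`) has been set to something like `-o ForwardAgent=yes`, the `SSH: EXEC ssh ...` lines that `-vvv` prints are the place to confirm the option actually reached the ssh command. The script parses those lines and reports, per host, whether agent forwarding was requested, whether password authentication was disabled, and which remote user was used. The sample output embedded below is constructed in the shape of Ansible's connection debugging lines; the hosts, user and ControlPath are made up.

```python
import re
import shlex

# Constructed sample lines in the shape of `ansible-playbook -vvv` connection
# debugging output (not real output from the thread). Host 10.0.0.18 has no
# ForwardAgent option, 10.0.0.19 sets it via -o, 10.0.0.20 uses the -A flag.
SAMPLE_VVV_OUTPUT = """\
<10.0.0.18> ESTABLISH SSH CONNECTION FOR USER: user
<10.0.0.18> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="user"' -o ConnectTimeout=10 -o 'ControlPath="/home/user/.ansible/cp/0123456789"' 10.0.0.18 '/bin/sh -c '"'"'echo ~user && sleep 0'"'"''
<10.0.0.19> ESTABLISH SSH CONNECTION FOR USER: user
<10.0.0.19> SSH: EXEC ssh -vvv -C -o ForwardAgent=yes -o ControlMaster=auto -o 'User="user"' 10.0.0.19 '/bin/sh -c '"'"'echo ~user && sleep 0'"'"''
<10.0.0.20> SSH: EXEC ssh -A -o PasswordAuthentication=no -o 'User="user"' 10.0.0.20 '/bin/sh -c '"'"'echo ~user && sleep 0'"'"''
"""

# Matches the line Ansible prints just before it spawns the ssh binary.
EXEC_RE = re.compile(r"^<(?P<host>[^>]+)> SSH: EXEC (?P<cmd>.*)$")

# Single-letter ssh flags that consume the following argument (e.g. -p 22,
# -i key, -l user); everything else is treated as a bare flag like -A or -C.
ARG_FLAGS = set("bcDEeFIiJLlmOopQRSWw")


def parse_ssh_options(cmd):
    """Split an ssh command line; return ({option: value}, {bare flag letters}).

    Stops at the first non-option argument, which is the destination host, so
    the quoted remote command after it is never inspected.
    """
    argv = shlex.split(cmd)
    opts, flags = {}, set()
    i = 1  # argv[0] is "ssh"
    while i < len(argv):
        arg = argv[i]
        if arg == "-o" and i + 1 < len(argv):          # -o Key=Value
            key, _, value = argv[i + 1].partition("=")
            opts[key.lower()] = value.strip('"')
            i += 2
        elif arg.startswith("-o") and len(arg) > 2:    # -oKey=Value
            key, _, value = arg[2:].partition("=")
            opts[key.lower()] = value.strip('"')
            i += 1
        elif len(arg) == 2 and arg[0] == "-" and arg[1] in ARG_FLAGS:
            i += 2                                     # flag plus its argument
        elif arg.startswith("-") and len(arg) > 1:
            flags.update(arg[1:])                      # -vvv, -C, -A, ...
            i += 1
        else:
            break                                      # destination host
    return opts, flags


def agent_forwarding_state(opts, flags):
    """'yes' if forwarding was requested (-A or ForwardAgent=yes), 'no' if it
    was explicitly disabled (-a or ForwardAgent=no), 'unset' if the command
    line says nothing and the client's ssh_config decides."""
    if "A" in flags:
        return "yes"
    if "a" in flags:
        return "no"
    value = opts.get("forwardagent")
    if value is None:
        return "unset"
    return "yes" if value.lower() == "yes" else "no"


def audit_vvv_output(text):
    """Map each host seen in -vvv output to what its ssh invocation asked for."""
    report = {}
    for line in text.splitlines():
        match = EXEC_RE.match(line)
        if not match:
            continue
        opts, flags = parse_ssh_options(match.group("cmd"))
        report[match.group("host")] = {
            "forward_agent": agent_forwarding_state(opts, flags),
            "password_auth": opts.get("passwordauthentication", "unset"),
            "user": opts.get("user", "unset"),
        }
    return report


if __name__ == "__main__":
    for host, info in audit_vvv_output(SAMPLE_VVV_OUTPUT).items():
        print(host, info)
```

Feed it the saved output of `ansible-playbook -vvv ...` instead of the sample. A host reported as `unset` is relying on whatever the controller's `ssh_config` says about `ForwardAgent`, which is the situation the thread is chasing; the `Missing sudo password` failure quoted further down is a separate become-stage check that the linked article addresses by setting `ansible_become_pass`, and it is not visible in the ssh command line at all.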

On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote:

> Pierre-
>  That was the missing bit. This is definitely an issue in Ansible that 
> probably needs to be addressed.
>
> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <melvin...@gmail.com> 
> wrote:
>
>> Hi,
>>
>> I haven't tested this myself, but this article 
>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/> 
>> mentions that you'd need to set ansible_become_pass var somewhere with a 
>> potential dummy value. Give it a try!
>>
>> On Wednesday, August 16, 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
>>
>>> So I have been doing some RSA-key based two-factor authentication work 
>>> recently, but have hit a stumbling block with Ansible. Has anyone ever done 
>>> key based privilege escalation? Apparently just using the ssh connection 
>>> option ForwardAgent=true is not quite the same as "ssh -A" when doing 
>>> escalation. 
>>>
>>> For those not familiar with rsa key privilege escalation via sudo this 
>>> is a good link: 
>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>>
>>> Before I get advice to just use passwordless sudo, that is something I 
>>> am looking for a way to avoid as it generates a massive amount of paperwork 
>>> in the federal FISMA high and med spaces that require MFA and expected MFA 
>>> elevated privilege access. 
>>>
>>> Manually I am very successful with the RSA key
>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>>> 1 device has a firmware upgrade available.
>>> Run `fwupdmgr get-upgrades` for more information.
>>> Activate the web console with: systemctl enable --now cockpit.socket
>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>>> [user@kube ~]$ sudo whoami
>>> root
>>> [user@kube ~]$ exit
>>> logout
>>>
>>> However, Ansible is not making the same connections:
>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>>> PLAY [all] 
>>> ***********************************************************************************************************************************************************
>>> TASK [Gathering Facts] 
>>> ************************************************************************************************************************************************
>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>>> PLAY RECAP 
>>> ************************************************************************************************************************************************************
>>> 10.0.0.18                  : ok=0    changed=0    unreachable=0   
>>>  failed=1    skipped=0    rescued=0    ignored=0   
>>>
>>> I have tried several options, and assume it is going to end up being 
>>> something in the SSH connection options to get this working beyond using 
>>> "ForwardAgent=Yes".
>>> -- 
>>> Evan Hisey
>>> ehi...@gmail.com
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to ansible-proje...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com.
>>
>
