I am fairly new to working with ansible and am operating some playbooks that were built by someone else who is gone. The current playbooks will set up a new server and work fine. It installs several standard packages and will change to all SSH logins, no root login. The first time I will put the ansible_ssh_user=root ansible_ssh_pass= xxxxx on the inventory line. After that root access no longer works.
The problem is when I need to run a playbook to update the server. I get a failure that looks like this:
<ipaddress> ESTABLISH CONNECTION FOR USER: myusername
<ipaddress> REMOTE_MODULE setup
<ipaddress> EXEC sshpass -d7 ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/nnnn/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o ConnectTimeout=10 ipaddress /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && echo $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580'
fatal: [server] => SSH Error: Permission denied (publickey).
while connecting to ipaddress:22
I then discovered a small group of servers that use a VPN and back end IP, and the same script ran OK:
<ipaddress> ESTABLISH CONNECTION FOR USER: myusername
<ipaddress> REMOTE_MODULE setup
<ipaddress> EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/myusername/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 ipaddress /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602 && echo $HOME/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602'
<ipaddress> PUT /tmp/tmpzk8i1E TO /home/myusername/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602/setup
<ipaddress> EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/myusername/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 ipaddress /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=jreeatvlyrwzcjqqsmbdciudhpgwnrxp] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-jreeatvlyrwzcjqqsmbdciudhpgwnrxp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/myusername/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602/setup; rm -rf /home/myusername/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602/ >/dev/null 2>&1'"'"''
ok: [servername]
I am hoping there is a simple setting or other change that will allow these playbooks to run, thanks for the help. I put asterisks around some things for privacy / security: myusername, etc.
Hi there,
> I am fairly new to working with ansible and am operating some playbooks that
> were built by someone else who is gone. The current playbooks will set up a
> new server and work fine. It installs several standard packages and will
> change to all SSH logins, no root login. The first time I will put the
> ansible_ssh_user=root ansible_ssh_pass= xxxxx on the inventory line.
Keeping that in an ansible-vault encrypted file is the better option,
but first things first.
> After that root access no longer works.
I guess your playbook changes the sshd's settings, right?
> The problem is when I need to run a playbook to update the server.
The same playbook run again? Or another playbook? Could you share the
parts of the playbook that show the errors?
> I get a
> failure that looks like this:
> <*ipaddress*> ESTABLISH CONNECTION FOR USER: *myusername*
> <*ipaddress*> REMOTE_MODULE setup
> <*ipaddress*> EXEC sshpass -d7 ssh -C -tt -v -o ControlMaster=auto -o
> ControlPersist=60s -o
> ControlPath="/home/nnnn/.ansible/cp/ansible-ssh-%h-%p-%r" -o
> StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o
> PubkeyAuthentication=no -o ConnectTimeout=10 *ipaddress* /bin/sh -c 'mkdir
> -p $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && chmod
> a+rx $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && echo
> $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580'
> fatal: [server] => SSH Error: Permission denied (publickey).
> while connecting to *ipaddress*:22
Can you log in as the destination user if you do it manually? Do you
have the right ssh keys on your machine?
Johannes
> The same playbook run again? Or another playbook? Could you share the
> parts of the playbook that show the errors?
different playbook - this is one to just update the hosts file,
ansible-playbook -vvv update_hosts.yml -i inventory/inventory
file update_hosts.yml
[ maybe snip the fullquote the next time, makes mails very long...]
> yes, my key works on the servers after they are configured
My guess: Connecting as root the first time works, as you tell ansible
with which user it should connect. After that, ansible is missing this
info. And I guess the target username is not the one you have on your
controller.
What happens if you include the following into your update.yml:
vars:
  ansible_user: foobar
And replace foobar with the user on the remote machine.
If that does not solve it, then maybe the VPN is the reason, and ssh
login is only allowed on some IPs or from some IPs. That would be a
task in the first ansible playbook, maybe have a look.
Johannes
> What happens if you include the following into your update.yml:
> vars:
>   ansible_user: foobar
that seems to have done the trick, thanks for the help
I guess when you tried to log into the machine manually, you specified
a user:
ssh user@machine
or
ssh user@ip-address
So your ssh-client knew as which user to connect. Ansible did not know
that. And you told it only in your first step with the
ansible_user=root part.
You might want to read up on ssh connections.
https://docs.ansible.com/ansible/intro_getting_started.html#remote-connection-information
Johannes
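
Added example, not part of any post in this thread: a Python helper that compares the ssh options in the EXEC lines of ansible-playbook -vvv output with the methods named in the "Permission denied (...)" error that follows. The sample lines are shortened, constructed copies of the two traces quoted in the thread; the function names, finding labels and the simplified method model are assumptions of this example.

```python
import re
import shlex

# Constructed samples: the failing and working EXEC lines from the thread, shortened.
FAILING = ("<ipaddress> EXEC sshpass -d7 ssh -C -tt -v -o StrictHostKeyChecking=no "
           "-o GSSAPIAuthentication=no -o PubkeyAuthentication=no ipaddress /bin/sh -c 'true'")
WORKING = ("<ipaddress> EXEC ssh -C -tt -v -o StrictHostKeyChecking=no "
           "-o KbdInteractiveAuthentication=no -o PasswordAuthentication=no -o "
           "PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey "
           "ipaddress /bin/sh -c 'true'")
ERROR = "fatal: [server] => SSH Error: Permission denied (publickey)."

# Simplified model: OpenSSH's default client methods and the option that disables each.
DEFAULT_METHODS = {"gssapi-with-mic", "hostbased", "publickey",
                   "keyboard-interactive", "password"}
SWITCHES = {"gssapiauthentication": "gssapi-with-mic",
            "pubkeyauthentication": "publickey",
            "kbdinteractiveauthentication": "keyboard-interactive",
            "passwordauthentication": "password"}


def parse_exec(line):
    """Return (uses_sshpass, options) for one 'EXEC ...' line of -vvv output."""
    argv = shlex.split(line.split(" EXEC ", 1)[1])
    opts = {}
    for flag, value in zip(argv, argv[1:]):
        if flag == "-o" and "=" in value:
            key, val = value.split("=", 1)
            opts[key.lower()] = val          # ssh option names are case-insensitive
    return argv[0] == "sshpass", opts


def client_methods(opts):
    """Authentication methods this ssh invocation can still attempt."""
    preferred = opts.get("preferredauthentications")
    methods = set(preferred.split(",")) if preferred else set(DEFAULT_METHODS)
    return methods - {m for o, m in SWITCHES.items() if opts.get(o) == "no"}


def diagnose(exec_line, error_line=""):
    """List findings for one EXEC line and the error that followed it, if any."""
    uses_sshpass, opts = parse_exec(exec_line)
    found = re.search(r"Permission denied \(([^)]*)\)", error_line)
    accepted = set(found.group(1).split(",")) if found else set()
    checks = [  # (finding, condition)
        ("auth-mismatch", bool(accepted) and not accepted & client_methods(opts)),
        ("password-auth", uses_sshpass),      # a connection password is set for the host
        ("host-key-unchecked", opts.get("stricthostkeychecking") == "no")]
    return [name for name, hit in checks if hit]
```

On the failing trace this reports that the client ran under sshpass with PubkeyAuthentication=no while the server accepted only publickey; on both traces it also reports StrictHostKeyChecking=no, which means host keys are accepted without verification.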