Ansible and hardcoded OpenSSH options

Archives Ansible Project
1

Hi,

We’re using a proprietary SSH (ie. not OpenSSH…sigh…not my choice) and have run into an issue where there seems to be hardcoded OpenSSH options in Ansible?

The SSH we’re using has differing naming for some of the SSH options.

Looking at the command output shows several SSH options that aren’t in the ansible.cfg file and we can’t seem to find where the OpenSSH options are coming from?

Does Ansible have a dependency on OpenSSH? Is there a workaround for the hard coded options?

For example:

The /etc/ansible/ansible.cfg ssh_args reads:

[ssh_connection]
ssh_args = -o ConnectionReuse=yes -o AllowedAuthentications=keyboard-interactive,gssapi-with-mic,publickey,password=yes

But when we run a simple test of the connectivity we get a the error:

(1, b’', b"Invalid option: ‘KbdInteractiveAuthentication=no’\r\n")
<ea-krishna.admin.virginia.edu> Failed to connect to the host via ssh: Invalid option: ‘KbdInteractiveAuthentication=no’

Output from the command “ansible -vvv all -m shell -a ‘uptime -p’” shows a number of additional options that are incompatible with our proprietary SSH :

SSH: EXEC ssh -o ConnectionReuse=yes -o AllowedAuthentications=keyboard-interactive,gssapi-with-mic,publickey,password=yes -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ‘User=“ansible”’ -o ConnectTimeout=10

Many Thanks!

Complete test output:

Output for a simple command showing a connection failure…

ansible -vvv all -m shell -a ‘uptime -p’
ansible 2.9.25
config file = /etc/ansible/ansible.cfg
configured module search path = [‘/home/ansible/.ansible/plugins/modules’, ‘/usr/share/ansible/plugins/modules’]
ansible python module location = /opt/freeware/lib/python3.7/site-packages/ansible
executable location = /opt/freeware/bin/ansible
python version = 3.7.12 (default, Dec 15 2021, 03:25:47) [GCC 8.3.0]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Skipping callback ‘actionable’, as we already have a stdout callback.
Skipping callback ‘counter_enabled’, as we already have a stdout callback.
Skipping callback ‘debug’, as we already have a stdout callback.
Skipping callback ‘dense’, as we already have a stdout callback.
Skipping callback ‘dense’, as we already have a stdout callback.
Skipping callback ‘full_skip’, as we already have a stdout callback.
Skipping callback ‘json’, as we already have a stdout callback.
Skipping callback ‘minimal’, as we already have a stdout callback.
Skipping callback ‘null’, as we already have a stdout callback.
Skipping callback ‘oneline’, as we already have a stdout callback.
Skipping callback ‘selective’, as we already have a stdout callback.
Skipping callback ‘skippy’, as we already have a stdout callback.
Skipping callback ‘stderr’, as we already have a stdout callback.
Skipping callback ‘unixy’, as we already have a stdout callback.
Skipping callback ‘yaml’, as we already have a stdout callback.
META: ran handlers
ESTABLISH SSH CONNECTION FOR USER: ansible
SSH: EXEC ssh -o ConnectionReuse=yes -o AllowedAuthentications=keyboard-interactive,gssapi-with-mic,publickey,password=yes -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ‘User=“ansible”’ -o ConnectTimeout=10 SERVERNAME ‘/bin/sh -c ‘"’"’( umask 77 && mkdir -p “echo $HOME/.ansible/tmp”&& mkdir “echo $HOME/.ansible/tmp/ansible-tmp-1676913038.373544-29753714-228961199446076” && echo ansible-tmp-1676913038.373544-29753714-228961199446076=“echo $HOME/.ansible/tmp/ansible-tmp-1676913038.373544-29753714-228961199446076” ) && sleep 0’“'”‘’
(1, b’', b"Invalid option: ‘KbdInteractiveAuthentication=no’\r\n")
<ea-krishna.admin.virginia.edu> Failed to connect to the host via ssh: Invalid option: ‘KbdInteractiveAuthentication=no’
ea-krishna.admin.virginia.edu | UNREACHABLE! => {
“changed”: false,
“msg”: “Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in "/tmp", for more error information use -vvv. Failed command was: ( umask 77 && mkdir -p "echo $HOME/.ansible/tmp"&& mkdir "echo $HOME/.ansible/tmp/ansible-tmp-1676913038.373544-29753714-228961199446076" && echo ansible-tmp-1676913038.373544-29753714-228961199446076="echo $HOME/.ansible/tmp/ansible-tmp-1676913038.373544-29753714-228961199446076" ), exited with result 1”,
“unreachable”: true
}

2

Not all options are available to users for configuration. KbdInteractiveAuthentication is one that cannot be changed unless you use password based authentication, as it’s a hard coded config in the ssh plugin.

The other option would be to write your own connection plugin.