Ansible passwordless login not working

I’ve tried a few connections:

It seems that ansible_user is not honoured with the network_cli plugin so make sure you’re not using that still:

$ ansible cisco -m ios_command -a "commands='sh ip int br'" -e 'ansible_connection=network_cli' -e 'ansible_network_os=ios' -e 'ansible_user=ansible' -k
SSH password:
rtr1 | FAILED! => {
"changed": false,
"msg": "Failed to authenticate: Authentication failed."
}

Both remote_user and -u username work for me:

$ ansible cisco -m ios_command -a "commands='sh ip int br'" -e 'ansible_connection=network_cli' -e 'ansible_network_os=ios' -u ansible -k
SSH password:
rtr1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"stdout": [
"Interface IP-Address OK? Method Status Protocol\nGigabitEthernet1 172.16.253.234 YES DHCP up up \nLoopback0 192.168.1.1 YES manual up up \nTunnel0 10.100.100.1 YES manual up up \nTunnel1 10.200.200.1 YES manual up up \nVirtualPortGroup0 192.168.35.101 YES TFTP up up"
],
"stdout_lines": [
[
"Interface IP-Address OK? Method Status Protocol",
"GigabitEthernet1 172.16.253.234 YES DHCP up up ",
"Loopback0 192.168.1.1 YES manual up up ",
"Tunnel0 10.100.100.1 YES manual up up ",
"Tunnel1 10.200.200.1 YES manual up up ",
"VirtualPortGroup0 192.168.35.101 YES TFTP up up"
]
]
}

$ ansible cisco -m ios_command -a "commands='sh ip int br'" -e 'ansible_connection=network_cli' -e 'ansible_network_os=ios' -e 'remote_user=ansible' -k
SSH password:
[WARNING]: Found variable using reserved name: remote_user

rtr1 | SUCCESS => {
"ansible_facts": {
"discovered_interpreter_python": "/usr/bin/python"
},
"changed": false,
"stdout": [
"Interface IP-Address OK? Method Status Protocol\nGigabitEthernet1 172.16.253.234 YES DHCP up up \nLoopback0 192.168.1.1 YES manual up up \nTunnel0 10.100.100.1 YES manual up up \nTunnel1 10.200.200.1 YES manual up up \nVirtualPortGroup0 192.168.35.101 YES TFTP up up"
],
"stdout_lines": [
[
"Interface IP-Address OK? Method Status Protocol",
"GigabitEthernet1 172.16.253.234 YES DHCP up up ",
"Loopback0 192.168.1.1 YES manual up up ",
"Tunnel0 10.100.100.1 YES manual up up ",
"Tunnel1 10.200.200.1 YES manual up up ",
"VirtualPortGroup0 192.168.35.101 YES TFTP up up"
]
]
}

Note that I had to remove/disable the valid SSH keys in the router, as the first auth method is publickey. Until I did this I could still connect.

I think you’re hitting this bug: https://github.com/ansible/ansible/issues/59381 which refers to https://github.com/paramiko/paramiko/issues/1390
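As an added example (not part of this thread, and not the poster's own files), this is how the same credentials are usually carried in a YAML inventory instead of on the command line, so that -u/-k are not needed and the password never appears in shell history or process listings. The group name, host names, addresses and the vault variable name are placeholders; ansible_user, ansible_password, ansible_connection, ansible_network_os, ansible_become and ansible_become_method are standard network_cli variables. This does not work around the paramiko bug linked above; it only fixes where the username and password come from.

```yaml
# inventory/cisco.yml (placeholder names and addresses)
all:
  children:
    cisco:
      hosts:
        rtr1:
          ansible_host: 192.0.2.10        # placeholder, RFC 5737 documentation range
      vars:
        ansible_connection: network_cli
        ansible_network_os: ios
        # Set as an inventory variable rather than -e, which the thread reports
        # is not honoured by network_cli for the username.
        ansible_user: ansible
        # Password lives in an encrypted vars file, referenced here by name.
        ansible_password: "{{ vault_ios_password }}"
        # Optional: enter enable mode for commands that need it.
        ansible_become: true
        ansible_become_method: enable
        ansible_become_password: "{{ vault_ios_enable_password }}"

# inventory/group_vars/cisco/vault.yml (encrypt with: ansible-vault encrypt <file>)
# vault_ios_password: "REPLACE_ME"
# vault_ios_enable_password: "REPLACE_ME"

# show_ip_int_br.yml
- name: Show IP interface brief on all IOS routers
  hosts: cisco
  gather_facts: false
  tasks:
    - name: Run show ip interface brief
      ios_command:
        commands:
          - show ip interface brief
      register: ipbrief

    - name: Print the result
      debug:
        var: ipbrief.stdout_lines
```

Run with `ansible-playbook -i inventory/cisco.yml --ask-vault-pass show_ip_int_br.yml`. Keeping the password in a vault file means the only secret prompted for interactively is the vault passphrase, and the inventory file itself can be committed without leaking device credentials.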

[ansible@Netauto-Dev new_vlan]$ ansible -m ios_command -e commands='sh ip int br' -i /etc/ansible/inventory/ R-TEST-SNIF -e 'ansible_connection=network_cli' -e 'ansible_network_os=ios' -e 'remote_user=ansible' -k
SSH password:
[WARNING]: Found variable using reserved name: remote_user

R-TEST-SNIF | FAILED! => {
"changed": false,
"msg": "No existing session"

This is my result…

I think I don't understand a couple of things:

  1. Why do you have to remove the SSH keys from the router? Shouldn't it use the SSH keys as the primary method and then fall back to using a password?

  2. What exactly did you do on the Cisco device to remove the keys? (Although I don't believe it is a solution for me, since I can't remove SSH keys on devices in my real network.)

  3. Isn't there a way to do password authentication without removing SSH keys?

I only removed the SSH key to remove pub key authentication from the router. As it's the first authentication protocol used, the ansible command was ignoring the passed-in username/password.
It was for testing only. Your router config does pub key → kbd interactive → password authentication out of the box. If you've got a working SSH key then it won't get to password auth.

I think you’re hitting the bug I mentioned. I did some testing yesterday with pip installs around paramiko and it broke with later versions.

Check your version: pip list | grep paramiko
Try pinning it to 2.0.2: pip install paramiko==2.0.2 (you might need to use sudo with this depending on where you've installed, if you're not root)

Yea you are right. I am hitting this bug and I can’t see myself pulling this off.

I’ll just go with the pubkey method although I wanted to avoid it because I have lots of network devices. But no choice here because Ansible is not going to work without SSH keys on these IOS versions.

FYI,
This code is working perfectly on NXOS switches I’ve got without touching the SSH keys. Also, I read that this bug hits only IOS version 15.7 and below and does not apply on NXOS/IOS-XE/IOS 15.8 or higher.

Thank you Phil and Vladimir for your help. I’ll just go for Public Key authentication.
Peace out <3