Hello guys,
I’m trying to use the ansible_authorized keys to create VMs (with packer and terraform), adding my workspace key to VMs authorized keys.
I think it worked because if I execute ''ssh root@myVM", it connects without asking password.
But when I execute “ansible all -m ping -u root” to that same host, it fails with the error “sshh fails to connect to host via ssh. Permission denied”.
I’m really confused and struggling to understand that, since a raw ssh works and the ansible ssh doesn’t.
What am I missing??
Thanks in advance!
You also add ssh_keys to the same host.
like below
#ssh-copy-id root@loclahost or ssh-copy-id root@127.0.0.1
Thanks
Hi Chen,
AFAIK, ssh-copy-id does exactly what the ansible module ‘authorized_keys’ does, which is copy the desired ssh-key to the server authorized_keys.
If I’m correct, this step is already done, so the problem is something else 
Hi,
ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.
Check host entry in /etc/host file
127.0.0.1 localhost
Check command# ansible localhost -m ping -vv
Thanks.
Hi Chen,
I’m aware of ssh-key gen and ssh-copy-id. The ansible module “authorized_keys” does the ssh-copy-id for me, so I don’t need to run it manually.
The ssh works because when I execute ''ssh root@myAddress", it works perfectly.
The problem is when doing exact the same thing, but with ansible.
As I am aware Ansible always assumes jobs are running SSH keys either local system or remote system.
Thanks.
Hi Chen,
I manage to solve the problem. I need to pass the public key of a different user. In addition, I changed the way to connect to the VMs, since I am using openstack, I configured ansible to use the keypair to connect.
Thanks
Hi Fabio,
I see you found a solution, but this is what I'd recommend doing next time.
Add -vvv and read the resulting output carefully. You can splice the ssh command from Ansible back into the shell to work out what is missing or different to just running ssh@<foo> locally.
Usually this is because the username is different or you’re using a different ssh key than expected.
e.g.:
$ ansible-playbook site.yml --diff --check -vvv
Gathering Facts...
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<www@i09.com> ESTABLISH SSH CONNECTION FOR USER: root
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=30 -tt i09.com 'which -s jailme'
<i09.koan-ci.com> ESTABLISH SSH CONNECTION FOR USER: ansible
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 i09.com '/bin/sh -c '"'"'/usr/local/bin/python2.7 && sleep 0'"'"''
<i09.com> (255, '', 'root@i09com: Permission denied (publickey).\r\n')
...
you can then try `ssh -F ./ssh_config -o ....` until you see what's missing. Check User= first.
I have some further settings in ansible.cfg and a per-customer ssh_config, in a git repo:
# ansible.cfg
[defaults]
inventory = ./hosts.ini
forks = 20
timeout = 30
poll_interval = 15
transport = ssh
retry_files_enabled = False
[ssh_connection]
ssh_args = -F ./ssh_config
pipelining = True
# ssh_config
Host *.i09.com www api beta couchdb cache rabbit vault
UseRoaming no
GSSAPIAuthentication no
KbdInteractiveAuthentication no
ServerAliveInterval 240
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p
ControlPersist 30m
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
SendEnv VAULT_TOKEN
port 2200
user ansible
ForwardAgent yes
Hi Fabio,
can you please clarify how you managed to solve it. I created user ansible, the public keys ID_RSA.pub are stored under /home/ansible/.ssh folders. the ssh-copy-id should copy to target server - client when I run
ssh-copy-id ansible@privateip.
I create same user name ‘ansible’ on remote server.
I get permission denied error.
Hi Arvind,
It was pretty simple 'cause I was messing up the users.
Are you running your playbook with root? Which user you set on your hosts as ansible_user? Are you using become inside your playbooks?
Also, I stopped using ssh, instead I’m using openstack keypair.
And try Dave’s suggestion, it’s very useful:
Hi Fabio,
I see you found a solution, but this is what I’d recommend doing next time.
Add -vvv and read the resulting output carefully. You can splice the ssh command from Ansible back into the shell to work out what is missing or different to just running ssh@ locally.
Usually this is because the username is different or you’re using a different ssh key than expected.
e.g.:
$ ansible-playbook site.yml --diff --check -vvv
Gathering Facts…
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<www@i09.com> ESTABLISH SSH CONNECTION FOR USER: root
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=30 -tt i09.com ‘which -s jailme’
<i09.koan-ci.com> ESTABLISH SSH CONNECTION FOR USER: ansible
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 i09.com ‘/bin/sh -c ‘"’"’/usr/local/bin/python2.7 && sleep 0’“'”‘’
<i09.com> (255, ‘’, ‘root@i09com: Permission denied (publickey).\r\n’)
And finally, if possible, post your playbook.
Hi Fabio,
I am not using the playbook for this particular task, I am creating an ansible control server and client. I am trying to connect from control server to client after generating the ssh keys.
I used ssh-keygen on ubuntu server using ansible user. I am setting a passwordless connection from the ansible control server /localhost to client.
Sorry, couldnt look further.
Could you provide any log of the permission denied you’re getting?