Ansible ssh fails to connect to host via ssh. Permission denied - Raw ssh works

Fabio_Gomes_Sakiyama · October 9, 2018, 1:22am

Hello guys,

I’m trying to use the ansible_authorized keys to create VMs (with packer and terraform), adding my workspace key to VMs authorized keys.
I think it worked because if I execute ''ssh root@myVM", it connects without asking password.

But when I execute “ansible all -m ping -u root” to that same host, it fails with the error “sshh fails to connect to host via ssh. Permission denied”.

I’m really confused and struggling to understand that, since a raw ssh works and the ansible ssh doesn’t.

What am I missing??

Thanks in advance!

chenchireddy_guvvala · October 9, 2018, 1:30am

You also add ssh_keys to the same host.
like below
#ssh-copy-id root@loclahost or ssh-copy-id root@127.0.0.1

Thanks

Fabio_Gomes_Sakiyama · October 9, 2018, 1:33am

Hi Chen,

AFAIK, ssh-copy-id does exactly what the ansible module ‘authorized_keys’ does, which is copy the desired ssh-key to the server authorized_keys.

If I’m correct, this step is already done, so the problem is something else

chenchireddy_guvvala · October 9, 2018, 1:48am

Hi,

ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.

Check host entry in /etc/host file
127.0.0.1 localhost

Check command# ansible localhost -m ping -vv

Thanks.

Fabio_Gomes_Sakiyama · October 9, 2018, 2:05am

Hi Chen,

I’m aware of ssh-key gen and ssh-copy-id. The ansible module “authorized_keys” does the ssh-copy-id for me, so I don’t need to run it manually.

The ssh works because when I execute ''ssh root@myAddress", it works perfectly.
The problem is when doing exact the same thing, but with ansible.

chenchireddy_guvvala · October 9, 2018, 2:47am

As I am aware Ansible always assumes jobs are running SSH keys either local system or remote system.

Thanks.

Fabio_Gomes_Sakiyama · October 9, 2018, 2:16pm

Hi Chen,

I manage to solve the problem. I need to pass the public key of a different user. In addition, I changed the way to connect to the VMs, since I am using openstack, I configured ansible to use the keypair to connect.

Thanks

dch · October 10, 2018, 7:54am

Hi Fabio,

I see you found a solution, but this is what I'd recommend doing next time.

Add -vvv and read the resulting output carefully. You can splice the ssh command from Ansible back into the shell to work out what is missing or different to just running ssh@<foo> locally.

Usually this is because the username is different or you’re using a different ssh key than expected.

e.g.:
$ ansible-playbook site.yml --diff --check -vvv

Gathering Facts...
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<www@i09.com> ESTABLISH SSH CONNECTION FOR USER: root
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=30 -tt i09.com 'which -s jailme'
<i09.koan-ci.com> ESTABLISH SSH CONNECTION FOR USER: ansible
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 i09.com '/bin/sh -c '"'"'/usr/local/bin/python2.7 && sleep 0'"'"''
<i09.com> (255, '', 'root@i09com: Permission denied (publickey).\r\n')
...

you can then try `ssh -F ./ssh_config -o ....` until you see what's missing. Check User= first.

I have some further settings in ansible.cfg and a per-customer ssh_config, in a git repo:

# ansible.cfg
[defaults]
inventory = ./hosts.ini
forks = 20
timeout = 30
poll_interval = 15
transport = ssh
retry_files_enabled = False
[ssh_connection]
ssh_args = -F ./ssh_config
pipelining = True

# ssh_config
Host *.i09.com www api beta couchdb cache rabbit vault
    UseRoaming no
    GSSAPIAuthentication no
    KbdInteractiveAuthentication no
    ServerAliveInterval 240
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p
    ControlPersist 30m
    KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
    SendEnv VAULT_TOKEN
    port 2200
    user ansible
    ForwardAgent yes

Arvind_Thatikonda · November 19, 2018, 10:14pm

Hi Fabio,
can you please clarify how you managed to solve it. I created user ansible, the public keys ID_RSA.pub are stored under /home/ansible/.ssh folders. the ssh-copy-id should copy to target server - client when I run
ssh-copy-id ansible@privateip.
I create same user name ‘ansible’ on remote server.
I get permission denied error.

Fabio_Gomes_Sakiyama · November 19, 2018, 11:48pm

Hi Arvind,

It was pretty simple 'cause I was messing up the users.

Are you running your playbook with root? Which user you set on your hosts as ansible_user? Are you using become inside your playbooks?
Also, I stopped using ssh, instead I’m using openstack keypair.

And try Dave’s suggestion, it’s very useful:

Hi Fabio,

I see you found a solution, but this is what I’d recommend doing next time.

Add -vvv and read the resulting output carefully. You can splice the ssh command from Ansible back into the shell to work out what is missing or different to just running ssh@ locally.

Usually this is because the username is different or you’re using a different ssh key than expected.

e.g.:
$ ansible-playbook site.yml --diff --check -vvv

Gathering Facts…
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<www@i09.com> ESTABLISH SSH CONNECTION FOR USER: root
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=30 -tt i09.com ‘which -s jailme’
<i09.koan-ci.com> ESTABLISH SSH CONNECTION FOR USER: ansible
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 i09.com ‘/bin/sh -c ‘"’"’/usr/local/bin/python2.7 && sleep 0’“'”‘’
<i09.com> (255, ‘’, ‘root@i09com: Permission denied (publickey).\r\n’)

And finally, if possible, post your playbook.

Arvind_Thatikonda · November 19, 2018, 11:56pm

Hi Fabio,
I am not using the playbook for this particular task, I am creating an ansible control server and client. I am trying to connect from control server to client after generating the ssh keys.
I used ssh-keygen on ubuntu server using ansible user. I am setting a passwordless connection from the ansible control server /localhost to client.

Fabio_Gomes_Sakiyama · November 21, 2018, 8:07am

Sorry, couldnt look further.
Could you provide any log of the permission denied you’re getting?

Topic		Replies	Views
ansible fail to work with ssh Ansible Project ubuntu	9	0	March 19, 2019
authorized_key module not working Ansible Project	6	3	February 24, 2016
FAILED => SSH Error: Permission denied (publickey,password). Ansible Project ubuntu	2	1	November 2, 2015
Ansible Failing But SSH Connections are Successful Ansible Project	2	1	October 26, 2017
ansible ping fails, but can SSH to host just fine Ansible Project	1	4	April 8, 2020

Ansible ssh fails to connect to host via ssh. Permission denied - Raw ssh works

Related topics