I successfully created and tested some Ansible playbooks, that’s when ansible_ssh_pass parameter value is the actual password of the ansible_user for the involved server specified in a group in the /etc/ansible/hosts file. But when the ansible_ssh_pass parameter was replaced with its salt encrypt value for security reasons, the playbook run would fail with the server Unreachable. Please advise.
The ansible_ssh_pass parameter is meant to supply the plain text password only.
Anything else ("salt encrypt value" - whatever that may be) won't work.
If you're looking to improve security then move away from password
authentication and start using public key auth.
Dick
Also check out Ansible- Vault for more security.
Daniel,
This is the configuration I have for this server that belongs to the apacheservers group that worked, with the root password explicitly entered in the ansible_ssh_pass parameter.
[apacheservers]
TestRHEL73tr1 ansible_host=XX.X.XX.XXX ansible_port=22 ansible_user=root ansible_ssh_pass=
I tried to use the vault by creating a .vault_pass file with its content ansible_ssh_pass=value of root password, and then ran ansible-playbook CreateTestfile.yml --vault-password-file /root/.vault_pass, but I got this following error message:
Attempted to read “/etc/ansible/hosts” as ini file: /etc/ansible/hosts:16: Expected key=value host variable assignment, got: ansible_ssh_pass
Please help on how to properly use the vault concept in securing ansible playbook run.
Thanks,
Lorenzo
Dick, How can I start using public key auth on Ansible? What’s its procedure/process and the commands to use in running ansible-playbook when using it? - Thanks, Lorenzo
I also want to know if anyone can help on how to fix this problem as even though I put back the plain text password to the ansible_ssh_pass parameter, the playbook run would still fail with the server Unreachable on the server that had the parameter replaced with its salt encrypt value.
I noticed that even now when I enter the plain text password on the ansible_ssh_pass parameter for the server in the /etc/ansible/hosts file, I would still get the same error message on playbook run when I attempted to use the vault. Can someone help on how this can be resolved so at least I can run the playbook like before with the plain text password on ansible_ssh_pass parameter.
I tried to use the vault by creating a .vault_pass file with its content ansible_ssh_pass=value of root password, and then ran ansible-playbook CreateTestfile.yml --vault-password-file /root/.vault_pass, but I got this following error message:
Attempted to read “/etc/ansible/hosts” as ini file: /etc/ansible/hosts:16: Expected key=value host variable assignment, got: ansible_ssh_pass
To clarify some terms:
‘vault password’: A password used by vault to encrypt/decrypt content.
‘passwords stored in vault’: A password for something like a user auth or ssh private keys, that is stored in a vault (encrypted with ansible-vault and a vault password)
–vault-password-file is for reading a ‘vault password’ from a file. ie, a password used by vault
for decrypting/encrypting.
ansible_ssh_pass would need to be populated from a variable in a vault encrypted vars file (or inventory file) for that example.
But that is the wrong approach.
The right approach is:
Use ssh keys and ssh-agent instead of trying to store the password in ansible.
A working key based ssh and ssh-agent setup is a prerequisite for practical ansible use.
Please provide the procedure on how to add ssh-agent and ssh keys to the client with reference to Ansible control machine. My research on this task is not productive. - Thanks, Lorenzo
Working with SSH keys and agents is considered a basic sysadmin skill
and and a prerequisite for ansible, so if this turns out to be
problematic then
it's a good idea to get familiar with this first.
This list isn't the right place for that, but the topic is thoroughly
documented on numerous places on the internet.
I found a way to generate key pair using RSA on Ansible control machine, copied the public key to the client’s /.ssh/authorized_keys. When I run a playbook, it prompts me for the password I used to protect the private key. I followed the SSH Agent Forwarding with Ansible notes by configuring the ssh_args parameter in the /etc/ansible/ansible.cfg file and the SSH_AUTH_SOCK Defaults parameter in the /etc/sudoers file of the client; but I’m still getting prompted with the password for private key on playbook run. What’s the procedure to make the playbook run passwordless? - Thanks, Lorenzo
There’s not much documentation on this procedure man. I tried to set it up and failed. However, I don’t have a Cert server so I tried using a SSL cert. Here are a couple of links I found that will give you some where to start.
https://github.com/ansible/ansible/issues/16243
http://www.hurryupandwait.io/blog/certificate-password-less-based-authentication-in-winrm
The directions are for a remote PS from Windows to Windows. The Ansible side is easy most of the setup is on the Windows Host…