Hello,
I already asked the support, but they said that 2FA is not supported yet.
I tried it with Ansible Tower and with Ansible alone, but there is no way to make it work.
In my test environment I used two Debian 8.3 servers with Duo Unix (https://duo.com/docs/duounix#linux-distribution-packages).
I found that when I comment out this line in /etc/ssh/sshd_config:
AuthenticationMethods publickey,keyboard-interactive
it works, but the line is necessary for Duo.
The output of Tower:
`
<192.168.1.22> ESTABLISH SSH CONNECTION FOR USER: ansible
<192.168.1.22> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=6448 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansibleupd -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_s7mKlq/cp/ansible-ssh-%h-%p-%r -tt 192.168.1.22 ‘/bin/sh -c ‘"’"’( umask 22 && mkdir -p “echo $HOME/.ansible/tmp/ansible-tmp-1456663535.16-219210006639418
” && echo “echo $HOME/.ansible/tmp/ansible-tmp-1456663535.16-219210006639418
” )‘"’"‘’
fatal: [192.168.1.22]: UNREACHABLE! => {“changed”: false, “msg”: “SSH encountered an unknown error. The output was:\nOpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for \r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/tmp/ansible_tower_s7mKlq/cp/ansible-ssh-192.168.1.22-22-ansible" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to 192.168.1.22 [192.168.1.22] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 9979 ms remain after connect\r\ndebug1: identity file /var/lib/awx/.ssh/id_rsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_rsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_dsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_dsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ecdsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ecdsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ed25519 type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u1\r\ndebug1: match: OpenSSH_6.7p1 Debian-5+deb8u1 pat OpenSSH compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: load_hostkeys: loading entries for host "[192.168.1.22]:22" from file "/var/lib/awx/.ssh/known_hosts"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: 
ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: 
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com\r\ndebug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: mac_setup: setup 
hmac-sha1-etm@openssh.com\r\ndebug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com zlib@openssh.com\r\ndebug2: mac_setup: setup hmac-sha1-etm@openssh.com\r\ndebug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com zlib@openssh.com\r\ndebug1: sending SSH2_MSG_KEX_ECDH_INIT\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: ECDSA bf:76:fe:be:e0:c7:93:96:2e:56:b6:91:72:8f:24:9b\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: load_hostkeys: loading entries for host "[192.168.1.22]:22" from file "/var/lib/awx/.ssh/known_hosts"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: load_hostkeys: loading entries for host "[192.168.42.4]:6448" from file "/var/lib/awx/.ssh/known_hosts"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug1: Host ‘[192.168.42.4]:6448’ is known and matches the ECDSA host key.\r\ndebug1: Found key in /var/lib/awx/.ssh/known_hosts:13\r\ndebug1: ssh_ecdsa_verify: signature correct\r\ndebug2: kex_derive_keys\r\ndebug2: set_newkeys: mode 1\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug2: set_newkeys: mode 0\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug1: SSH2_MSG_SERVICE_REQUEST sent\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug2: key: /tmp/ansible_tower_s7mKlq/credential (0x7f656db6aa60),\r\ndebug2: key: /var/lib/awx/.ssh/id_rsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_dsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: publickey\r\ndebug3: start over, passed a different list publickey\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup 
publickey\r\ndebug3: remaining preferred: ,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Offering RSA public key: /tmp/ansible_tower_s7mKlq/credential\r\ndebug3: send_pubkey_test\r\ndebug2: we sent a publickey packet, wait for reply\r\ndebug1: Server accepts key: pkalg ssh-rsa blen 277\r\ndebug2: input_userauth_pk_ok: fp 5b:ae:81:a1:27:f1:c8:26:40:f5:9e:bc:d7:77:f9:ef\r\ndebug3: sign_and_send_pubkey: RSA 5b:ae:81:a1:27:f1:c8:26:40:f5:9e:bc:d7:77:f9:ef\r\nAuthenticated with partial success.\r\ndebug2: key: /tmp/ansible_tower_s7mKlq/credential (0x7f656db6aa30),\r\ndebug2: key: /var/lib/awx/.ssh/id_rsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_dsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: keyboard-interactive\r\ndebug3: start over, passed a different list keyboard-interactive\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug1: No more authentication methods to try.\r\nPermission denied (keyboard-interactive).\r\n”, “unreachable”: true}
to retry, use: --limit @ansible_apt.retry
PLAY RECAP *********************************************************************
192.168.1.22 : ok=0 changed=0 unreachable=1 failed=0
`
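
Added example, not part of the original post: a small Python check that reads `ssh -vvv` output like the log above and reports which methods the server still required that the client's `preferred` list never contained. The function name `diagnose` is hypothetical, and the sample is an excerpt constructed from the auth-related lines of the posted log.

```python
import re

# Constructed excerpt: the auth-related lines of the posted log, kept in the
# literal "\r\n"-escaped form that Ansible prints inside "msg".
SAMPLE = (
    r"debug1: Authentications that can continue: publickey\r\n"
    r"debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\n"
    r"debug1: Next authentication method: publickey\r\n"
    r"Authenticated with partial success.\r\n"
    r"debug1: Authentications that can continue: keyboard-interactive\r\n"
    r"debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\n"
    r"debug1: No more authentication methods to try.\r\n"
    r"Permission denied (keyboard-interactive).\r\n"
)

def diagnose(debug_output):
    """Summarise an ssh -vvv auth exchange: what the server last asked for
    and which of those methods the client was not configured to try."""
    # Accept both real newlines and the escaped form found in Ansible's JSON.
    text = debug_output.replace("\\r\\n", "\n").replace("\\n", "\n")
    lines = [l.strip() for l in re.split(r"\r?\n", text)]
    preferred, server_wants, partial = set(), [], False
    for line in lines:
        if line.startswith("debug3: preferred "):
            # Client side: the effective PreferredAuthentications list.
            preferred = set(filter(None, line.split(" ", 2)[2].split(",")))
        elif line.startswith("debug1: Authentications that can continue: "):
            # Server side: methods it will still accept at this point.
            server_wants = line.split(": ", 2)[2].split(",")
        elif line == "Authenticated with partial success.":
            # One method of a multi-step AuthenticationMethods chain passed.
            partial = True
    denied = any(l.startswith("Permission denied") for l in lines)
    missing = [m for m in server_wants if m not in preferred] if denied else []
    return {"partial_success": partial, "denied": denied,
            "server_wants": server_wants, "client_missing": missing}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On the excerpt this reports `keyboard-interactive` as missing after a partial success: the key was accepted, but the second step demanded by `AuthenticationMethods publickey,keyboard-interactive` is excluded by the `KbdInteractiveAuthentication=no` and `PreferredAuthentications` options visible in the `SSH: EXEC` line.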