I'm trying to run commands against a remote host and even a simple ad hoc ping fails, with the error '"/bin/sh" isn't allowed to be executed'. The error message changes to '/bin/bash' when I add "executable = /bin/bash" in ansible.cfg. Adding the -b switch makes no difference. When logging in manually via ssh with the same user/key combination, it works just fine. The system in question is SLES11 and runs Python 2.6.
It would help if you showed the commands attempted and the full error, even using -vvv to make the output verbose.
Hi Brian,
The command and output is below.
The thing that I find odd is that, to the best of my knowledge, ansible uses the ssh client config of the user by default. The same user that runs ansible (root in this case) gets the correct username (not root) and SSH key from ~/.ssh/config and is able to log in to the host against which the ad hoc play is run. I'm wondering if there's something funny about this host.
root@WDFN34201151A:/mnt/c/Users/user/Documents/Projects/Ansible_Playbooks/Automation# ansible -vvv -m ping control
Using /mnt/c/Users/D069683/Documents/Projects/Ansible_Playbooks/Automation/ansible.cfg as config file
META: ran handlers
Using module file /root/.local/lib/python2.7/site-packages/ansible/modules/system/ping.py
<clts.rot.od.sap.biz> ESTABLISH SSH CONNECTION FOR USER: user
<clts.rot.od.sap.biz> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=user -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/7dd2444b86 clts '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<clts.rot.od.sap.biz> (1, '', '\n"/bin/sh" isn't allowed to be executed.\n')
ESTABLISH SSH CONNECTION FOR USER: user
SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=user -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/7dd2444b86 clts.rot.od.sap.biz '/bin/sh -c '"'"'( umask 77 && mkdir -p "echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199
" && echo ansible-tmp-1499884456.62-175962548351199="echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199
" ) && sleep 0'"'"''
(1, '', '"/bin/sh" isn't allowed to be executed.\n')
clts | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199
\" && echo ansible-tmp-1499884456.62-175962548351199=\"echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199
\" ), exited with result 1",
    "unreachable": true
}
root@WDFN34201151A:/mnt/c/Users/user/Documents/Projects/Ansible_Playbooks/Automation#
I think I've figured out what is causing the issue. I don't know what to do to solve the issue. Sudosh has been configured to only allow certain commands via remote shell. On a test system running more or less the same setup I can configure sudosh (/etc/sudosh.conf) to allow all commands. I don't want to do that on this machine as it would undermine security. I'd rather figure out what Ansible needs and request that. Any ideas what commands would need to be allowed to let Ansible do its thing?
Ansible runs arbitrary code/commands (modules), so when using privilege escalation it does not support restrictive setups; see the docs: http://docs.ansible.com/ansible/become.html
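As an added illustration of the diagnosis in this thread (example code written for this page, not part of Ansible or of any poster's setup), the script below parses `ansible -vvv` output of the kind shown above and lists, per SSH exec, which remote shell Ansible asked for (`/bin/sh`, or whatever `executable` is set to), the command string it handed to that shell, and the exit status and stderr the target returned. The sample log is constructed to mirror the thread (host name `clts.example`, the shortened tmp path and the second command's success are assumptions); the quoting (`'"'"'`) is the form Ansible uses to pass the command through ssh, and a command that wraps onto a following line, as in the second exec above, is re-joined until the quoting closes. Note that this only tells you which invocations one particular run attempted; since modules are arbitrary code, the set of shells and commands seen here is not a complete allowlist.

```python
import ast
import re
import shlex

# Constructed sample of `ansible -vvv` output, modelled on the thread above.
# Host name, tmp path and the second command's result are assumptions, not a real capture.
SAMPLE_VVV = r"""
<clts.example> ESTABLISH SSH CONNECTION FOR USER: user
<clts.example> SSH: EXEC ssh -C -o ControlMaster=auto -o User=user clts.example '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<clts.example> (1, '', '"/bin/sh" isn\'t allowed to be executed.\n')
<clts.example> ESTABLISH SSH CONNECTION FOR USER: user
<clts.example> SSH: EXEC ssh -C -o ControlMaster=auto -o User=user clts.example '/bin/bash -c '"'"'( umask 77 && mkdir -p "`echo ~/.ansible/tmp/ansible-tmp-1`"
 ) && sleep 0'"'"''
<clts.example> (0, 'ansible-tmp-1=/home/user/.ansible/tmp/ansible-tmp-1\n', '')
"""

EXEC_RE = re.compile(r"^<(?P<host>[^>]+)> SSH: EXEC (?P<argv>ssh .*)$")
# Ansible prints the result as a Python tuple: (rc, stdout, stderr)
RESULT_RE = re.compile(r"^<(?P<host>[^>]+)> (?P<tuple>\(\d+, .*\))$")


def parse_vvv(text):
    """Pair each 'SSH: EXEC' line with the '(rc, stdout, stderr)' line that follows it.

    Returns a list of dicts: host, the remote shell ssh was told to run, the
    command string given to that shell via -c, and the rc/stderr it produced
    (rc is None if no result line followed the exec).
    """
    records = []
    pending_host = pending_argv = None
    for line in text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            pending_host, pending_argv = m.group("host"), m.group("argv")
        elif pending_argv is not None:
            # The command wrapped onto the next line: keep accumulating.
            pending_argv += "\n" + line
        if pending_argv is not None:
            try:
                argv = shlex.split(pending_argv)   # undoes the '"'"' quoting
            except ValueError:
                continue                           # quote not closed yet
            remote = shlex.split(argv[-1])         # e.g. ['/bin/sh', '-c', 'echo ~ && sleep 0']
            records.append({"host": pending_host, "shell": remote[0],
                            "command": remote[-1], "rc": None, "stderr": None})
            pending_argv = None
            continue
        m = RESULT_RE.match(line)
        if m and records and records[-1]["rc"] is None:
            rc, _stdout, stderr = ast.literal_eval(m.group("tuple"))
            records[-1].update(rc=rc, stderr=stderr)
    return records


def blocked_commands(records):
    """(shell, command, stderr) for every invocation the target refused (rc != 0)."""
    return [(r["shell"], r["command"], r["stderr"])
            for r in records if r["rc"] not in (0, None)]


def required_shells(records):
    """Shell binaries Ansible tried to execute on the target in this run."""
    return {r["shell"] for r in records}


if __name__ == "__main__":
    recs = parse_vvv(SAMPLE_VVV)
    for shell, command, stderr in blocked_commands(recs):
        print("REFUSED %s -c %r: %s" % (shell, command, stderr.strip()))
    print("shells this run needed:", sorted(required_shells(recs)))
```

Run it against a saved `ansible -vvv ... > run.log` by reading the file into `parse_vvv`; a `"/bin/sh" isn't allowed to be executed` line in the REFUSED output pins the failure on the remote shell wrapper rather than on SSH authentication, which is what the misleading UNREACHABLE message in the thread obscures.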