Hi Ansible Gurus,
I’m trying to automate some of my manual tasks on a VM.
As part of that my VM doesn’t have direct root access.
So I have to use a different user and then escalate to root.
When I try to switch to root user, the password prompt is different than the default prompt.
The prompt I see is as shown below
Ramu,
I’m not sure how you are executing the playbook. There are flags that are required to prompt for privilege escalation credentials. The flag "--ask-become-pass" or "-K" will provide a prompt for entering the su password.
For example, when I run certain playbooks I run
ansible-playbook path/to/some/playbook.yml -Kku username
This is:
-K : su password
-k : ssh password
-u : user to connect as
The privilege escalation will not pick up the variable you have written into your playbook and use that to escalate.
I hope this helps clear this up some.
Hi Patrick,
Thanks for the kind response.
I’m passing the su password in my playbook itself using the vars
ansible_become_pass: "r00t"
And I tried the option of passing it using -K.
Thanks,
Ramu
Ramu,
Are you able to run the following ad-hoc ansible command (replacing "<username>" with the actual username)?
ansible vm-1 -m ping -kKu <username> -b --become-method=su --become-user=root
This should prompt you for the SSH password and then the SU password.
You should get output similar to below:
vm-1 | SUCCESS => { "changed": false, "ping": "pong" }
This is a simple way that I am able to check connections and privilege escalation. If this succeeds we may need to look at how you launch the playbook, or perhaps a closer look at the playbook itself.
Let me know, Thanks!
Hi Patrick,
Once again thanks for the response.
I tried that and it failed with the same error.
Here is the output:
Hmmm…
Ok, so I’m getting stumped here.
Reading back on your original post; are you able to become the root user manually (not using ansible, but logging in via SSH with the user and then running su - root)?
You may need to correct permissions on the server before being able to escalate privileges with Ansible. Is the user part of the wheel group?
Thanks,
Patrick
Hi Patrick,
Yes. I’m able to login manually and become root.
Below is the output.
Here you are logged in as user1, but in this previous example you are using the user rdb
root@ubuntu:/var/tmp/# ansible vm-1 -m ping -kKu rdb -b --become-method=su --become-user=root
SSH password:
SU password[defaults to SSH password]:
oam2 | FAILED! => {
"msg": "Timeout (12s) waiting for privilege escalation prompt: "
}
Ref the "-u rdb" in the above command.
You would need to login with the same user, rdb, to check if you can do su with that user.
If that works, you need to add -vvvv to your ansible command so that Ansible outputs connection information.
Kai,
Yes, I logged in with the correct user; that was a copy-paste error.
Here is the verbose output.
<1.2.3.4> (0, 'ansible-tmp-1533072148.28-279979573550115=/home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115\n', 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 15640\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/system/ping.py
<1.2.3.4> PUT /root/.ansible/tmp/ansible-local-15625S_C9qw/tmpLOijTW TO /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py
<1.2.3.4> SSH: EXEC sshpass -d12 sftp -o BatchMode=no -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=rdb -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/de671cab3f '[1.2.3.4]'
<1.2.3.4> (0, 'sftp> put /root/.ansible/tmp/ansible-local-15625S_C9qw/tmpLOijTW /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py\n', 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 15640\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug2: Remote version: 3\r\ndebug2: Server supports extension "posix-rename@openssh.com" revision 1\r\ndebug2: Server supports extension "statvfs@openssh.com" revision 2\r\ndebug2: Server supports extension "fstatvfs@openssh.com" revision 2\r\ndebug2: Server supports extension "hardlink@openssh.com" revision 1\r\ndebug2: Server supports extension "fsync@openssh.com" revision 1\r\ndebug3: Sent message fd 5 T:16 I:1\r\ndebug3: SSH_FXP_REALPATH . -> /home/rdb size 0\r\ndebug3: Looking up /root/.ansible/tmp/ansible-local-15625S_C9qw/tmpLOijTW\r\ndebug3: Sent message fd 5 T:17 I:2\r\ndebug3: Received stat reply T:101 I:2\r\ndebug1: Couldn't stat remote file: No such file or directory\r\ndebug3: Sent message SSH2_FXP_OPEN I:3 P:/home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py\r\ndebug3: Sent message SSH2_FXP_WRITE I:4 O:0 S:32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 4 32768 bytes at 0\r\ndebug3: Sent message SSH2_FXP_WRITE I:5 O:32768 S:32768\r\ndebug3: Sent message SSH2_FXP_WRITE I:6 O:65536 S:302\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 5 32768 bytes at 32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 6 302 bytes at 65536\r\ndebug3: Sent message SSH2_FXP_CLOSE I:4\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<1.2.3.4> ESTABLISH SSH CONNECTION FOR USER: rdb
<1.2.3.4> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=rdb -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ControlPath=/root/.ansible/cp/de671cab3f 1.2.3.4 '/bin/sh -c '"'"'chmod u+x /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py && sleep 0'"'"''
<1.2.3.4> (0, '', 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 15640\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<1.2.3.4> ESTABLISH SSH CONNECTION FOR USER: rdb
<1.2.3.4> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=rdb -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ControlPath=/root/.ansible/cp/de671cab3f -tt 1.2.3.4 '/bin/sh -c '"'"'su root -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-uoqicabaewvrilicfbsweoportlzqwse; /usr/bin/python /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"''"'"'"'"'"'"'"'"'"'"'"'"' && sleep 0'"'"''
oam2 | FAILED! => {
Unfortunately it didn't give any more information.
sshpass just looks for "assword:" to determine when it should provide the password for ssh.
I thought that Ansible did that for the su prompt as well, but I was wrong after looking at the source code.
It has support for a bunch of languages, but the prompt needs to be "<some_word>'s password" or "password" for English, and it's case-insensitive.
So your prompt "Enter login password:" will not work.
There is no way of configuring this. Patching Ansible to make it work isn't hard, but then you would need to maintain your own Ansible version.
Correction: the strings must be "<some_word>'s password: " or "password: ".
Hi all, I am facing an error in AWS, please help.
[root@server2 ~]# ssh -i bhadra.pem ec2-user@ec2-50-112-6-190.us-west-2.compute.amazonaws.com
The authenticity of host 'ec2-50-112-6-190.us-west-2.compute.amazonaws.com (50.112.6.190)' can't be established.
ECDSA key fingerprint is 1f:1b:6b:13:d2:7a:b5:a4:4b:78:84:b7:98:05:ab:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-50-112-6-190.us-west-2.compute.amazonaws.com,50.112.6.190' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'bhadra.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: bhadra.pem
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Thanks Kai.
Yes, it looks like the file "play_context.py" has hard-coded the prompt to contain something from the list below:
# TODO: needs to be configurable
b_SU_PROMPT_LOCALIZATIONS = [
    to_bytes('Password'),
    to_bytes('암호'),
    to_bytes('パスワード'),
    to_bytes('Adgangskode'),
    to_bytes('Contraseña'),
    to_bytes('Contrasenya'),
    to_bytes('Hasło'),
    to_bytes('Heslo'),
    to_bytes('Jelszó'),
    to_bytes('Lösenord'),
    to_bytes('Mật khẩu'),
    to_bytes('Mot de passe'),
    to_bytes('Parola'),
    to_bytes('Parool'),
    to_bytes('Pasahitza'),
    to_bytes('Passord'),
    to_bytes('Passwort'),
    to_bytes('Salasana'),
    to_bytes('Sandi'),
    to_bytes('Senha'),
    to_bytes('Wachtwoord'),
    to_bytes('ססמה'),
    to_bytes('Лозинка'),
    to_bytes('Парола'),
    to_bytes('Пароль'),
    to_bytes('गुप्तशब्द'),
    to_bytes('शब्दकूट'),
    to_bytes('సంకేతపదము'),
    to_bytes('හස්පදය'),
    to_bytes('密码'),
    to_bytes('密碼'),
    to_bytes('口令'),
]
This leaves the flexibility of customization.
Rather, Ansible should provide an option to specify custom prompt messages. As we can see, there is a TODO note in the code.
Maybe we need to raise this as an issue to the Ansible team.
Thanks,
Ramu
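To make the matching rule from Kai's message and the play_context.py list above concrete, here is an added Python example (my reconstruction, not Ansible's own code) that rebuilds the prompt matcher from a subset of that list and classifies a few constructed prompts, including the thread's "Enter login password:".

```python
import re

# Added reconstruction (not Ansible's own file) of the su prompt check in
# play_context.py discussed above. Only a subset of the page's
# b_SU_PROMPT_LOCALIZATIONS list is embedded; the real list is longer.
SU_PROMPT_LOCALIZATIONS = [
    "Password",       # English
    "Passwort",       # German
    "Mot de passe",   # French
    "Contraseña",     # Spanish
    "Пароль",         # Russian
    "密码",           # Simplified Chinese
]


def build_su_prompt_regex(localizations):
    """Build the matcher: optional "<word>'s " prefix, one localized word,
    optional space, an ASCII or fullwidth colon, optional trailing space.
    Matching is case-insensitive, as in Ansible."""
    alternatives = b"|".join(
        rb"(\w+'s )?" + word.encode("utf-8") for word in localizations
    )
    pattern = b"(" + alternatives + b")" + " ?(:|：) ?".encode("utf-8")
    return re.compile(pattern, flags=re.IGNORECASE)


SU_PROMPT_RE = build_su_prompt_regex(SU_PROMPT_LOCALIZATIONS)


def check_su_prompt(b_output):
    """True if the remote output *starts* with a recognised su prompt.
    re.match anchors at offset 0, so leading words such as "Enter login"
    make the prompt unrecognisable and Ansible times out waiting."""
    return bool(SU_PROMPT_RE.match(b_output))


def classify_prompts(prompts):
    """Map each candidate prompt string to whether Ansible would accept it."""
    return {p: check_su_prompt(p.encode("utf-8")) for p in prompts}


if __name__ == "__main__":
    # Constructed sample prompts, including the one from the original post.
    samples = ["Password: ", "root's password: ", "PASSWORD:", "密码：",
               "Mot de passe : ", "Enter login password: "]
    for prompt, ok in classify_prompts(samples).items():
        print(f"{prompt!r:26} -> {'recognised' if ok else 'not recognised'}")
```

Newer Ansible releases expose this list as the su become plugin's prompt_l10n option, which is the configurability the TODO asks for.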
Hi Badra,
To your question: the SSH key permissions should be 600. In your case they are set to 644.
Please change them to 600 using: chmod 0600 bhadra.pem
And try running the play.
Also please change the subject.
regards,
Ramu