How does Ansible know what account to use for the SSH connection and sudo

I do not understand how this example works for user foo

If I have not stated the user account to use for the ssh connection within the command line using: ansible_ssh_user=foo
or the Ansible host file: /etc/ansible/hosts

Is the current user account used as the ssh connection to a remote server if not specified on the command line or within the file: /etc/ansible/hosts ?

If so, does the logic for which user account to use for the ssh connection go like this:

Use the current user account, unless specified in the command line using command: ansible_ssh_user=foo
and if not specified in the /etc/ansible/hosts file as: ansible_ssh_user=foo

Ansible Local Server           Remote server
local-01                       remote-01

Local User foo → ssh →         Remote user foo

So in this example:
(1) Local user running /usr/bin/ansible is foo
(2) Remote user is an account on the remote box remote-01 which is also named foo
(3) sudoing will sudo to the remote account foo. Which as you say is a no-op.

Server local-01
[root@local-01 /]# grep sudo_user /etc/ansible/ansible.cfg
sudo_user = root
[root@local-01 /]# cat /etc/ansible/hosts
[servers]
remote-01
[root@local-01 /]#

Ansible command
[root@local-01 ~]# su - foo
[foo@local-01 ~]$ ssh foo@remote-01 whoami
foo
[foo@local-01 ~]$ ansible remote-01 -m command -a "whoami"
remote-01 | success | rc=0 >>
foo
[foo@local-01 ~]$

Question
How does the above Ansible command work if I have not specified the user account for the SSH connection or the local user account either within
the command line, /etc/ansible/ansible.cfg or within the file /etc/ansible/hosts ?

Is this not the function of the parameters ansible_ssh_user and ansible_sudo_user ?

Should I not need to specify this: ansible_ssh_user=foo ?
Even if I do not need this: ansible_sudo_user=foo ?

I do not understand how this example works for user foo

If I have not stated the user account to use for the ssh connection within
the command line using: ansible_ssh_user=foo
or the Ansible host file: /etc/ansible/hosts

Is the current user account used as the ssh connection to a remote server if
not specified on the command line or within the file: /etc/ansible/hosts ?

Correct.

If so, does the logic for which user account to use for the ssh connection
go like this:

Use the current user account, unless specified in the command line using
command: ansible_ssh_user=foo

Via the command line:
* for /usr/bin/ansible use: -u foo
  /usr/bin/ansible rhel7-test -u ansibletest1 -a whoami
* for /usr/bin/ansible-playbook you can use -u foo if nothing else is
setting the user (not in /etc/ansible/hosts or the playbook). If you
really want to override what's specified in hosts or the playbook use
-e ansible_ssh_user=foo:
  ansible-playbook test.yml -v -e 'ansible_ssh_user=ansibletest1'

and if not specified in the /etc/ansible/hosts file as:
ansible_ssh_user=foo

Ansible Local Server           Remote server
local-01                       remote-01
---------------------------    --------------------
Local User foo --> ssh -->     Remote user foo

So in this example:
(1) Local user running /usr/bin/ansible is foo
(2) Remote user is an account on the remote box remote-01 which is also
named foo
(3) sudoing will sudo to the remote account foo. Which as you say is a
no-op.

#3 is only true if you've specified that foo is the sudo_user
somewhere (for instance in ansible.cfg).
Otherwise you'll be sudo'ing to root.

Server local-01
[root@local-01 /]# grep sudo_user /etc/ansible/ansible.cfg
sudo_user = root
[root@local-01 /]# cat /etc/ansible/hosts
[servers]
remote-01
[root@local-01 /]#

Ansible command
[root@local-01 ~]# su - foo
[foo@local-01 ~]$ ssh foo@remote-01 whoami
foo
[foo@local-01 ~]$ ansible remote-01 -m command -a "whoami"
remote-01 | success | rc=0 >>
foo
[foo@local-01 ~]$

<nod> This is all correct. I see that you pointed out that sudo_user
= root in ansible.cfg. So just in case you're wondering, ansible does
not sudo unless you tell it to. That would look something like this:

[foo@local-01 ~]$ ansible remote-01 -m command -a "whoami" --sudo -K
sudo password:
remote-01 | success | rc=0 >>
root

Question
How does the above Ansible command work if I have not specified the user
account for the SSH connection or the local user account either within
the command line, /etc/ansible/ansible.cfg or within the file
/etc/ansible/hosts ?

The default for ansible (and for ssh) is to use the username that you
are logged in locally as.

Is this not the function of the parameters ansible_ssh_user and
ansible_sudo_user ?

ansible_ssh_user (in /etc/ansible/hosts or another inventory file)
overrides that, yes.

ansible_sudo_user specifies which user to sudo to once you've ssh'd
into the remote box.

Should I not need to specify this: ansible_ssh_user=foo ?
Even if I do not need this: ansible_sudo_user=foo ?

In most people's environments they have the same username on all of
their boxes. So those people don't need to set ansible_ssh_user. If
you are using different usernames on the local and remote box then you
do need to set ansible_ssh_user so that ansible knows which account it
needs to ssh into on the remote machine.

-Toshio

Got it.

Thank you tkuratomi for the very informative answer.
Cheers

Note that if you are using ssh transport (not sure about Paramiko), and you have a matching host in ssh_config with a User line, that will be used.

So given that ~you/.ssh/config contains

Host myhost
User root

and you invoke the following as you

ansible myhost -a whoami

…Ansible will connect as root

Hi, this bit is not correct: “…Ansible will connect as root”

That did confuse me as there does not seem to be any documentation for using different user accounts and how they interact with Ansible.

In my example above, the user account that Ansible uses to connect as is the foo user.

My example does the following:
Running the Ansible command as user foo on the local server local-01
User foo on the local Ansible server local-01, connects as user foo using SSH to the remote server remote-01 and reports back that it is logged in as user foo

Ansible just calls ssh and sudo; it works the same as those tools do
because it uses those tools.

If you run ssh as 'foo' on the local server and do not specify a
remote user to connect as, ssh will use foo as the login user on the
remote machine. Ansible does exactly the same.

Thank you Brian. Question resolved.
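
The lookup order described in this thread, modelled as an added example (not code from any poster or from Ansible itself): extra vars, then inventory, then -u, then a matching ssh_config User when the ssh transport is used, then the local login name. The function names are hypothetical, and treating Paramiko as ignoring ssh_config is an assumption the thread leaves open; the last function lists hosts that would be reached as root only because of an ssh_config entry.

```python
import fnmatch

def ssh_config_user(config_text, host):
    """First User value ssh would obtain for host, or None (no Match/Include support)."""
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            pats = value.split()
            hit = any(fnmatch.fnmatchcase(host, p) for p in pats if not p.startswith("!"))
            veto = any(fnmatch.fnmatchcase(host, p[1:]) for p in pats if p.startswith("!"))
            active = hit and not veto
        elif key == "user" and active:
            return value  # ssh keeps the first value it finds for an option
    return None

def effective_remote_user(host, local_user, extra_vars_user=None, inventory_user=None,
                          cli_user=None, ssh_config="", transport="ssh"):
    """Return (user, source) following the order described in the thread."""
    from_ssh = ssh_config_user(ssh_config, host) if transport == "ssh" else None
    candidates = [
        ("-e ansible_ssh_user", extra_vars_user),
        ("inventory ansible_ssh_user", inventory_user),
        ("-u", cli_user),
        ("ssh_config User", from_ssh),
        ("local login user", local_user),
    ]
    return next((user, src) for src, user in candidates if user)

def implicit_root_hosts(hosts, local_user, ssh_config):
    """Hosts that would be reached as root only because of ssh_config."""
    flagged = []
    for host in hosts:
        user, src = effective_remote_user(host, local_user, ssh_config=ssh_config)
        if user == "root" and src == "ssh_config User":
            flagged.append(host)
    return flagged

# Constructed sample mirroring the ~/.ssh/config shown in the thread.
SAMPLE_SSH_CONFIG = """
Host myhost
    User root
"""

if __name__ == "__main__":
    print(effective_remote_user("remote-01", "foo"))
    print(effective_remote_user("myhost", "you", ssh_config=SAMPLE_SSH_CONFIG))
    print(implicit_root_hosts(["myhost", "remote-01"], "you", SAMPLE_SSH_CONFIG))
```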