How to solve unattended Ansible provisioning of nodes on CentOS 7.x from within automated script

Hi

I have an automated script launched from an Azure ARM template. It runs on a master node and invokes Ansible to deploy configurations on nodes.

The question is how to make Ansible function unattended, i.e. without ssh blocking on a pass-phrase prompt or failing because id_rsa has a blank pass-phrase.

THE SCRIPT WILL FAIL NO MATTER WHAT - because SSH expects a private key to be protected by a passphrase.

The ask for help is:

  • what setting in sshd_config on the node (or ssh_config on the master) will allow one of the following:
      • ssh not skipping the blank-pass-phrase id_rsa private key,
        or
      • ssh taking a pass-phrase-protected id_rsa key but continuing without asking for the pass-phrase;
  • or is there a way to configure Ansible to use ssh with pass-phrase-protected private keys without blocking in the "enter passphrase" prompt?

The script runs inside the automation engine and can't use passphrase-protected private keys, because no-one is there to enter the id_rsa passphrase.
The tricks with ssh-agent and ssh-add fed a password won't work in the real case (tried), because ansible is invoked with runuser -l -c "" and these are therefore "child" sessions
(it works for a very simple case: using a non-blank-passphrase id_rsa and the ssh-add-pass expect script to feed ssh-add the password automatically, "ansible all -m ping -v" is all green in that session, but this won't help).

The private / public keys have been generated externally and already set on master and nodes by the Azure Agent before the Ansible script runs.

Tried multiple simple variants on the master, using something like ssh -vvv -i <id_rsa key> -E <node 0 IP>. The keys are generated externally and imported on the master (private key) and into authorized_keys on the nodes (.pub).

  1. Set BatchMode to yes in ssh_config on the master and use blank passphrase id_rsa

  2. Set BatchMode to yes in ssh_config on the master and use non blank passphrase id_rsa

  3. Set BatchMode to no in ssh_config on the master and use blank passphrase id_rsa

  4. Set BatchMode to no in ssh_config on the master and use non blank passphrase id_rsa

Test cases 1) and 2) will silently fail. Test case 3) will keep asking for a passphrase and will fail. Test case 4) obviously works after prompting for the passphrase.

Here are some excerpts from the traces.

1)…

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

2)…

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./id_rsa_wpass_on_node0
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:C/iGE4IdHhDGZKLeQaoEJkkRTOXbYoj3z3yJMYn3ogA
debug3: sign_and_send_pubkey: RSA SHA256:C/iGE4IdHhDGZKLeQaoEJkkRTOXbYoj3z3yJMYn3ogA
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

3)… prompted "Enter passphrase for key '.ssh/id_rsa':"; pressing Enter gives

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: .ssh/id_rsa
debug2: no passphrase given, try next key
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

4)… prompted "Enter passphrase for key './id_rsa_wpass_on_node0':"; entering the passphrase works:
    Last login: Sun Aug 5 19:03:30 2018 from 10.1.0.5
    [clusteradmin@ostest-node-0 ~]$

debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./id_rsa_wpass_on_node0
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:C/iGE4IdHhDGZKLeQaoEJkkRTOXbYoj3z3yJMYn3ogA
debug3: sign_and_send_pubkey: RSA SHA256:C/iGE4IdHhDGZKLeQaoEJkkRTOXbYoj3z3yJMYn3ogA
debug3: send packet: type 50
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to ostest-node-0 ([10.2.0.5]:22).

Please advise - any ideas welcome.
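An added example that is not part of the original post: a pre-flight check a provisioning script could run before invoking Ansible, telling a blank-pass-phrase key (cases 1 and 3) from a pass-phrase-protected one (cases 2 and 4) by reading the key container's header, instead of letting ssh silently skip the key in BatchMode or block in the prompt. The parser, the function names and the constructed key headers are assumptions of this example, not code from the thread or from OpenSSH.

```python
import base64
import struct

# Added example (not from the original thread): decide, without prompting, whether an
# OpenSSH private key is passphrase-protected. In the poster's tests BatchMode=yes makes
# ssh skip an encrypted key silently and BatchMode=no blocks in the prompt, so an
# unattended Ansible run should verify the key it is handed before it starts.

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, offset):
    # One SSH wire-format string: uint32 big-endian length, then that many bytes.
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length

def key_protection(key_text):
    """Return 'none' for a blank-passphrase key, else the cipher/KDF protecting it.
    The OPENSSH container names its cipher ("none" if unencrypted); the legacy PEM
    container marks encrypted keys with a "Proc-Type: 4,ENCRYPTED" header."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM/OpenSSH private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, off)
        return "none" if cipher == b"none" else f"{cipher.decode()}/{kdf.decode()}"
    headers = {}
    for line in lines[1:]:  # PEM headers end at the first blank or base64 line
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        return headers.get("DEK-Info", "encrypted")
    return "none"

def constructed_openssh_key(cipher, kdf):
    """Constructed test data: a bare openssh-key-v1 header, not a usable key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + field(cipher) + field(kdf) + field(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

BLANK_PASSPHRASE_KEY = constructed_openssh_key(b"none", b"none")   # what cases 1/3 used
PROTECTED_KEY = constructed_openssh_key(b"aes256-ctr", b"bcrypt")  # what cases 2/4 used
```

Run key_protection() on the real id_rsa the Azure agent drops on the master; anything other than "none" means the unattended run will hit exactly the silent skip or the prompt shown in the traces above.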

Hi

As you found out yourself, this seems to be an issue with Azure and the way SSH keys are generated/handled there. What does the Azure documentation say about this?

In any case, I'm not sure why you'd want private key material to be generated by someone other than you. And what would be the point of having an empty passphrase for a private key, as opposed to having no passphrase?

Dick