Incorrect sudo password on HP-UX

I have a group of old HP-UX servers that I need to manage with Ansible. I started by installing python-2.7.13 on one server, then testing with a simple Ansible ping:

sinuid06-> ansible sinuid02 -m ping
sinuid02 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

That went well. Then I tried to do the same test but with sudo:

sinuid06-> ansible sinuid02 -bK -m ping
SUDO password:
sinuid02 | FAILED! => {
    "failed": true,
    "msg": "Incorrect sudo password"
}

But sudo works when I log into the server and type the command:

sinuid02-> sudo -i
Password:

Value of TERM has been set to "putty".
WARNING: YOU ARE SUPERUSER !!

And Ansible works when I use the raw module with sudo:

sinuid06-> ansible sinuid02 -sK -m raw -a id
SUDO password:
sinuid02 | SUCCESS | rc=0 >>

uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

But it fails with the shell or command modules:

sinuid06-> ansible sinuid02 -sK -m command -a id
SUDO password:
sinuid02 | FAILED | rc=0 >>
Incorrect sudo password

I tried updating sudo on the target server, but that did not help:

sinuid02-> sudo --version
Sudo version 1.8.20p2
Sudoers policy plugin version 1.8.20p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.20p2

So what is different about how the modules execute sudo on HP-UX and what can I do to correct it?

-Mark

Not sure the answer to your question but you can get some more information from ansible that may help.

Use -vvvvv as an option and you’ll see a printout of what command lines ansible is trying to run over the ssh connection.

-Toshio

-vvvv did not show anything that was helpful:

sinuid06-> ansible sinuid02 -sK -m ping -vvvv
Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=wjfyztinvbxyowftkcxbdswpcgknzxpc] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-wjfyztinvbxyowftkcxbdswpcgknzxpc; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
sinuid02 | FAILED! => {
    "failed": true,
    "msg": "Incorrect sudo password"
}

But what did make a difference was setting ANSIBLE_KEEP_REMOTE_FILES=1:

sinuid06-> ANSIBLE_KEEP_REMOTE_FILES=1 ansible sinuid02 -sK -m command -a id
SUDO password:
sinuid02 | SUCCESS | rc=0 >>
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

So somehow forcing the remote system to save the module files made it work. This is very puzzling.
-Mark

The debug output from when I set ANSIBLE_KEEP_REMOTE_FILES=1 is significantly different from when I do not set that:

sinuid06-> ANSIBLE_KEEP_REMOTE_FILES=1 ansible sinuid02 -sK -m ping -vvvv
Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685 `" && echo ansible-tmp-1501605634.85-254507764792685="` echo $HOME/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685 `" ) && sleep 0'"'"''
PUT /tmp/tmpTO4oao TO /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ping.py
SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r '[sinuid02]'
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'chmod u+x /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ping.py && sleep 0'"'"''
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r -tt sinuid02 '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=rfgzwshkypvukgrzrjwgjayzwslvshum] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-rfgzwshkypvukgrzrjwgjayzwslvshum; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ping.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
sinuid02 | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": null
        },
        "module_name": "ping"
    },
    "ping": "pong"
}

Specifically, when I do not set the variable, I do not see a call to sftp to copy the ping.py file to the target server, but I do see that when I set the variable. I do not know enough about how Ansible operates to know if that is significant or not.
-Mark

Using ANSIBLE_KEEP_REMOTE_FILES also disables ssh ‘pipelining’, so I suspect just disabling pipelining may also work.

See http://docs.ansible.com/ansible/latest/intro_configuration.html#pipelining

Try:

$ ANSIBLE_SSH_PIPELINING=0 ansible -vvvvv sinuid02 -sK -m command -a id

And then:

$ ANSIBLE_SSH_PIPELINING=1 ansible -vvvvv sinuid02 -sK -m command -a id

If ANSIBLE_SSH_PIPELINING=0 works and ANSIBLE_SSH_PIPELINING=1 fails, that narrows the problem down.
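
Added example (not part of the thread, and not Ansible's own code): a small Python check that reads `-vvvv` output and reports whether the become step ran pipelined, using the differences visible in the runs quoted here: whether a PUT/sftp upload happened, whether the interpreter was given a script path, and whether ssh was called with `-tt`. The sample lines are constructed and shortened; `classify_run` and its field names are made up for this illustration.

```python
import re

# Constructed, shortened lines modelled on the -vvvv output quoted in this thread:
# ssh options and nested shell quoting are trimmed, KEY and paths are placeholders.
PIPELINED_RUN = [
    "ESTABLISH SSH CONNECTION FOR USER: None",
    "SSH: EXEC ssh -C -o ControlMaster=auto sinuid02 '/bin/sh -c sudo -H -S "
    "-u root /bin/sh -c echo BECOME-SUCCESS-KEY; LANG=C /usr/bin/python && sleep 0'",
]
UPLOADED_RUN = [
    "PUT /tmp/tmpXXXXXX TO /home/user/.ansible/tmp/ansible-tmp-0/ping.py",
    "SSH: EXEC sftp -b - -C -o ControlMaster=auto '[sinuid02]'",
    "SSH: EXEC ssh -C -o ControlMaster=auto -tt sinuid02 '/bin/sh -c sudo -H -S "
    "-u root /bin/sh -c echo BECOME-SUCCESS-KEY; LANG=C /usr/bin/python "
    "/home/user/.ansible/tmp/ansible-tmp-0/ping.py && sleep 0'",
]

PUT_RE = re.compile(r"^PUT \S+ TO \S+")
# Interpreter after the BECOME-SUCCESS marker, plus an optional script path argument.
BECOME_RE = re.compile(
    r"BECOME-SUCCESS-\w+;.*?(/\S*?python[\d.]*)(?:\s+(/[^\s'\";]+))?")
TTY_RE = re.compile(r"\s-tt\s")


def classify_run(lines):
    """Summarise how the become step of one verbose run delivered the module."""
    uploaded = any(PUT_RE.match(line) for line in lines)
    for line in lines:
        match = BECOME_RE.search(line)
        if match:
            script = match.group(2)
            return {
                # No script argument: the interpreter reads the module from stdin,
                # the same stream that carries the sudo password (-S).
                "pipelined": script is None,
                "module_uploaded": uploaded,
                "module_path": script,
                "tty_forced": bool(TTY_RE.search(line)),
            }
    return None  # no become command in this output


if __name__ == "__main__":
    for name, run in (("pipelined", PIPELINED_RUN), ("uploaded", UPLOADED_RUN)):
        print(name, classify_run(run))
```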

It worked exactly as you predicted, disabling pipelining resulted in success, enabling pipelining caused failure:

sinuid06-> ANSIBLE_SSH_PIPELINING=0 ansible sinuid02 -bK -m ping -vvvv
Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397 `" && echo ansible-tmp-1501685240.38-249800991666397="` echo $HOME/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397 `" ) && sleep 0'"'"''
PUT /tmp/tmpSBgbKg TO /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ping.py
SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r '[sinuid02]'
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'chmod u+x /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ping.py && sleep 0'"'"''
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r -tt sinuid02 '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=tlsiocbaqshesaoykfdbxhrvmgykhppm] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-tlsiocbaqshesaoykfdbxhrvmgykhppm; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ping.py; rm -rf "/home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''
sinuid02 | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": null
        },
        "module_name": "ping"
    },
    "ping": "pong"
}

sinuid06-> ANSIBLE_SSH_PIPELINING=1 ansible sinuid02 -bK -m ping -vvvv
Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
ESTABLISH SSH CONNECTION FOR USER: None
SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=mqoctsbwdszgvkvzodlrvtvojlkrgpdo] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mqoctsbwdszgvkvzodlrvtvojlkrgpdo; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''
sinuid02 | FAILED! => {
    "failed": true,
    "msg": "Incorrect sudo password"
}

I tried ensuring that ‘requiretty’ was disabled in my sudoers file, but that did not change anything. I guess as a work-around I can instruct everyone to disable pipelining when working with HP-UX, but that is going to be cumbersome and a point of constant error when someone forgets.
-Mark

I thought it might be the special characters in my password. They sometimes do not pass properly in pipeline streams.
I tried the following:

ssh -tt sinuid02 "echo 'my#password' | sudo -S id"
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

That worked. But this way failed:

echo 'my#password' | ssh -tt sinuid02 "sudo -S id"
Password: Sorry, try again.
Password:
sudo: 1 incorrect password attempt

Then tried escaping the special characters:

echo 'my#password' | ssh -tt sinuid02 "sudo -S id"
my#password
Password:
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

That led me to believe that indeed that is the problem. But when I tried escaping special characters when entering my password or just removing special characters altogether from my password, Ansible still fails. I even set sudoers to allow me to run commands with no password, and that still fails through Ansible unless I disable pipelining.
The bottom line is that there are issues with the combination of pipelining and Ansible.
-Mark