So, learning Ansible - and following the notes http://docs.ansible.com/ansible/latest/network/getting_started/first_playbook.html
However, I don’t want to use userid/passwd information but ssh_keyfiles instead. I can ssh to my switch using ssh_keyfiles, however, ansible doesn’t want to work with my ssh-agent environment?
user@myhost:~$ ssh-agent bash
user@myhost:~$ ssh-add -l
The agent has no identities.
user@myhost:~$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
user@myhost:~$ ssh myswitch
Welcome to myswitch
exit
Connection to myswitch closed.
user@myhost:~$ ansible -vvvv all -i myswitch, -c network_cli -m ios_facts -u user
ansible 2.5.1
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
Parsed myswitch, inventory source with host_list plugin
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/minimal.pyc
META: ran handlers
attempting to start connection
using connection plugin network_cli
local domain socket does not exist, starting it
control socket path is /home/user/.ansible/pc/195cfb7ae7
The full traceback is:
Traceback (most recent call last):
  File "/usr/bin/ansible-connection", line 70, in start
    self.connection._connect()
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/network_cli.py", line 290, in _connect
    ssh = self.paramiko_conn._connect()
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/paramiko_ssh.py", line 240, in _connect
    self.ssh = SSH_CONNECTION_CACHE[cache_key] = self._connect_uncached()
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/connection/paramiko_ssh.py", line 346, in _connect_uncached
    raise AnsibleConnectionFailure(msg)
AnsibleConnectionFailure: ssh user@myswitch:22 : Private key file is encrypted
To connect as a different user, use -u .
myswitch | FAILED! => {
    "msg": "ssh user@myswitch:22 : Private key file is encrypted\nTo connect as a different user, use -u ."
}
What am I doing wrong?
OK, digging a little deeper with paramiko, it seems to be an issue with connecting to Cisco switches running IOS 15.0
DEB [20180424-12:23:00.783] thr=1 paramiko.transport: starting thread (client mode): 0xd6192f10L
DEB [20180424-12:23:00.784] thr=1 paramiko.transport: Local version/idstring: SSH-2.0-paramiko_2.4.1
DEB [20180424-12:23:00.785] thr=1 paramiko.transport: Remote version/idstring: SSH-2.0-Cisco-1.25
INF [20180424-12:23:00.785] thr=1 paramiko.transport: Connected (version 2.0, client Cisco-1.25)
DEB [20180424-12:23:00.787] thr=1 paramiko.transport: kex algos:[u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1'] server key:[u'ssh-rsa'] client encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] server encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] client mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] server mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] client compress:[u'none'] server compress:[u'none'] client lang:[u''] server lang:[u''] kex follows?False
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha1
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: HostKey agreed: ssh-rsa
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: Cipher agreed: aes128-cbc
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: MAC agreed: hmac-sha1
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: Compression agreed: none
DEB [20180424-12:23:00.992] thr=1 paramiko.transport: Got server p (2048 bits)
DEB [20180424-12:23:01.664] thr=1 paramiko.transport: kex engine KexGex specified hash_algo
DEB [20180424-12:23:01.665] thr=1 paramiko.transport: Switch to new keys …
DEB [20180424-12:23:01.680] thr=2 paramiko.transport: Trying SSH agent key 29fe8194987cdc75843df7b698ac0458
DEB [20180424-12:23:01.873] thr=1 paramiko.transport: userauth is OK
ERR [20180424-12:23:01.878] thr=1 paramiko.transport: Exception: Illegal info request from server
ERR [20180424-12:23:01.879] thr=1 paramiko.transport: Traceback (most recent call last):
ERR [20180424-12:23:01.879] thr=1 paramiko.transport: File "/usr/local/lib/python2.7/dist-packages/paramiko/transport.py", line 1949, in run
ERR [20180424-12:23:01.880] thr=1 paramiko.transport: handler(self.auth_handler, m)
ERR [20180424-12:23:01.880] thr=1 paramiko.transport: File "/usr/local/lib/python2.7/dist-packages/paramiko/auth_handler.py", line 622, in _parse_userauth_info_request
ERR [20180424-12:23:01.880] thr=1 paramiko.transport: raise SSHException('Illegal info request from server')
ERR [20180424-12:23:01.880] thr=1 paramiko.transport: SSHException: Illegal info request from server
ERR [20180424-12:23:01.880] thr=1 paramiko.transport:
Tested successfully against other Cisco switches running IOS 15.2 and IOS-XE 3.6, 16.3
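
Added example, not part of the original post: a small triage script for paramiko transport debug logs like the one above. It reports the agreed algorithms, flags those matching an assumed legacy list, and shows how far authentication got before the first exception; the names `triage`, `LEGACY` and the result fields are hypothetical, and the sample lines are copied from the log in the post.

```python
import re

# Constructed sample: lines copied from the paramiko debug log in the post.
SAMPLE_LOG = """\
DEB [20180424-12:23:00.785] thr=1 paramiko.transport: Remote version/idstring: SSH-2.0-Cisco-1.25
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: Kex agreed: diffie-hellman-group-exchange-sha1
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: HostKey agreed: ssh-rsa
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: Cipher agreed: aes128-cbc
DEB [20180424-12:23:00.788] thr=1 paramiko.transport: MAC agreed: hmac-sha1
DEB [20180424-12:23:01.680] thr=2 paramiko.transport: Trying SSH agent key 29fe8194987cdc75843df7b698ac0458
DEB [20180424-12:23:01.873] thr=1 paramiko.transport: userauth is OK
ERR [20180424-12:23:01.880] thr=1 paramiko.transport: SSHException: Illegal info request from server
"""

LINE = re.compile(r"^(DEB|INF|WRN|ERR) \[[^\]]+\] thr=\d+ ([\w.]+): (.*)$")
AGREED = re.compile(r"(Kex|HostKey|Cipher|MAC|Compression) agreed: (\S+)")
# Assumption: substrings treated as legacy for this triage; adjust to local policy.
LEGACY = {"Kex": ("sha1",), "Cipher": ("cbc", "3des"), "MAC": ("md5", "-96")}

def triage(log_text):
    """Summarise one paramiko transport session from its debug log."""
    out = {"remote": None, "agreed": {}, "legacy": [],
           "agent_key_tried": False, "userauth_service_ok": False, "error": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines and foreign text are skipped
        level, _logger, msg = m.groups()
        if msg.startswith("Remote version/idstring: "):
            out["remote"] = msg.split(": ", 1)[1]
        agreed = AGREED.match(msg)
        if agreed:
            kind, algo = agreed.groups()
            out["agreed"][kind] = algo
            if any(tag in algo for tag in LEGACY.get(kind, ())):
                out["legacy"].append(algo)
        if msg.startswith("Trying SSH agent key"):
            out["agent_key_tried"] = True
        if msg == "userauth is OK":
            # paramiko logs this when the ssh-userauth service is accepted,
            # which happens before any credential has been verified.
            out["userauth_service_ok"] = True
        if level == "ERR" and "Exception: " in msg and out["error"] is None:
            out["error"] = msg.split("Exception: ", 1)[1]
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the result shows the agent key was offered and that the session ended with "Illegal info request from server", so the key reached paramiko from the agent and the failure came from the exchange with the switch.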