SSH unknown error issue

When I’m first setting up a vm, I need to set which user to use and the ssh and sudo passwords.

So, my host file looks something like:

[apache]
192.168.77.2 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
[mysql]
192.168.77.3 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant

The initial setup includes configuring ssh to use sshkey auth, block password auth, and adds my ssh pub key to the vagrant user.

After that first run, my playbooks fail.

ansible-playbook -i provisioning/vagrant.ansible.hosts --sudo --limit="192.168.77.3" provisioning/play.testowncloud.yml

PLAY [apache] *****************************************************************
skipping: no hosts matched

PLAY [mysql] ******************************************************************

GATHERING FACTS ***************************************************************
fatal: [192.168.77.3] => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue

TASK: [aspects_mysql_server | include_vars {{ ansible_os_family }}.yml] *******
FATAL: no hosts matched or all hosts have already failed -- aborting

PLAY RECAP ********************************************************************
to retry, use: --limit @/home/localuser/play.testowncloud.retry

192.168.77.3 : ok=0 changed=0 unreachable=1 failed=0

If I remove the ansible_ssh_pass variable from my hosts file, it starts working.

Why is that? Shouldn’t having the ansible_ssh_pass set not matter?

In case it’s useful, my /etc/ssh/sshd_config:

# See the sshd_config(5) manpage for details on what options you can set.

Protocol 2
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
AcceptEnv LANG LC_*
HostKey /etc/ssh/ssh_host_rsa_key
Port 22
PubkeyAuthentication yes
ServerKeyBits 768
PrintMotd no
AllowUsers otherusers localuser vagrant
PrintLastLog yes
HostbasedAuthentication no
LoginGraceTime 120
SyslogFacility AUTH
X11DisplayOffset 10
IgnoreRhosts yes
PasswordAuthentication no
TCPKeepAlive yes
KeyRegenerationInterval 3600
UsePAM yes
LogLevel INFO
RhostsRSAAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
X11Forwarding yes
RSAAuthentication yes
ChallengeResponseAuthentication no

Both desktop and vm are Ubuntu 14.04. Using ansible devel branch current as of a couple weeks ago.

If you have ansible_ssh_pass set, ansible explicitly sets “-o PubkeyAuthentication=no” which disables the use of SSH public key auth.

Is that documented? I don’t see it here: http://docs.ansible.com/intro_inventory.html#list-of-behavioral-inventory-parameters

Any explanations on why? It seems counterintuitive to me. I would think we’d always want to use pubkey auth, and only use password auth if pubkey isn’t available.

It is not specifically documented other than the code itself:

https://github.com/ansible/ansible/blob/d3c28fee8739c93821d4f639b2931f5a3592eb8e/lib/ansible/runner/connection_plugins/ssh.py#L90-L92

It was added in:

https://github.com/ansible/ansible/commit/d703f920775e8877b1fb9e2ae750a23bcc7e9534

Which dates the change back to v0.9

My recommendation is to not put ansible_ssh_pass in your inventory. Instead just specify it as an argument (-k) on the command line the first time you bootstrap a machine. That is what we do, and it seems to work out pretty well.
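As an added illustration (not code from this thread or from Ansible itself), the following script audits an inventory against a target's sshd_config and reproduces the mismatch described above: a host with ansible_ssh_pass set is modelled as offering only password auth (the legacy plugin's "-o PubkeyAuthentication=no" behaviour quoted earlier), while the post-bootstrap sshd accepts only pubkey, so the two have no method in common. The sample inventory and sshd_config excerpt are constructed from the thread; the mysql host is shown with the password variable already removed.

```python
# Constructed inventory mirroring the thread's; mysql already has ansible_ssh_pass removed.
INVENTORY = """\
[apache]
192.168.77.2 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
[mysql]
192.168.77.3 ansible_ssh_user=vagrant
"""
# Constructed sshd_config excerpt with the thread's post-bootstrap settings.
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
"""
def parse_inventory(text):
    """Return {host: {var: value}} from an INI-style Ansible inventory."""
    hosts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in '[#;':
            host, *pairs = line.split()
            hosts[host] = dict(p.split('=', 1) for p in pairs)
    return hosts

def parse_sshd_config(text):
    """Return {option: value}, lowercased; first occurrence wins, as in sshd (no Match blocks)."""
    conf = {}
    for line in text.splitlines():
        key, _, value = line.split('#', 1)[0].strip().partition(' ')
        if key:
            conf.setdefault(key.lower(), value.strip().lower())
    return conf

def client_methods(hostvars):
    """Methods Ansible offers; per the thread, ansible_ssh_pass adds PubkeyAuthentication=no."""
    return {'password'} if 'ansible_ssh_pass' in hostvars else {'publickey'}
def server_methods(conf):
    """Methods sshd accepts; both options default to yes when unset."""
    return {m for m, opt in (('publickey', 'pubkeyauthentication'),
                             ('password', 'passwordauthentication'))
            if conf.get(opt, 'yes') == 'yes'}

def audit(inventory_text=INVENTORY, sshd_text=SSHD_CONFIG):
    """Return {host: [findings]}; an empty list means the host should connect."""
    server = server_methods(parse_sshd_config(sshd_text))
    report = {}
    for host, hv in parse_inventory(inventory_text).items():
        report[host] = []
        if 'ansible_ssh_pass' in hv:
            report[host].append('plaintext ansible_ssh_pass in inventory; use -k at bootstrap')
        if not client_methods(hv) & server:
            report[host].append('no auth method in common with sshd -> unreachable')
    return report
```

Running audit() flags 192.168.77.2 twice (stored password, and no usable auth method) and returns an empty list for 192.168.77.3, matching the behaviour the original poster saw after deleting the variable.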

So, I just ran into this again. And it’s really really annoying. There are times when I’m configuring things that I need to use the ssh password. It’s far simpler just to set the password in the inventory/host_vars file and leave it there, than to have to set it, then remember to remove it once pubkey auth is working.

I also can’t think of why you would want to block pubkey authentication. Doesn’t ssh automatically fall back to password auth if pubkey fails? Pubkey auth is much more secure, and I would think it should be preferred over password auth in all cases, even if you’ve specified a password.

Or am I missing something?

In any case, is there an ansible.cfg option I could set that would stop Ansible from setting the “PubkeyAuthentication=no” flag?