Sudo (become) fails on Debian target, not on Fedora (using agent-based authentication)

I am trying to use Ansible to configure both Debian and Fedora machines.
On the Debian machines sudo fails (Incorrect sudo password); on Fedora it works.

tl;dr: Please help me understand how I should configure Ansible (or Debian) to use the ssh-agent to sudo.

My ansible configuration:

  • ansible.cfg:
    [defaults]
    inventory = inventory/hosts
    transport = ssh
    [privilege_escalation]
    become = True
    become_method = sudo
    become_flags = -H -S -n
    
  • inventory/group_vars/all.yml:
    ---
    ansible_user        : alex
    ansible_become_pass : 001
    
  • inventory/host_vars/paulaner.yml, the Debian machine:
    ---
    ansible_host: paulaner.domain.tld
    
  • inventory/host_vars/tarwe-smoothy.yml, the Fedora machine:
    ---
    ansible_host: tarwe-smoothy.domain.tld
    

My SSH and SUDO environment:

On my control machine I have an ssh agent running:

$ ssh-add -l
256 SHA256:2jvAF/7wJRH[...]1s cardno:13[...]3 (ED25519)

On the target machines I configured pam-ssh-agent-auth, slightly different:

$ ssh paulaner "sudo grep -E 'PRETTY|pam_ssh_agent_auth|SSH_AUTH' /etc/os-release /etc/sudoers /etc/pam.d/sudo"
/etc/os-release:PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
/etc/sudoers:Defaults env_keep += "SSH_AUTH_SOCK"
/etc/pam.d/sudo:auth	sufficient	pam_ssh_agent_auth.so file=~/.ssh/authorized_keys 
$ ssh tarwe-smoothy "sudo grep -E 'PRETTY|pam_ssh_agent_auth|SSH_AUTH' /etc/os-release /etc/sudoers /etc/pam.d/sudo"
/etc/os-release:PRETTY_NAME="Fedora Linux 41 (Workstation Edition)"
/etc/sudoers:Defaults    env_keep += "SSH_AUTH_SOCK"
/etc/pam.d/sudo:auth 	   sufficient   pam_ssh_agent_auth.so file=~/.ssh/authorized_keys

Tests to prove sudo ssh agent auth works:

$ ssh paulaner sudo whoami
root
$ ssh tarwe-smoothy sudo whoami
root

Ansible breaks, however:

A simple command to test if Ansible survives sudo:

$ ansible tarwe-smoothy -a "whoami" -b
tarwe-smoothy | CHANGED | rc=0 >>
root
$ ansible paulaner -a "whoami" -b
paulaner | FAILED | rc=-1 >>
Incorrect sudo password

When I analyse the commands (grep sudo to avoid spamming this forum too much):

$ ansible tarwe-smoothy -a "whoami" -b -vvvv|grep -E '^root|sudo'
<tarwe-smoothy.domain.tld> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="alex"' -o ConnectTimeout=10 -o 'ControlPath="/home/alex/.ansible/cp/b74a3a9938"' -tt tarwe-smoothy.domain.tld '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=oyzgtbtniavlkmnxxccfixtdivwyezxu] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-oyzgtbtniavlkmnxxccfixtdivwyezxu ; /usr/bin/python3 /home/alex/.ansible/tmp/ansible-tmp-1736460559.4496698-536563-145609235135932/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
root

$ ansible paulaner -a "whoami" -b -vvvv|grep -E '^root|sudo'
<paulaner.domain.tld> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="alex"' -o ConnectTimeout=10 -o 'ControlPath="/home/alex/.ansible/cp/939eb258d8"' -tt paulaner.domain.tld '/bin/sh -c '"'"'sudo -H -S -p "[sudo via ansible, key=likgvbfabyfclzfjajebizjrbmgzvqup] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-likgvbfabyfclzfjajebizjrbmgzvqup ; /usr/bin/python3 /home/alex/.ansible/tmp/ansible-tmp-1736460580.2422595-536742-252071113550340/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
Incorrect sudo password

I read this post: Missing sudo password when using agent-based authentication for sudo. The solution suggests to pass become_flags=--preserve-env=SSH_AUTH_SOCK to become_method=sudo, which I tried, to no avail.

I notice that, no matter what become_flags I configure, the -p (prompt) option is added to the sudo command. I don’t understand how/why Ansible wants that option so badly.

it only gets added when a become password is present (by setting the become_pass option).

it only gets added when a become password is present (by setting the become_pass option).

Ah, thanks for that explanation. It prompted me to test a bit more, but I wasn’t able to find the solution:
I set the become_flags (following the advice in post #8092) and removed the ansible_become_pass line:

become_flags = --preserve-env=SSH_AUTH_SOCK -H

But then I get a Timeout error…:

$ ansible paulaner -a "whoami" -b -vvvv|grep -E '^root|sudo|^paulaner|^Timeout'
<paulaner.domain.tld> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="alex"' -o ConnectTimeout=10 -o 'ControlPath="/home/alex/.ansible/cp/939eb258d8"' -tt paulaner.domain.tld '/bin/sh -c '"'"'sudo --preserve-env=SSH_AUTH_SOCK -H  -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-ydvnmraslqzkfgkvmmuqcflyqzdojoxw ; /usr/bin/python3 /home/alex/.ansible/tmp/ansible-tmp-1736462095.5705867-543388-42958667183746/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
paulaner | FAILED | rc=-1 >>
Timeout (12s) waiting for privilege escalation prompt: 

So, somehow, when Ansible invokes sudo, on Debian, it fails to use the ssh agent.

Yes, removing the password just prevents the prompt from being issued; now you need to figure out why the socket is not being seen. I have had this working before and it always required playing with sudoers env var passing.

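The last reply leaves the reader with "figure out why the socket is not being seen". The playbook below is an added diagnostic, not something posted in the thread, written against the inventory shown in the question (targets reached via their `ansible_host` FQDN, login user alex, no `ansible_become_pass` set). It runs with `become: false` and calls `sudo -n` itself so that sudo fails instead of prompting, and it checks three things in the exact session Ansible opens: the effective ssh client config for the host string Ansible actually connects to (which is `ansible_host`, not the inventory alias used in the interactive `ssh paulaner` test), whether `SSH_AUTH_SOCK` exists and points at a live socket for the login user, and whether root still sees the socket after `env_keep`. The file name and the `-l paulaner` limit are assumptions for the example.

```yaml
# Added diagnostic playbook (example, not from the original thread).
# Assumes the inventory from the question: hosts reached via ansible_host,
# login user alex, and NO ansible_become_pass set (so sudo must succeed via
# pam_ssh_agent_auth or fail). Suggested invocation (file name is assumed):
#   ansible-playbook -i inventory/hosts debug_sudo_agent.yml -l paulaner
- name: Diagnose pam_ssh_agent_auth under Ansible
  hosts: all
  gather_facts: false
  become: false          # we invoke sudo ourselves so that -n (never prompt) can be forced
  tasks:
    - name: Effective ssh client config for the host string Ansible really uses
      delegate_to: localhost
      ansible.builtin.command:
        argv: ["ssh", "-G", "{{ ansible_host | default(inventory_hostname) }}"]
      register: sshcfg
      changed_when: false

    - name: Does the session Ansible opens carry an agent socket for the login user?
      ansible.builtin.shell: |
        echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset}"
        if [ -S "${SSH_AUTH_SOCK:-/nonexistent}" ]; then
          echo "socket: present"
          ssh-add -l 2>&1 || true        # lists the forwarded keys, or says why not
        else
          echo "socket: missing in this session"
        fi
      register: session_env
      changed_when: false

    - name: Can sudo authenticate non-interactively, and does root still see the socket?
      ansible.builtin.shell: |
        # -n makes sudo fail instead of prompting, which is the situation Ansible is in
        # once no become password is configured. The inner sh runs as root, so the
        # expansion shows what survived sudoers env_keep.
        sudo -n sh -c 'echo "root sees SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset}"' 2>&1 \
          || echo "sudo -n failed (rc=$?): agent auth did not succeed in this session"
      register: sudo_probe
      changed_when: false

    - name: Show results
      ansible.builtin.debug:
        msg:
          - "{{ sshcfg.stdout_lines | select('match', '^(hostname|user|forwardagent) ') | list }}"
          - "{{ session_env.stdout_lines }}"
          - "{{ sudo_probe.stdout_lines }}"
```

How to read the output: the first list is the client-side configuration that applies to `paulaner.domain.tld`; `ssh -G` prints the effective values after all `Host` blocks are matched, so a `Host paulaner` block that enabled agent forwarding for the interactive test would not apply here, and `forwardagent no` on that line means no socket can reach the target at all. If that is the case, the per-host knob is `ansible_ssh_common_args: "-o ForwardAgent=yes"` in the host_vars file. The second list tells you whether the socket exists for alex before sudo is ever involved; the third tells you whether it survives into root, which is exactly the `env_keep` question the last reply points at. Finally, the `-p` prompt the question asks about comes from Ansible's sudo become plugin: once a become password is set it strips `-n` from `become_flags` and appends `-S -p "<prompt>"`, which is why the verbose output shows `sudo -H -S -p ...` despite `become_flags = -H -S -n`; with no password set the flags are passed through unchanged, as the later `--preserve-env=SSH_AUTH_SOCK -H` run shows.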