thoroughly stumped on ssh key issue; ansible not reading /root/.ssh/config? (missing something simple?).

Archives Ansible Project
1

Issue:
PAsswordless ssh works; ansible does not; comes back with AUTH failed. Almost looks like my /root/.ssh/config is not being read by ansible?

Workarounds:
setting key manually in /etc/ansible/ansible.cfg or using flag to specify key in command line both work

Kickstart/cobbler install with pre shared public key that is stored in rsa_compute_node and rsa_compute_node.pub on the mgmt node.

ie:

[root@mgmt2 ssh]# ls /root/.ssh/
authorized_keys id_rsa id_rsa_compute.pub id_rsa_mgmt.pub known_hosts
config id_rsa_compute id_rsa_mgmt id_rsa.pub
[root@mgmt2 ssh]#

Config file setup for certian hosts and using my custom ID file:

[root@mgmt2 ssh]# cat /root/.ssh/config
Host 192.168.*
StrictHostKeyChecking=no
IdentityFile ~/.ssh/id_rsa_compute

ssh works without password

[root@mgmt2 ~]# ssh 192.168.100.147
[root@u-eth ~]#

Ansible fails:

[root@mgmt2 ssh]# ansible compute -m ping
[WARNING]: The version of gmp you have installed has a known issue regarding
timing vulnerabilities when used with pycrypto. If possible, you should update
it (i.e. yum update gmp).

192.168.100.103 | FAILED => FAILED: Authentication failed.
192.168.100.105 | FAILED => FAILED: Authentication failed.
192.168.100.101 | FAILED => FAILED: Authentication failed.
192.168.100.104 | FAILED => FAILED: Authentication failed.
192.168.100.102 | FAILED => FAILED: Authentication failed.
192.168.100.107 | FAILED => FAILED: Authentication failed.
192.168.100.110 | FAILED => FAILED: Authentication failed.
192.168.100.106 | FAILED => FAILED: Authentication failed.
192.168.100.108 | FAILED => FAILED: Authentication failed.
192.168.100.109 | FAILED => FAILED: Authentication failed.
192.168.100.114 | FAILED => FAILED: Authentication failed.
192.168.100.113 | FAILED => FAILED: Authentication failed.
192.168.100.111 | FAILED => FAILED: Authentication failed.
192.168.100.112 | FAILED => FAILED: Authentication failed.
192.168.100.115 | FAILED => FAILED: Authentication failed.
192.168.100.120 | FAILED => FAILED: Authentication failed.
192.168.100.119 | FAILED => FAILED: Authentication failed.
192.168.100.117 | FAILED => FAILED: Authentication failed.
192.168.100.116 | FAILED => FAILED: Authentication failed.
192.168.100.118 | FAILED => FAILED: Authentication failed.
192.168.100.121 | FAILED => FAILED: Authentication failed.
192.168.100.123 | FAILED => FAILED: Authentication failed.
192.168.100.125 | FAILED => FAILED: Authentication failed.
192.168.100.122 | FAILED => FAILED: Authentication failed.
192.168.100.124 | FAILED => FAILED: Authentication failed.
192.168.100.126 | FAILED => FAILED: Authentication failed.
192.168.100.129 | FAILED => FAILED: Authentication failed.
192.168.100.128 | FAILED => FAILED: Authentication failed.
192.168.100.130 | FAILED => FAILED: Authentication failed.
192.168.100.127 | FAILED => FAILED: Authentication failed.
192.168.100.134 | FAILED => FAILED: Authentication failed.
192.168.100.131 | FAILED => FAILED: Authentication failed.
192.168.100.132 | FAILED => FAILED: Authentication failed.
192.168.100.135 | FAILED => FAILED: Authentication failed.
192.168.100.133 | FAILED => FAILED: Authentication failed.
192.168.100.137 | FAILED => FAILED: Authentication failed.
192.168.100.139 | FAILED => FAILED: Authentication failed.
192.168.100.138 | FAILED => FAILED: Authentication failed.
192.168.100.140 | FAILED => FAILED: Authentication failed.
192.168.100.136 | FAILED => FAILED: Authentication failed.
192.168.100.142 | FAILED => FAILED: Authentication failed.
192.168.100.143 | FAILED => FAILED: Authentication failed.
192.168.100.144 | FAILED => FAILED: Authentication failed.
192.168.100.145 | FAILED => FAILED: Authentication failed.
192.168.100.141 | FAILED => FAILED: Authentication failed.
192.168.100.146 | FAILED => FAILED: Authentication failed.
192.168.100.147 | FAILED => FAILED: Authentication failed.
192.168.100.148 | success >> {
“changed”: false,
“ping”: “pong”
}

The last node; i ran ssh-copy-id as a sanity test.

Version:

[root@mgmt2 ~]# rpm -qa | grep ans
dejavu-sans-fonts-2.30-2.el6.noarch
ansible-1.8.1-1.el6.noarch
[root@mgmt2 ~]#

[root@–eth .ssh]# service sshd stop; /usr/sbin/sshd -p 22 -D -d -e
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]=‘/usr/sbin/sshd’
debug1: rexec_argv[1]=‘-p’
debug1: rexec_argv[2]=‘22’
debug1: rexec_argv[3]=‘-D’
debug1: rexec_argv[4]=‘-d’
debug1: rexec_argv[5]=‘-e’
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.2 port 52557
debug1: Client protocol version 2.0; client software version paramiko_1.7.5
debug1: no match: paramiko_1.7.5
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 0 failures 0
debug1: PAM: initializing for “root”
debug1: PAM: setting PAM_RHOST to “192.168.1.2”
debug1: PAM: setting PAM_TTY to “ssh”
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for root from 192.168.1.2 port 52557 ssh2
Connection closed by 192.168.1.2
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup
[root@urika-xa46-eth .ssh]# rm /root/.ssh/authorized_keys2
rm: remove regular file `/root/.ssh/authorized_keys2’? y
[root@–eth .ssh]#

LEt me know if you need anymore info,

Thanks!

-Jason

2

I could be wrong but Anisble may be using paramiko on your machine instead of the ssh command. You can verify by adding -vvvv

Additionally you can try forcing ssh by using “-c ssh”.

3

I am having a similar problem to Jason’s example. Using ansible version 1.8.4 installed via brew on OS X 10.10.2 machine, ansible is only able to access machines that have root ssh login enabled and only if I use the -k option in ansible. Using -k option, ansible logs in as root and works. If I try a different user using the -u option on ansible command line it is ignored. I tried the -c ssh suggestion of Matt, no difference for passwordless attempt, Ansible does ask for another program to be installed if you use the -c ssh -k , I did not go down this path, as entering a password is not my goal. The following playbook works and shows that remote user is root if I use -k option, playbook will fail with similar log to Jason’s above with no -k:

4

After a bit more reading and learning, I have found that using the ansible option:

ansible_ssh_user

is the way to select the ssh user in ansible. It can be placed in ansible’s hosts file, in a playbook or on the command line. In a playbook for example: