Accessing via SSH in Ansible


Tom Hanson

Jun 2, 2016, 11:36:28 AM
to Ansible Project
I am fairly new to working with Ansible and am operating some playbooks that were built by someone else who is gone. The current playbooks will set up a new server and work fine. It installs several standard packages and will change to all SSH logins, no root login. The first time I will put the ansible_ssh_user=root ansible_ssh_pass= xxxxx on the inventory line. After that root access no longer works.

The problem is when I need to run a playbook to update the server. I get a failure that looks like this:


*ipaddress*> ESTABLISH CONNECTION FOR USER: *myusername*
<*ipaddress*> REMOTE_MODULE setup
<*ipaddress*> EXEC sshpass -d7 ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/nnnn/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o ConnectTimeout=10 *ipaddress* /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && echo $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580'
fatal: [server] => SSH Error: Permission denied (publickey).
    while connecting to *ipaddress*:22

I then discovered a small group of servers that use a VPN and back end IP, and the same script ran OK -


<*ipaddress*> ESTABLISH CONNECTION FOR USER: *myusername*
<*ipaddress*> REMOTE_MODULE setup
<*ipaddress*> EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/*myusername*/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 *ipaddress* /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602 && echo $HOME/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602'
<*ipaddress*> PUT /tmp/tmpzk8i1E TO /home/*myusername*/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602/setup
<*ipaddress*> EXEC ssh -C -tt -v -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/home/*myusername*/.ansible/cp/ansible-ssh-%h-%p-%r" -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 *ipaddress* /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=jreeatvlyrwzcjqqsmbdciudhpgwnrxp] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-jreeatvlyrwzcjqqsmbdciudhpgwnrxp; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/*myusername*/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602/setup; rm -rf /home/*myusername*/.ansible/tmp/ansible-tmp-1464814366.77-239302668766602/ >/dev/null 2>&1'"'"''
ok: [*servername*]


I am hoping there is a simple setting or other change that will allow these playbooks to run, thanks for the help. I put asterisks around some things for privacy / security: *myusername*, etc.

Johannes Kastl

Jun 2, 2016, 3:02:41 PM
to ansible...@googlegroups.com
Hi there,

On 02.06.16 17:35 Tom Hanson wrote:

> I am fairly new working with ansible and am operating some playbooks that
> were built by someone else who is gone. The current playbooks will set up a
> new server and work fine. It installs several standard packages and will
> change to all SSH logins , no root login. The first time I will put the
> ansible_ssh_user=root ansible_ssh_pass= xxxxx on the inventory line.

Keeping that in an ansible-vault encrypted file is the better option,
but first things first.

> After that root access no longer works.

I guess your playbook changes the sshd's settings, right?

> the problem is when I need to run a playbook to update the server.

The same playbook run again? Or another playbook? Could you share the
parts of the playbook that show the errors?

> I get a
> failure that looks like this :
>
>
> *ipaddress*> ESTABLISH CONNECTION FOR USER: *myusername*
> <*ipaddress*> REMOTE_MODULE setup
> <*ipaddress*> EXEC sshpass -d7 ssh -C -tt -v -o ControlMaster=auto -o
> ControlPersist=60s -o
> ControlPath="/home/nnnn/.ansible/cp/ansible-ssh-%h-%p-%r" -o
> StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o
> PubkeyAuthentication=no -o ConnectTimeout=10 *ipaddress* /bin/sh -c 'mkdir
> -p $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && chmod
> a+rx $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580 && echo
> $HOME/.ansible/tmp/ansible-tmp-1464038963.41-214242419831580'
> fatal: [server] => SSH Error: Permission denied (publickey).
> while connecting to *ipaddress*:22
>

Can you login as the destination user if you do it manually? Do you
have the right ssh keys on your machine?

Johannes


Tom Hanson

Jun 2, 2016, 4:05:36 PM
to Ansible Project


> The same playbook run again? Or another playbook? Could you share the
> parts of the playbook that show the errors?

different playbook - this is one to just update the hosts file,

ansible-playbook -vvv  update_hosts.yml -i inventory/inventory

file update_hosts.yml

---
- hosts: *servername*
  sudo: yes
  roles:
    - hosts

Roles folder

hosts folder
default folder

file - main.yml
---
host_vars_etc_hosts: ""
group_vars_etc_hosts: ""

tasks folder
file main.yml
---
- name: configure /etc/hosts
  template:
    src: "hosts.j2"
    dest: "/etc/hosts"
    owner: root
    group: root
    mode: 0644
    backup: yes

templates folder
hosts.j2 file (the actual hosts file to be copied over)

> Can you login as the destination user if you do it manually? Do you
> have the right ssh keys on your machine?

yes, My key works on the servers after they are configured

Thanks- 

Johannes Kastl

Jun 3, 2016, 3:13:03 AM
to ansible...@googlegroups.com
On 02.06.16 22:05 Tom Hanson wrote:

[ maybe snip the fullquote the next time, makes mails very long...]

> yes, My key works on the servers after they are configured

My guess: Connecting as root the first time works, as you tell ansible
with which user it should connect. After that, ansible is missing this
info. And I guess the target username is not the one you have on your
controller.

What happens if you include the following into your update.yml:

vars:
  ansible_user: foobar

And replace foobar with the user on the remote machine.

If that does not solve it, then maybe the VPN is the reason, and ssh
login is only allowed on some IPs or from some IPs. That would be a
task in the first ansible playbook, maybe have a look.

Johannes


Tom Hanson

Jun 3, 2016, 4:54:48 PM
to Ansible Project
> What happens if you include the following into your update.yml:
>
> vars:
>   ansible_user: foobar

that seems to have done the trick, thanks for the help

Johannes Kastl

Jun 4, 2016, 5:15:53 AM
to ansible...@googlegroups.com
On 03.06.16 22:54 Tom Hanson wrote:
> What happens if you include the following into your update.yml:
>
> vars:
>   ansible_user: foobar
>
> that seems to have done the trick, thanks for the help

I guess when you tried to log into the machine manually, you specified
a user:
ssh user@machine
or
ssh user@ip-address

So your ssh-client knew as which user to connect. Ansible did not know
that. And you told it only in your first step with the
ansible_user=root part.

You might want to read up on ssh connections.
https://docs.ansible.com/ansible/intro_getting_started.html#remote-connection-information

Johannes
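
An added example, not part of the original thread: a small Python check that reads `-vvv` traces like the two posted above and compares the authentication methods the ssh command line rules out with the methods the server names in its "Permission denied (...)" reply. The traces are abridged from the thread, `192.0.2.10` is a placeholder host, and the function names are hypothetical.

```python
import re

# Abridged from the two -vvv traces in the thread; 192.0.2.10 is a placeholder host.
FAILING = """<192.0.2.10> EXEC sshpass -d7 ssh -C -tt -v -o ControlMaster=auto -o StrictHostKeyChecking=no -o GSSAPIAuthentication=no -o PubkeyAuthentication=no -o ConnectTimeout=10 192.0.2.10 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp'
fatal: [server] => SSH Error: Permission denied (publickey).
"""
WORKING = """<192.0.2.10> EXEC ssh -C -tt -v -o ControlMaster=auto -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 192.0.2.10 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp'
ok: [server]
"""

# ssh_config option that switches each authentication method off when set to "no"
DISABLE_OPT = {
    "publickey": "PubkeyAuthentication",
    "password": "PasswordAuthentication",
    "keyboard-interactive": "KbdInteractiveAuthentication",
    "gssapi-with-mic": "GSSAPIAuthentication",
}

def client_disabled(exec_line):
    """Return the set of auth methods the ssh command line rules out."""
    opts = dict(re.findall(r"-o (\w+)=(\S+)", exec_line))
    off = {m for m, o in DISABLE_OPT.items() if opts.get(o, "").lower() == "no"}
    preferred = opts.get("PreferredAuthentications")
    if preferred:  # methods missing from this list are never attempted
        off |= set(DISABLE_OPT) - set(preferred.split(","))
    return off

def diagnose(trace):
    """Compare what the client would try with what the server says it accepts."""
    findings, disabled, used_sshpass = [], set(), False
    for line in trace.splitlines():
        if " EXEC " in line:
            used_sshpass = bool(re.search(r"EXEC sshpass\b", line))
            disabled = client_disabled(line)
        denied = re.search(r"Permission denied \(([^)]*)\)", line)
        if denied:  # the parenthesised list is what the server still accepts
            accepted = set(denied.group(1).split(","))
            blocked = sorted(accepted & disabled)
            if blocked and accepted <= disabled:
                findings.append("server accepts only %s, but the client disabled it" % ",".join(blocked))
            if used_sshpass and "password" not in accepted:
                findings.append("a password was supplied via sshpass, but the server does not accept password auth")
    return findings

if __name__ == "__main__":
    for name, trace in (("failing", FAILING), ("working", WORKING)):
        print(name, diagnose(trace) or "no auth mismatch")
```
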
