Ansible authentication failure, despite successful key-based ssh login

Joost Ringoot

May 23, 2014, 5:24:59 AM
to ansible...@googlegroups.com
Hi,

When I try to connect to a host with ansible, it fails with the user jenkins,
despite key-based ssh login being successful.

[jenkins@geppetto ~]$ ssh jenkins@cal-25
Last login: Fri May 23 11:19:58 2014 from geppetto.oma.be
[jenkins@cal-25 ~]$ exit
logout
Connection to cal-25 closed.
[jenkins@geppetto ~]$ ansible cal-25 -m ping -u jenkins
cal-25 | FAILED => FAILED: Authentication failed.
[jenkins@geppetto ~]$

Any suggestions on troubleshooting this?

Thanks,

Joost

Serge van Ginderachter

May 23, 2014, 5:27:28 AM
to ansible...@googlegroups.com

On 23 May 2014 11:24, Joost Ringoot <jrin...@gmail.com> wrote:
> [jenkins@geppetto ~]$ ansible cal-25 -m ping -u jenkins

Can you show the output of this, adding -vvvv?

Joost Ringoot

May 23, 2014, 5:29:23 AM
to ansible...@googlegroups.com


On Friday, 23 May 2014 11:27:28 UTC+2, Serge van Ginderachter wrote:

> On 23 May 2014 11:24, Joost Ringoot <jrin...@gmail.com> wrote:
> > [jenkins@geppetto ~]$ ansible cal-25 -m ping -u jenkins
>
> Can you show the output of this, adding -vvvv?

[jenkins@geppetto ~]$ ansible -vvv cal-25 -m ping -u jenkins
<cal-25> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO cal-25

cal-25 | FAILED => FAILED: Authentication failed.
[jenkins@geppetto ~]$

I tried with root and pass, that works:

[jenkins@geppetto ~]$ ansible cal-25 -m ping -u root --ask-pass
SSH password:
cal-25 | success >> {
    "changed": false,
    "ping": "pong"
}

[jenkins@geppetto ~]$

Joost Ringoot

May 23, 2014, 5:31:19 AM
to ansible...@googlegroups.com

To be complete:

[jenkins@geppetto ~]$ ansible -vvv cal-25 -m ping -u root --ask-pass
SSH password:
<cal-25> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO cal-25
<cal-25> REMOTE_MODULE ping
<cal-25> EXEC /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1400837387.95-16436599027436 && echo $HOME/.ansible/tmp/ansible-tmp-1400837387.95-16436599027436'
<cal-25> PUT /tmp/tmp7uj9w8 TO /root/.ansible/tmp/ansible-tmp-1400837387.95-16436599027436/ping
<cal-25> EXEC /bin/sh -c 'LC_CTYPE=en_US.UTF-8 LANG=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1400837387.95-16436599027436/ping; rm -rf /root/.ansible/tmp/ansible-tmp-1400837387.95-16436599027436/ >/dev/null 2>&1'

cal-25 | success >> {
    "changed": false,
    "ping": "pong"
}
[jenkins@geppetto ~]$ ansible -vvv cal-25 -m ping -u jenkins
<cal-25> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO cal-25
cal-25 | FAILED => FAILED: Authentication failed.
[jenkins@geppetto ~]$
[jenkins@geppetto ~]$ ssh jenkins@cal-25
Last login: Fri May 23 11:24:01 2014 from geppetto.oma.be

[jenkins@cal-25 ~]$ exit
logout
Connection to cal-25 closed.
[jenkins@geppetto ~]$

Joost Ringoot

May 23, 2014, 5:38:15 AM
to ansible...@googlegroups.com
OK, I see now: ansible tries to log in as root, despite passing "-u jenkins".

On Friday, 23 May 2014 11:31:19 UTC+2, Joost Ringoot wrote:

Joost Ringoot

May 23, 2014, 5:47:56 AM
to ansible...@googlegroups.com
I explicitly defined remote_user as jenkins, it still wants to use root, any ideas?:

[jenkins@geppetto ~]$ cat ~/.ansible.cfg
[defaults]
log_path=/home/jenkins/.ansible/var/log/ansible.log
remote_user = jenkins
sudo_user = root

[jenkins@geppetto ~]$ ansible -vvv cal-25 -m ping -u jenkins
<cal-25> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO cal-25
cal-25 | FAILED => FAILED: Authentication failed.
[jenkins@geppetto ~]$ cat /home/jenkins/.ansible/var/log/ansible.log
2014-05-23 11:47:08,693 p=4285 u=jenkins |
2014-05-23 11:47:08,693 p=4285 u=jenkins | /opt/ansible/bin/ansible -vvv cal-25 -m ping -u jenkins
2014-05-23 11:47:08,694 p=4285 u=jenkins |
2014-05-23 11:47:08,755 p=4285 u=jenkins | <cal-25> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO cal-25
2014-05-23 11:47:09,048 p=4285 u=jenkins | cal-25 | FAILED => FAILED: Authentication failed.
[jenkins@geppetto ~]$




Vincent Van der Kussen

May 23, 2014, 5:50:31 AM
to ansible...@googlegroups.com
What if you specify --ask-sudo-pass ?

Joost Ringoot

May 23, 2014, 6:19:39 AM
to ansible...@googlegroups.com
No difference:

[jenkins@geppetto ~]$ ansible -vvv cal-25 -m ping -u jenkins --ask-sudo-pass
sudo password:
<cal-25> ESTABLISH CONNECTION FOR USER: root on PORT 22 TO cal-25
cal-25 | FAILED => FAILED: Authentication failed.
[jenkins@geppetto ~]$


Local sudo actions work with user jenkins, I don't think the problem is there.

[root@cal-25 ~]# grep SOFTWARE /etc/sudoers
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
jenkins ALL=(root) NOPASSWD: SOFTWARE
[root@cal-25 ~]# grep jenkins /etc/sudoers
#stuff for jenkins and ansible
jenkins ALL=(root) NOPASSWD: SOFTWARE
[root@cal-25 ~]#


Anyway thanks for looking into it Vincent and Serge


On Friday, 23 May 2014 11:50:31 UTC+2, Vincent Van der Kussen wrote:

Vincent Van der Kussen

May 23, 2014, 6:21:30 AM
to ansible...@googlegroups.com

Joost Ringoot

May 23, 2014, 6:23:00 AM
to ansible...@googlegroups.com

[jenkins@geppetto ~]$ ansible --version
ansible 1.7 (devel d314f1b038) last updated 2014/05/07 15:38:39 (GMT +200)
[jenkins@geppetto ~]$

On Friday, 23 May 2014 12:21:30 UTC+2, Vincent Van der Kussen wrote:

Vincent Van der Kussen

May 23, 2014, 6:26:22 AM
to ansible...@googlegroups.com

Joost Ringoot

May 23, 2014, 6:26:27 AM
to ansible...@googlegroups.com
Just tried again with latest clone from git:

[jenkins@geppetto ~]$ ansible --version
ansible 1.7 (devel ee82681d14) last updated 2014/05/23 12:24:44 (GMT +200)

Joost Ringoot

May 23, 2014, 6:45:30 AM
to ansible...@googlegroups.com

1.6? Where can I find that? The version available in epel is 1.5.5 and on the site of ansible I only find ansible tower.

Matt Martz

May 23, 2014, 8:11:13 AM
to ansible...@googlegroups.com
http://releases.ansible.com/ansible/

Also via pypi for installation with pip/easy_install


On Friday, May 23, 2014, Joost Ringoot <jrin...@gmail.com> wrote:

1.6  Where can I find that?  the version available in epel is 1.5.5 and on the site of ansible I only find ansible tower.


--
Matt Martz
ma...@sivel.net
http://sivel.net/

Michael DeHaan

May 23, 2014, 8:43:23 AM
to ansible...@googlegroups.com
I'd check to see if you had defined ansible_ssh_user in inventory somewhere.

If setting the user didn't work, I suspect we'd hear about it more, so I'm expecting this is something environmental.

(might you have something in your SSH config?)



Joost Ringoot

May 23, 2014, 2:44:40 PM
to ansible...@googlegroups.com
Thanks Michael,

ansible_ssh_user was indeed set in the hosts file.

Meanwhile I also found that inventory intentionally overrides the command line:
https://github.com/ansible/ansible/issues/4622

On Friday, 23 May 2014 14:43:23 UTC+2, Michael DeHaan wrote:
I'd check to see if you had defined ansible_ssh_user in inventory somewhere.

If setting the user didn't work, I suspect we'd hear about it more, so I'm expecting this is something environmental.

(might you have something in your SSH config?)

On Fri, May 23, 2014 at 8:11 AM, Matt Martz <ma...@sivel.net> wrote:
Also via pypi for installation with pip/easy_install


On Friday, May 23, 2014, Joost Ringoot <jrin...@gmail.com> wrote:

1.6  Where can I find that?  the version available in epel is 1.5.5 and on the site of ansible I only find ansible tower.

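
The cause found in this thread (ansible_ssh_user set in the inventory taking precedence over -u) can be checked for before a run. The following is an added example, not part of the thread and not Ansible's own code: a small Python scan of an INI-style inventory that reports every host line or [group:vars] section pinning the SSH user. The sample inventory, the host names other than cal-25, and the function names are constructed for illustration.

```python
import shlex

VAR = "ansible_ssh_user"  # the inventory variable named in the thread

# Constructed sample inventory (not taken from the thread).
SAMPLE_INVENTORY = """\
# constructed sample
[build]
cal-25 ansible_ssh_user=root
cal-26

[db]
db-01 ansible_ssh_port=2222

[db:vars]
ansible_ssh_user = postgres
"""

def find_user_overrides(inventory_text, var=VAR):
    """Return (line_no, scope, user) for each place the inventory pins the SSH user."""
    findings = []
    section, kind = None, "hosts"
    for line_no, raw in enumerate(inventory_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            # [group], [group:vars] or [group:children]
            section, _, suffix = line[1:-1].partition(":")
            kind = suffix or "hosts"
            continue
        if kind == "vars":
            key, sep, value = line.partition("=")
            if sep and key.strip() == var:
                findings.append((line_no, "group " + section, value.strip().strip("'\"")))
        elif kind == "hosts":
            # Host line: name followed by key=value pairs.
            host, *pairs = shlex.split(line, comments=True)
            for pair in pairs:
                key, sep, value = pair.partition("=")
                if sep and key == var:
                    findings.append((line_no, "host " + host, value))
    return findings

def explain(cli_user, findings):
    """Describe each inventory entry that would win over the -u value."""
    return [f"line {n}: {scope} connects as {user!r}, not -u {cli_user!r}"
            for n, scope, user in findings if user != cli_user]

if __name__ == "__main__":
    for msg in explain("jenkins", find_user_overrides(SAMPLE_INVENTORY)):
        print(msg)
```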