ssh-agent forwarding


Neil Young

Oct 11, 2021, 1:04:44 PM
to Ansible Project
Hi,

Trying for hours, can't make it work (although it already worked at some point)...

OK.

Having a public ssh key, say ~/.ssh/id_rsa.pub. Configured it to Bitbucket. Able to checkout my project using public key authentication from bitbucket on my local machine.

Was going to try that on an ansible node using ssh-agent forwarding.

Running `ssh-add ~/.ssh/id_rsa` once. `ssh-add -l` shows

4096 SHA256:SpKY4tbbE7pkV5Ex3plKgu6X4nq6jtnM+Lss5Xk605A me@anywhere(RSA)

As said, the same key is configured to bitbucket.

My ./ansible.cfg:

[ssh_connection]
ssh_args=-o ForwardAgent=yes

The playbook:

---
- hosts: all
  tasks:
   - name: Clone
     git:
         repo: g...@bitbucket.org:blabla.git
         dest: documentation

Running it with:

ansible-playbook -l servers -i hosts.cfg test.yml -v


Always ends up like so:

TASK [Clone] **********************************************************************************************************************************************************************************
fatal: [ubuntuVM]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "msg": "Host key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Host key verification failed.\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stderr_lines": ["Host key verification failed.", "fatal: Could not read from remote repository.", "", "Please make sure you have the correct access rights", "and the repository exists."], "stdout": "", "stdout_lines": []}

I understand the error, but I don't understand the problem :)



Matt Martz

Oct 11, 2021, 1:08:31 PM
to ansible...@googlegroups.com
Are you using become?  If so, sudo by default will not pass the env var used for SSH_AUTH_SOCK.  



--
Matt Martz
@sivel
sivel.net

Neil Young

Oct 11, 2021, 1:10:33 PM
to Ansible Project
Oh, strange. Maybe I know why it works. I must have tried that earlier too.

On my node I tried to clone the project manually. Didn't work of course. But on the way I was asked to add the bitbucket identity to the known hosts on my node.

The authenticity of host 'bitbucket.org (104.192.141.1)' can't be established.

RSA key fingerprint is SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added 'bitbucket.org,104.192.141.1' (RSA) to the list of known hosts.

g...@bitbucket.org: Permission denied (publickey).


In the end the local clone didn't work, but after that step the above sequence worked from my control node... So I was able to clone the project from remote after having bitbucket as known host on the node... Makes sense?



Neil Young

Oct 11, 2021, 1:11:16 PM
to Ansible Project
No, become is not used.

Neil Young

Oct 11, 2021, 1:26:10 PM
to Ansible Project
Interesting. I can achieve the same effect (it works from the outside) after having run

ssh -T g...@bitbucket.org

Seems I would need to add bitbucket as a known host somehow before the clone attempt...

Neil Young

Oct 11, 2021, 1:35:01 PM
to Ansible Project
Same result with 

ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts

on the remote node. 

I think in order to make ssh-agent forwarding work with ansible (at least with bitbucket) one has to make sure the node knows about the public key of bitbucket beforehand.


Neil Young

Oct 11, 2021, 1:44:03 PM
to Ansible Project
Finally this works for me:

---
- hosts: all
  tasks:
      - name: Make node aware of bitbucket's public SSH key
        known_hosts:
          name: 'bitbucket.org'
          key: 'bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=='
          state: present
          path: '~/.ssh/known_hosts'
     
      - name: Clone
        git:
            repo: g...@bitbucket.org:blabla.git
            dest: documentation


Not sure if it is the way to go, but it works.
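The playbook above pins a host key that was accepted interactively ("yes" at the prompt) and pasted from that session. Before pinning a key this way, a defender would check that the pasted known_hosts entry actually hashes to the fingerprint published by the provider. The script below is an added example, not code from the thread or from Ansible: it parses a known_hosts line, cross-checks the key type column against the type embedded in the key blob, computes the OpenSSH-style SHA256 fingerprint, and compares it to an expected value. The pinned line and the fingerprint are the ones quoted earlier in this thread; `make_known_hosts_line` is a helper assumed here for building test input.

```python
import base64
import hashlib
import hmac

# Taken from the thread: the known_hosts entry pinned with the known_hosts
# module, and the fingerprint ssh printed on first contact with bitbucket.org.
PINNED_LINE = "bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw=="
PRINTED_FINGERPRINT = "SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A"


def parse_known_hosts_line(line):
    """Return (host patterns, key type, decoded key blob) for one known_hosts entry."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    hosts, key_type, b64 = fields[0].split(","), fields[1], fields[2]
    blob = base64.b64decode(b64, validate=True)
    # An SSH public key blob starts with a length-prefixed type string; it has
    # to agree with the type column, otherwise the line was mangled or edited.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type column does not match key blob")
    return hosts, key_type, blob


def sha256_fingerprint(blob):
    """OpenSSH-style fingerprint: SHA256 over the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def entry_matches(line, expected_fingerprint):
    """True only if the entry's key hashes to a fingerprint obtained out of band."""
    _, _, blob = parse_known_hosts_line(line)
    return hmac.compare_digest(sha256_fingerprint(blob), expected_fingerprint)


def make_known_hosts_line(host, key_type, blob):
    """Assumed helper: build an entry from raw key bytes (used for constructed input)."""
    return "%s %s %s" % (host, key_type, base64.b64encode(blob).decode())


if __name__ == "__main__":
    ok = entry_matches(PINNED_LINE, PRINTED_FINGERPRINT)
    print("pinned bitbucket.org key matches the printed fingerprint:", ok)
```

Run the same check against the fingerprint the provider publishes on its own site rather than the one ssh printed, since the printed one came over the very connection being verified.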


Joe Vellella

Jul 5, 2023, 1:23:21 PM
to Ansible Project
Moving become out of the main play only into the specific ones I needed to solve my issue. Thanks 2 years later!