Ansible ssh fails to connect to host via ssh. Permission denied - Raw ssh works


Fabio Gomes Sakiyama

Oct 8, 2018, 9:22:49 PM
to Ansible Project
Hello guys,

I'm trying to use the ansible_authorized keys to create VMs (with packer and terraform), adding my workspace key to VMs authorized keys.
I think it worked because if I execute "ssh root@myVM", it connects without asking for a password.

But when I execute "ansible all -m ping -u root" to that same host, it fails with the error "ssh fails to connect to host via ssh. Permission denied".

I'm really confused and struggling to understand that, since a raw ssh works and the ansible ssh doesn't.

What am I missing??

Thanks in advance!

chenchireddy guvvala

Oct 8, 2018, 9:30:30 PM
to Ansible Project
You also add ssh_keys to the same host.
like below
# ssh-copy-id root@localhost or ssh-copy-id ro...@127.0.0.1

Thanks

Fabio Gomes Sakiyama

Oct 8, 2018, 9:33:38 PM
to Ansible Project
Hi Chen,

AFAIK, ssh-copy-id does exactly what the ansible module 'authorized_keys' does, which is to copy the desired ssh key to the server's authorized_keys.

If I'm correct, this step is already done, so the problem is something else :(

chenchireddy guvvala

Oct 8, 2018, 9:48:44 PM
to Ansible Project
Hi,

ssh-keygen creates the public and private keys. ssh-copy-id copies the local-host’s public key to the remote-host’s authorized_keys file. ssh-copy-id also assigns proper permission to the remote-host’s home, ~/.ssh, and ~/.ssh/authorized_keys.

Check the host entry in the /etc/hosts file:
127.0.0.1 localhost

Check command# ansible localhost -m ping -vv

Thanks.


Fabio Gomes Sakiyama

Oct 8, 2018, 10:05:42 PM
to Ansible Project
Hi Chen,

I'm aware of ssh-keygen and ssh-copy-id. The ansible module "authorized_keys" does the ssh-copy-id for me, so I don't need to run it manually.

The ssh works because when I execute "ssh root@myAddress", it works perfectly.
The problem is when doing exactly the same thing, but with ansible.

chenchireddy guvvala

Oct 8, 2018, 10:47:35 PM
to Ansible Project
As far as I am aware, Ansible always assumes jobs are running with SSH keys, on either the local system or the remote system.

Thanks.

Fabio Gomes Sakiyama

Oct 9, 2018, 10:16:26 AM
to Ansible Project
Hi Chen,

I managed to solve the problem. I needed to pass the public key of a different user. In addition, I changed the way I connect to the VMs: since I am using OpenStack, I configured Ansible to use the keypair to connect.

Thanks

Dave Cottlehuber

Oct 10, 2018, 3:54:59 AM
to Fabio Gomes Sakiyama, Ansible Project
On Tue, 9 Oct 2018, at 04:05, Fabio Gomes Sakiyama wrote:
> The problem is when doing exactly the same thing, but with ansible.

Hi Fabio,

I see you found a solution, but this is what I'd recommend doing next time.

Add -vvv and read the resulting output carefully. You can splice the ssh command from Ansible back into the shell to work out what is missing or different to just running ssh@<foo> locally.

Usually this is because the username is different or you’re using a different ssh key than expected.

e.g.:
$ ansible-playbook site.yml --diff --check -vvv

Gathering Facts...
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<w...@i09.com> ESTABLISH SSH CONNECTION FOR USER: root
Using module file /usr/local/lib/python2.7/site-packages/ansible/modules/system/setup.py
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=30 -tt i09.com 'which -s jailme'
<i09.koan-ci.com> ESTABLISH SSH CONNECTION FOR USER: ansible
<i09.com> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 i09.com '/bin/sh -c '"'"'/usr/local/bin/python2.7 && sleep 0'"'"''
<i09.com> (255, '', 'root@i09com: Permission denied (publickey).\r\n')
...

You can then try `ssh -F ./ssh_config -o ....` until you see what's missing. Check User= first.

I have some further settings in ansible.cfg and a per-customer ssh_config, in a git repo:

# ansible.cfg
[defaults]
inventory = ./hosts.ini
forks = 20
timeout = 30
poll_interval = 15
transport = ssh
retry_files_enabled = False
[ssh_connection]
ssh_args = -F ./ssh_config
pipelining = True

# ssh_config
Host *.i09.com www api beta couchdb cache rabbit vault
UseRoaming no
GSSAPIAuthentication no
KbdInteractiveAuthentication no
ServerAliveInterval 240
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p
ControlPersist 30m
KexAlgorithms curve255...@libssh.org,diffie-hellman-group-exchange-sha256
SendEnv VAULT_TOKEN
port 2200
user ansible
ForwardAgent yes
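
The comparison Dave describes, as an added example that is not part of the original thread: it parses the `SSH: EXEC` lines from `ansible -vvv` output and diffs the user, port, identity file and host key checking that Ansible forces against `ssh -G <host>` output from the working manual session. The host name, key paths and both sample inputs are constructed.

```python
import re
import shlex

EXEC_RE = re.compile(r"^<[^>]+> SSH: EXEC (ssh .*)$")
COMPARE = ("user", "port", "identityfile", "stricthostkeychecking")  # settings to diff

# Constructed -vvv excerpt in the shape of the log above (placeholder host and paths).
SAMPLE_VVV = """
<vm1.example.test> SSH: EXEC ssh -F ./ssh_config -o StrictHostKeyChecking=no -o Port=2200 -o 'IdentityFile="/home/ci/.ssh/deploy_key"' -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=30 vm1.example.test '/bin/sh -c '"'"'echo ok && sleep 0'"'"''
<vm1.example.test> (255, '', 'ansible@vm1.example.test: Permission denied (publickey).')
"""
# Constructed `ssh -G vm1.example.test` output: what the working manual ssh resolves to.
SAMPLE_SSH_G = """
user root
port 2200
identityfile ~/.ssh/id_rsa
stricthostkeychecking ask
"""

def parse_exec(line):
    """Return (options, host, config_file) for one 'SSH: EXEC' line, else None."""
    m = EXEC_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group(1))[1:]
    opts, config, host = {}, None, None
    while argv:
        arg = argv.pop(0)
        if arg == "-o" and argv:
            key, _, val = argv.pop(0).partition("=")
            opts.setdefault(key.lower(), val.strip('"'))  # ssh uses the first value it obtains
        elif arg == "-F" and argv:
            config = argv.pop(0)  # with -F, ~/.ssh/config is not read at all
        elif not arg.startswith("-"):
            host = arg  # first bare word is the target; the rest is the remote command
            break
    return opts, host, config

def parse_ssh_g(text):
    """Parse `ssh -G` output ('key value' lines); the first value per key is kept."""
    pairs = (l.strip().split(None, 1) for l in text.splitlines() if " " in l.strip())
    return {k.lower(): v for k, v in reversed(list(pairs))}

def differences(vvv_text, manual):
    """(host, setting, ansible_value, manual_value) where Ansible's forced value differs."""
    out = []
    for opts, host, _ in filter(None, map(parse_exec, vvv_text.splitlines())):
        out += [(host, k, opts[k], manual.get(k)) for k in COMPARE if k in opts and opts[k] != manual.get(k)]
    return out
```

On real data, feed it the saved output of the `-vvv` run and of `ssh -G` for the same host; a differing `user` or `identityfile` row is the case described in this thread.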

Arvind Thatikonda

Nov 19, 2018, 5:14:07 PM
to Ansible Project
Hi Fabio,
Can you please clarify how you managed to solve it? I created user ansible, and the public keys ID_RSA.pub are stored under /home/ansible/.ssh folders. ssh-copy-id should copy to the target server (client) when I run
ssh-copy-id ansible@privateip.
I created the same user name 'ansible' on the remote server.
I get a permission denied error.

Fabio Gomes Sakiyama

Nov 19, 2018, 6:48:01 PM
to ansible...@googlegroups.com
Hi Arvind,

It was pretty simple 'cause I was messing up the users.

Are you running your playbook with root? Which user did you set on your hosts as ansible_user? Are you using become inside your playbooks?
Also, I stopped using ssh, instead I'm using openstack keypair.

And try Dave's suggestion, it's very useful.


And finally, if possible, post your playbook.



Arvind Thatikonda

Nov 19, 2018, 6:55:25 PM
to ansible...@googlegroups.com
Hi Fabio, 
I am not using the playbook for this particular task, I am creating an ansible control server and client. I am trying to connect from control server to client after generating the ssh keys. 
I used ssh-keygen on ubuntu server using ansible user.  I am setting a passwordless connection from the ansible control server /localhost to client.






--
Thanks & Regards,
Arvind;

Fabio Gomes Sakiyama

Nov 21, 2018, 3:07:30 AM
to ansible...@googlegroups.com
Sorry, couldn't look further.
Could you provide any log of the permission denied you're getting?
