Privilege escalation by rsa key
109 views
Skip to first unread message
Evan Hisey
Aug 16, 2023, 4:32:21 PM8/16/23
to ansible...@googlegroups.com
So I have been doing some rsa-key based to factor authentication work recently, but have hit a stumbling block with Ansible. Has anyone ever done key based privilege escalation? Apparently just use the ssh connection option ForwardAgent=true is not quite the same as "ssh -A" when doing escalation.
For those not familiar with rsa key privilege escalation via sudo this is a good link: https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
Before I get advice to just use passwordless sudo, that is something I am looking for a way to avoid as it generates a massive amount of paperwork in the federal FISMA high and med spaces that require MFA and expected MFA elevated privilege access.
Manually I am very successful with the RSA key
[user@localhost vagrant-kube]$ ssh -A 10.0.0.18
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
[user@kube ~]$ sudo whoami
root
[user@kube ~]$ exit
logout
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
[user@kube ~]$ sudo whoami
root
[user@kube ~]$ exit
logout
However Ansible is not making the same connections:
[user@localhost vagrant-kube]$ ansible-playbook mvp.yml
PLAY [all] ***********************************************************************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************************************************
fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
PLAY RECAP ************************************************************************************************************************************************************
10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
PLAY [all] ***********************************************************************************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************************************************
fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
PLAY RECAP ************************************************************************************************************************************************************
10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
I have tried several options, and assume it is going to end up being something in the SSH connection options to get this working beyond using "ForwardAgent=Yes"
Pierre TOURON
Aug 19, 2023, 1:32:39 PM8/19/23
to Ansible Project
Hi,
I haven't tested this myself, but this article mentions that you'd need to set ansible_become_pass var somewhere with a potential dummy value. Give it a try !
Evan Hisey
Aug 19, 2023, 9:38:46 PM8/19/23
to ansible...@googlegroups.com
Pierre-
That was the missing bit. This is definitely an issue in Ansible that probably needs to be addressed.
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com.
jbor...@gmail.com
Aug 20, 2023, 6:34:59 AM8/20/23
to Ansible Project
You can control what arguments Ansible uses to invoke the ssh binary with. See ssh_extra_args [1] for ways to set extra arguments. You can run Ansible with -vvv and it will show you the full ssh command being run on each connection.
Evan Hisey
Aug 20, 2023, 10:19:26 AM8/20/23
to ansible...@googlegroups.com
Using ssh_extra_args does not solve the issue. There is already 2 other methods of ensuring the ssh side of the house work. The core issue turns out to be something of a known bug in ansible
, ansible wants a password if you are not using passwordless sudo. The article linked by Pierre discovered ot.
, ansible wants a password if you are not using passwordless sudo. The article linked by Pierre discovered ot.
This was easy to confirm by simple adding the "ansible_become_pass" with a garbage setting and it works, remove variable and it fails. Not sure if the ansible team is planning to address this or not.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/399a21d3-3f82-4b8e-9ee6-ac95338fde2an%40googlegroups.com.
jbor...@gmail.com
Aug 20, 2023, 5:08:04 PM8/20/23
to Ansible Project
> ansible wants a password if you are not using passwordless sudo. The article linked by Pierre discovered ot.
Ansible only wants a password if it gets prompted by sudo for one, if there is no prompt there is no mandatory password. You can definitely use become sudo without a password normally and not have a password set.
Evan Hisey
Aug 20, 2023, 7:23:27 PM8/20/23
to ansible...@googlegroups.com
Not true. If you dint give it a password and use rsa sudo it still.asks for password. Follow the article Pierre linked and you can reproduce the issue, i am using ansible 2.14. The only change between working and not working is setting a dummy password. I started with using the ssh args which did not work.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2a218fb1-15be-4fcb-8a82-bd65eeecd2f5n%40googlegroups.com.
jbor...@gmail.com
Aug 20, 2023, 8:01:41 PM8/20/23
to Ansible Project
What I'm trying to say is that sudo is still writing the password is required message which then causes Ansible to say the password is required. If sudo doesn't write this line then Ansible won't say it needs a password ansible_become_pass.
Going backwards from the error we can see "Missing sudo password" is raised in the ssh connection plugin https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/connection/ssh.py#L1146-L1150 when the 'become_nopasswd_error' flag has been set.
The 'become_nopasswd_error' flag is set when the output line being processed is validated as missing through the become plugin's check_missing_password function https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/connection/ssh.py#L908-L910.
The become plugins check_missing_password function checks whether the processed line contains one of the known "missing password" responses https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/become/__init__.py#L104-L108.
These known "missing password" lines are "Sorry, a password is required to run sudo" or "sudo: a pasword is required" https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/become/sudo.py#L90.
So ultimately the reason why you are seeing this error is because sudo is writing one of those 2 responses to the stdout/stderr of the ssh process and the become plugin is flagging that as the password needs to be set. What should be investigated is why the sudo invocations done without the
password is causing sudo to display this error vs why it accepts a
dummy password. Also knowing why it's working for an interactive command outside of Ansible vs the non-interactive command being run by Ansible when there is no password.
If you run with '-vvv' you can see the exact commands Ansible is running for each task which will show both the ssh arguments as well as the sudo arguments being run on the ssh target. When you run with a set sudo password the '-p "[sudo via ansible, key=random] password:"' argument is going to be added to the sudo prompt but I cannot see any other changes. Playing around with these commands can give you a way to try and replicate how Ansible runs things outside of Ansible itself giving you more things to try yourself.
Brian Coca
Aug 21, 2023, 11:20:03 AM8/21/23
to ansible...@googlegroups.com
The Ansible engine does not really handle this directly, this is
mostly up to the sudo become plugin.
While the connection plugins are the ones listening to output, they
have hooks for the become plugins to match, in this case the output
from sudo (prompting for a password) is matched by the sudo become
plugin. Which when prompted, if it has a password, it passes it as
input, if not .. then raises an error that requires a password.
The default options we pass to sudo are -H -S -n (only the last 2
matter for this issue), while -S handles where sudo sends
output/expects input (stdin) the -n tells it not to prompt .. EXCEPT
if sudo itself determines the command needs a password. How does sudo
determine this? by using `NOPASSWORD` on the command, it then prompts
the user and sends the info to PAM for it to authenticate .. but PAM
in this case does not require the password, as it finds the ssh key to
be sufficient (but sudo has no idea about this) and that is how we get
to the current behavior.
So if you have this setup you have a few workarounds:
- Configure sudo to not attemp using passwords (passwd_tries = 0),
this might be an issue if this user tries to do any manual escalation
w/o sshing in.
- The already mentioned junk become password
- Modify/create a custom sudo become plugin to take a new option
(ignore_password_prompt=false|true) to avoid raising the error.
----------
Brian Coca
mostly up to the sudo become plugin.
While the connection plugins are the ones listening to output, they
have hooks for the become plugins to match, in this case the output
from sudo (prompting for a password) is matched by the sudo become
plugin. Which when prompted, if it has a password, it passes it as
input, if not .. then raises an error that requires a password.
The default options we pass to sudo are -H -S -n (only the last 2
matter for this issue), while -S handles where sudo sends
output/expects input (stdin) the -n tells it not to prompt .. EXCEPT
if sudo itself determines the command needs a password. How does sudo
determine this? by using `NOPASSWORD` on the command, it then prompts
the user and sends the info to PAM for it to authenticate .. but PAM
in this case does not require the password, as it finds the ssh key to
be sufficient (but sudo has no idea about this) and that is how we get
to the current behavior.
So if you have this setup you have a few workarounds:
- Configure sudo to not attemp using passwords (passwd_tries = 0),
this might be an issue if this user tries to do any manual escalation
w/o sshing in.
- The already mentioned junk become password
- Modify/create a custom sudo become plugin to take a new option
(ignore_password_prompt=false|true) to avoid raising the error.
----------
Brian Coca
Reply all
Reply to author
Forward
0 new messages