Getting "Permission denied (publickey)." when trying to clone Private Github repository, Public repo works

[Paul Hardwick]

Hello Ansiblers,

I am trying use ansible to bring in a Private GITHUB repository and am having issues and getting "Permission denied (publickey)." I've done some digging and checked the ideas I came across on the mailing list so far, but none of them have worked. 

- I've opened up the ports in the outbound firewall

- If I do a public repo it works fine, so its not an issue reaching GITHUB in general just the Private repositories.

- If I try to clone the Private repository manually on the destination server it works correctly

- GitHub ssh-key access test ( ssh -T g...@github.com ) works on box directly but fails under Ansible in a playbook using command.

So it would seem like the SSH key info isn't being passed along. BTW I've tried the github ssh-key test both with and without SUDO auth. And it fails either way. The SSH-key is the same for my SSH login and github.

I have included the log of the original failure and the github test for recognition of the users SSH-Key

Any clues of things I can check or what I might be doing wrong would be appreciated.

Thanks,

Paul

================ Start - from playbook output that fails ===

TASK: [git repo=g...@github.com:GitUserName/GitRepoName.git  dest=/usr/local/GitUserName/ansible-examples-ta4 version=HEAD  accept_hostkey=yes] ***
<111.222.333.444> REMOTE_MODULE git repo=g...@github.com:GitUserName/GitRepoName.git dest=/usr/local/GitUserName/ansible-examples-ta4 version=HEAD accept_hostkey=yes
failed: [bbb-sandbox-a-pub] => {"cmd": "/usr/bin/git ls-remote g...@github.com:GitUserName/GitRepoName.git -h refs/heads/HEAD", "failed": true, "rc": 128}
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
msg: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
FATAL: all hosts have already failed -- aborting

============== End - from playbook output that fails ===

================ Start - from Github SSH-key test that fails ===

TASK: [Execute command - check SSH-key access to GitHub] **********************
<111.222.333.444> ESTABLISH CONNECTION FOR USER: MyUbuntuUser
<111.222.333.444> REMOTE_MODULE command /usr/bin/ssh -T g...@github.com
<111.222.333.444> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/MyOSXuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=8023 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=MyUbuntuUser -o ConnectTimeout=10 111.222.333.444 /bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052 && echo $HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052'
<111.222.333.444> PUT /var/folders/jv/z2wn_pn52l76vtv84tsj2yf40000gx/T/tmpodUAD4 TO /home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/command
<111.222.333.444> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/Users/MyOSXuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=8023 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=MyUbuntuUser -o ConnectTimeout=10 111.222.333.444 /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/command; rm -rf /home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/ >/dev/null 2>&1'
failed: [bbb-sandbox-a-pub] => {"changed": true, "cmd": ["/usr/bin/ssh", "-T", "g...@github.com"], "delta": "0:00:00.113147", "end": "2015-01-16 22:01:21.784784", "rc": 255, "start": "2015-01-16 22:01:21.671637", "warnings": []}
stderr: Permission denied (publickey).
FATAL: all hosts have already failed -- aborting
PLAY RECAP ********************************************************************

====================== End - from Github SSH-key test that fails ===

======================= Start - ansible version info ===

$ ansible --version
ansible 1.8.2
  configured module search path = None

====================== End - ansible version info ===

[Paul Hardwick]

OK let me try this a different way. 

First let me verify that should work for Private repositories and not just Public ones.

Are there any special options that need/should be added to the master config file or as options when calling the containing Playbook?

Any ideas or even questions that might point me in the right direction appreciated.

[Toshio Kuratomi]

Private repositories should work. Here's a playbook I just ran to test:

---
- hosts: localhost
tasks:
- git:
repo: g...@github.com:ansible/****.git
accept_hostkey: True
dest: /var/tmp/private-checkout


From the sounds of it, I think you're right about the ssh key not
being used is the culprit. So my question would be how are you
setting things up so that ssh key is found and used by ansible? Are
you relying on ssh-agent forwarding or are you copying the private key
to the remote server beforehand? Is the key available to the correct
remote account user? etc.

-Toshio

> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/29af652d-0bed-484b-a86d-2c63dfd4b482%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.

[Paul Hardwick]

Sorry for the extra long delay in responding but I didn't your reply come in and I had been doing the git pulls manually just to get past it. I have been revisiting the issue since we may be moving to AWS and I've been trying to setup some new playbook to cover everything.

I've been relying on agent forwarding, not actually copying over the private key.

Public still works. But Private is still giving me fits. My playbook is almost identical to the one you posted. Except I ran on the remote server and not localhost

- I verified that AgentForwarding is being used "EXEC ssh -C -tt -vvv -o ForwardAgent=yes -" is in the log

- If I do basically the exact same steps manually it works.(using same SSH keypair to login to the same server)

- "ssh -T g...@github.com" works natively on the server via SSH, but fails when run via playbook

  - name: Execute command - check SSH-key access to GitHub
    command: /usr/bin/ssh -T git@github.com

the output with server ID obscured

TASK: [Execute command - check SSH-key access to GitHub] **********************

failed: [ec2-00-00-00-00.us-xxxxx-2.compute.amazonaws.com] => {"changed": true, "cmd": ["/usr/bin/ssh", "-T", "g...@github.com"], "delta": "0:00:00.496378", "end": "2015-07-21 19:51:54.642785", "rc": 255, "start": "2015-07-21 19:51:54.146407", "warnings": []}

stderr: Permission denied (publickey).


FATAL: all hosts have already failed -- aborting

I am going to a Ubuntu14LTS server and running  Ver1.9.2 of ansible now, but and earlier version during my prior attempts

Any Solid clues appreciated. I'm still digging thru the other threads but nothing matches yet.

Paul

[Paul Hardwick]

Like I mentioned I've been digging like crazy. I think I just found my nice obscure cause for the problem from a post back in July 2014. It seems that having sudo:yes can cause problems with git module. I had this GIT call as part of a playbook that needed sudo for other actions so I had it on. When I turned it off all of a sudden my Test and the actual GIT pull both worked 

Yeah !!!    :-)

The thread with the hint:

https://groups.google.com/d/topic/ansible-project/FECW2fFTrKM/discussion

Thanks for the help 

Paul