Help: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}


Ramu Akula

Jul 30, 2018, 12:18:44 PM
to Ansible Project
Hi Ansible Gurus,
 I'm trying to automate some of my manual tasks on a VM.
As part of that my VM doesn't have direct root access. 
So I've to use a different user and then escalate to root.
When I try to switch to root user, the password prompt is different than the default prompt.
The prompt I see is as shown below

==================
[user1@vm-1 tmp]$ su - root
Enter login password: 
=================

I wrote a playbook to test the connectivity. The play looks as below

=====================================
---
-
 hosts: vm-1
 any_errors_fatal: true
 become: true
 become_method: su
 become_user: root
 gather_facts: no
 vars:
  ansible_become_pass: "r00t"
 tasks:
  - name: Test me
    command: 'echo works'
=====================================

My host file looks as below
=====================================
localhost ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
vm-1 ansible_ssh_host=1.2.3.4 ansible_connection=ssh ansible_ssh_user=user1 ansible_ssh_pass=password ansible_ssh_extra_args='-o StrictHostKeyChecking=no'
=====================================

With this config, when I try to run the play, I'm getting below error

fatal: [vm-1]: FAILED! => {"msg": "Timeout (12s) waiting for privilege escalation prompt: "}


The same playbook works on a different VM, but the prompt while trying to switch user to root is simply "Password"

Appreciate your help on this.

Thanks in advance.
Ramu

Patrick Hunt

Jul 30, 2018, 12:49:04 PM
to Ansible Project
Ramu, 

I'm not sure how you are executing the playbook.  There are flags that are required to prompt for privilege escalation credentials.  The flag "--ask-become-pass" or "-K" will provide a prompt for entering the su password.

For example, when I run certain playbooks I run 

ansible-playbook path/to/some/playbook.yml -Kku username

This is 
-K : su password
-k : ssh password
-u : user to connect as

The privilege escalation will not pick up the variable you have written into your playbook and use that to escalate.

I hope this helps clear this up some.

Ramu

Jul 31, 2018, 9:57:31 AM
to ansible...@googlegroups.com
Hi Patrick,
 Thanks for the kind response.
I'm passing the su password in my playbook itself using the vars
ansible_become_pass: "r00t"

And I tried the option of passing it using -K.

Thanks,
Ramu


Patrick Hunt

Jul 31, 2018, 12:12:26 PM
to Ansible Project
Ramu, 

Are you able to run the following ad-hoc ansible command (replacing "<username>" with the actual username)


ansible vm-1 -m ping -kKu <username> -b --become-method=su --become-user=root

This should prompt you for the SSH password and then the SU password.

You should get output similar to below:
 
vm-1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}


This is a simple way that I am able to check connections and privilege escalation.  If this succeeds we may need to look at how you launch the playbook, or perhaps a closer look at the playbook itself.

Let me know, Thanks!

Ramu

Jul 31, 2018, 1:08:36 PM
to ansible...@googlegroups.com
Hi Patrick,
 Once again thanks for the response.
I tried that and it failed with the same error.

Here is the output:
=========================
root@ubuntu:/var/tmp/# ansible vm-1 -m ping -kKu rdb -b --become-method=su --become-user=root    
SSH password: 
SU password[defaults to SSH password]: 
oam2 | FAILED! => {
    "msg": "Timeout (12s) waiting for privilege escalation prompt: "
}
root@ubuntu:/var/tmp/# 
=========================

regards,
Ramu


Patrick Hunt

Jul 31, 2018, 1:53:42 PM
to Ansible Project
Hmmm... 

Ok, so I'm getting stumped here.

Reading back on your original post; are you able to become the root user manually (not using ansible, but logging in via SSH with the user and then running su - root)?

You may need to correct permissions on the server before being able to escalate privileges with Ansible.  Is the user part of the wheel group?


Thanks, 
Patrick

Ramu

Jul 31, 2018, 3:09:26 PM
to ansible...@googlegroups.com
Hi Patrick,
 Yes. I'm able to login manually and become root.
Below is the output.

---------------------------
[user1@vm1 tmp]$ su - root
Enter login password: 
Last login: Tue Jul 31 19:05:02 UTC 2018 from 135.104.203.80 on ssh
[root@z5savcsdb5101vm002 ~]# 
---------------------------

As stated in my original post, when I try to su to root, the password prompt is as highlighted.
On other systems, I see it as "Password"

I'm wondering if this could be an issue/bug in Ansible.

regards, Ramu



Kai Stian Olstad

Jul 31, 2018, 3:23:39 PM
to ansible...@googlegroups.com
On 31.07.2018 21:09, Ramu wrote:
> Hi Patrick,
> Yes. I'm able to login manually and become root.
> Below is the output.
>
> ---------------------------
> [user1@vm1 tmp]$ su - root
> Enter login password:
> Last login: Tue Jul 31 19:05:02 UTC 2018 from 135.104.203.80 on ssh
> [root@z5savcsdb5101vm002 ~]#

Here you are logged in as user1, but in this previous example you are
using the user rdb

root@ubuntu:/var/tmp/# ansible vm-1 -m ping -kKu rdb -b
--become-method=su --become-user=root
SSH password:
SU password[defaults to SSH password]:
oam2 | FAILED! => {
"msg": "Timeout (12s) waiting for privilege escalation prompt: "
}

Ref the "-u rdb" in the above command.


You would need to login with the same user, rdb, to check if you can do
su with that user.

If that works, you need to add -vvvv to your ansible command so that
Ansible outputs connection information.

--
Kai Stian Olstad

Ramu

Jul 31, 2018, 5:24:09 PM
to ansible...@googlegroups.com
Kai,
 Yes, I logged in with the correct user, but it's a copy-paste error.

Here is the verbose output.

<1.2.3.4> (0, 'ansible-tmp-1533072148.28-279979573550115=/home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115\n', 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 15640\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/system/ping.py
<1.2.3.4> PUT /root/.ansible/tmp/ansible-local-15625S_C9qw/tmpLOijTW TO /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py
<1.2.3.4> SSH: EXEC sshpass -d12 sftp -o BatchMode=no -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=rdb -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/de671cab3f '[1.2.3.4]'
<1.2.3.4> (0, 'sftp> put /root/.ansible/tmp/ansible-local-15625S_C9qw/tmpLOijTW /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py\n', 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 15640\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug2: Remote version: 3\r\ndebug2: Server supports extension "posix-...@openssh.com" revision 1\r\ndebug2: Server supports extension "sta...@openssh.com" revision 2\r\ndebug2: Server supports extension "fsta...@openssh.com" revision 2\r\ndebug2: Server supports extension "hard...@openssh.com" revision 1\r\ndebug2: Server supports extension "fs...@openssh.com" revision 1\r\ndebug3: Sent message fd 5 T:16 I:1\r\ndebug3: SSH_FXP_REALPATH . 
-> /home/rdb size 0\r\ndebug3: Looking up /root/.ansible/tmp/ansible-local-15625S_C9qw/tmpLOijTW\r\ndebug3: Sent message fd 5 T:17 I:2\r\ndebug3: Received stat reply T:101 I:2\r\ndebug1: Couldn\'t stat remote file: No such file or directory\r\ndebug3: Sent message SSH2_FXP_OPEN I:3 P:/home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py\r\ndebug3: Sent message SSH2_FXP_WRITE I:4 O:0 S:32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 4 32768 bytes at 0\r\ndebug3: Sent message SSH2_FXP_WRITE I:5 O:32768 S:32768\r\ndebug3: Sent message SSH2_FXP_WRITE I:6 O:65536 S:302\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 5 32768 bytes at 32768\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: In write loop, ack for 6 302 bytes at 65536\r\ndebug3: Sent message SSH2_FXP_CLOSE I:4\r\ndebug3: SSH2_FXP_STATUS 0\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<1.2.3.4> ESTABLISH SSH CONNECTION FOR USER: rdb
<1.2.3.4> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=rdb -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ControlPath=/root/.ansible/cp/de671cab3f 1.2.3.4 '/bin/sh -c '"'"'chmod u+x /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py && sleep 0'"'"''
<1.2.3.4> (0, '', 'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 15640\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 0\r\n')
<1.2.3.4> ESTABLISH SSH CONNECTION FOR USER: rdb
<1.2.3.4> SSH: EXEC sshpass -d12 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o User=rdb -o ConnectTimeout=10 -o StrictHostKeyChecking=no -o ControlPath=/root/.ansible/cp/de671cab3f -tt 1.2.3.4 '/bin/sh -c '"'"'su  root -c '"'"'"'"'"'"'"'"'/bin/sh -c '"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-uoqicabaewvrilicfbsweoportlzqwse; /usr/bin/python /home/rdb/.ansible/tmp/ansible-tmp-1533072148.28-279979573550115/ping.py'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"'"''"'"'"'"'"'"'"'"' && sleep 0'"'"''
oam2 | FAILED! => {




Kai Stian Olstad

Aug 1, 2018, 4:57:36 PM
to ansible...@googlegroups.com
On 31.07.2018 23:23, Ramu wrote:
> Kai,
> Yes. I logged in with correct user. But it's copy paste error.
>
> Here is the verbose output.

Unfortunately it didn't give any more information.

Sshpass just looks for "assword:" to determine when it should provide the
password for ssh.
I thought that Ansible did that for the su prompt as well, but I was wrong
after looking at the source code.
It has support for a bunch of languages, but the prompt needs to be
"<some_word>'s password" or "password" for English and it's case
insensitive.

So your prompt "Enter login password:" will not work.
There is no way of configuring this, but patching Ansible to make it
work isn't hard, but then you would need to maintain your own Ansible
version.

--
Kai Stian Olstad

Kai Stian Olstad

Aug 1, 2018, 5:15:35 PM
to ansible...@googlegroups.com
On 01.08.2018 22:57, Kai Stian Olstad wrote:
> It has support for a bunch of languages, but the prompt needs to be
> "<some_word>'s password" or "password" for English and it's case
> insensitive.

Correction, the strings must be "<some_word>'s password: " or "password: ".

--
Kai Stian Olstad
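
The prompt rule described in the two messages above, as an added sketch that is not Ansible's source code: the match is anchored at the start of the su output, so "Enter login password: " is never recognized and the task waits out the timeout. The function names, the word subset and the sample prompts are constructed for illustration.

```python
import re

# Subset of the localized words from the list quoted later in this thread.
PROMPT_WORDS = ["Password", "Passwort", "Contraseña", "Mot de passe", "パスワード"]

# ASCII colon or fullwidth colon, as bytes (su output arrives as bytes).
_COLON = b"(?::|" + re.escape("：".encode("utf-8")) + b")"


def build_su_prompt_re(words):
    """Optional "<word>'s ", then a known password word, then a colon."""
    alternatives = b"|".join(re.escape(w.encode("utf-8")) for w in words)
    pattern = rb"(\w+'s )?(?:" + alternatives + b") ?" + _COLON + b" ?"
    return re.compile(pattern, re.IGNORECASE)


def diagnose(output, words=PROMPT_WORDS):
    """Classify a captured su prompt.

    'match'   - recognized, the become password would be sent
    'prefix'  - a known word is present but other text precedes it
                (the "Enter login password: " case in this thread)
    'unknown' - no known password word at all
    """
    if build_su_prompt_re(words).match(output):
        return "match"
    lowered = output.lower()
    if any(w.encode("utf-8").lower() in lowered for w in words):
        return "prefix"
    return "unknown"


# Constructed sample prompts, not captured from a real host.
CONSTRUCTED_PROMPTS = [
    b"Password: ",
    b"root's password: ",
    "Contraseña: ".encode("utf-8"),
    b"Enter login password: ",
    b"login: ",
]

if __name__ == "__main__":
    for prompt in CONSTRUCTED_PROMPTS:
        print(repr(prompt), "->", diagnose(prompt))
    # Adding the site-specific prompt to the word list makes it match.
    custom = PROMPT_WORDS + ["Enter login password"]
    print(diagnose(b"Enter login password: ", custom))
```

Ansible 2.8 and later moved this word list into the su become plugin as the `prompt_l10n` option, settable per host with `ansible_su_prompt_l10n`, so a site-specific prompt no longer needs a patched copy.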

Badraj Angirekula

Aug 2, 2018, 3:54:51 AM
to ansible...@googlegroups.com
Hi all, I am facing an error in AWS, please help.


[root@server2 ~]# ssh -i bhadra.pem ec2-...@ec2-50-112-6-190.us-west-2.compute.amazonaws.com
The authenticity of host 'ec2-50-112-6-190.us-west-2.compute.amazonaws.com (50.112.6.190)' can't be established.
ECDSA key fingerprint is 1f:1b:6b:13:d2:7a:b5:a4:4b:78:84:b7:98:05:ab:39.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-50-112-6-190.us-west-2.compute.amazonaws.com,50.112.6.190' (ECDSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'bhadra.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: bhadra.pem
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Thanks & Regards,
BADRAJ ANGIREKULA




Ramu

Aug 2, 2018, 5:17:08 PM
to ansible...@googlegroups.com
Thanks Kai.
 Yes, it looks like the file "play_context.py" has hardcoded the prompt to contain something from the below list

# TODO: needs to be configurable
b_SU_PROMPT_LOCALIZATIONS = [
    to_bytes('Password'),
    to_bytes('암호'),
    to_bytes('パスワード'),
    to_bytes('Adgangskode'),
    to_bytes('Contraseña'),
    to_bytes('Contrasenya'),
    to_bytes('Hasło'),
    to_bytes('Heslo'),
    to_bytes('Jelszó'),
    to_bytes('Lösenord'),
    to_bytes('Mật khẩu'),
    to_bytes('Mot de passe'),
    to_bytes('Parola'),
    to_bytes('Parool'),
    to_bytes('Pasahitza'),
    to_bytes('Passord'),
    to_bytes('Passwort'),
    to_bytes('Salasana'),
    to_bytes('Sandi'),
    to_bytes('Senha'),
    to_bytes('Wachtwoord'),
    to_bytes('ססמה'),
    to_bytes('Лозинка'),
    to_bytes('Парола'),
    to_bytes('Пароль'),
    to_bytes('गुप्तशब्द'),
    to_bytes('शब्दकूट'),
    to_bytes('సంకేతపదము'),
    to_bytes('හස්පදය'),
    to_bytes('密码'),
    to_bytes('密碼'),
    to_bytes('口令'),
]


This leaves the flexibility of customization.
Rather, Ansible should provide an option to specify custom prompt messages. As we can see, there is a TODO note in the code.
Maybe we need to raise this as an issue with the Ansible team.

Thanks,
Ramu

On Thu, Aug 2, 2018 at 3:00 AM Durga Prasad <durgaprasad...@gmail.com> wrote:
Hi BADRAJ ANGIREKULA,

Please give permission for your key using the below command:

$ sudo chmod  0644  bhadra.pem

Thanks & Regards,
Durgaprasad 

Ramu

Aug 2, 2018, 5:19:44 PM
to ansible...@googlegroups.com
Hi Badra,
 To your question, the ssh key permission should be 600. In your case you set it as 644.
Please change it to 600 using : chmod 0600  bhadra.pem
And try running the play.
Also please change the subject. 

regards,
Ramu

On Thu, Aug 2, 2018 at 3:00 AM Durga Prasad <durgaprasad...@gmail.com> wrote:
Hi BADRAJ ANGIREKULA,

Please give permission for your key using the below command:

$ sudo chmod  0644  bhadra.pem

Thanks & Regards,
Durgaprasad 

