ansible_ssh_pass parameter with salt encrypt value of ansible_user password makes client server Unreachable on playbook run


Lorenzo Farinas

Jul 28, 2017, 6:58:45 PM
to Ansible Project
I successfully created and tested some Ansible playbooks; that is, when the ansible_ssh_pass parameter value is the actual password of the ansible_user for the involved server specified in a group in the /etc/ansible/hosts file. But when the ansible_ssh_pass parameter was replaced with its salt encrypt value for security reasons, the playbook run would fail with the server Unreachable. Please advise.

Dick Visser

Jul 29, 2017, 12:09:50 PM
to ansible...@googlegroups.com
The ansible_ssh_pass parameter is meant to supply the plain text password only.
Anything else ("salt encrypt value" - whatever that may be) won't work.

If you're looking to improve security then move away from password
authentication and start using public key auth.

Dick



--
Dick Visser
GÉANT

Want to join us? We're hiring: https://www.geant.org/jobs

Daniel JD

Jul 29, 2017, 1:44:54 PM
to Ansible Project
Also check out Ansible Vault for more security.

http://docs.ansible.com/ansible/latest/playbooks_vault.html

Lorenzo Farinas

Aug 2, 2017, 4:50:35 PM
to Ansible Project
Daniel,

This is the configuration I have for this server that belongs to the apacheservers group that worked, with the root password explicitly entered in the ansible_ssh_pass parameter.  
[apacheservers]
TestRHEL73tr1 ansible_host=XX.X.XX.XXX ansible_port=22 ansible_user=root ansible_ssh_pass=

I tried to use the vault by creating a .vault_pass file with its content ansible_ssh_pass=value of root password, and then ran ansible-playbook CreateTestfile.yml --vault-password-file /root/.vault_pass, but I got the following error message:
Attempted to read "/etc/ansible/hosts" as ini file: /etc/ansible/hosts:16: Expected key=value host variable assignment, got: ansible_ssh_pass

Please help on how to properly use the vault concept in securing ansible playbook run.

Thanks,
Lorenzo

Lorenzo Farinas

Aug 2, 2017, 6:31:25 PM
to Ansible Project
Dick, How can I start using public key auth on Ansible?  What's its procedure/process and the commands to use in running ansible-playbook when using it?  - Thanks, Lorenzo

Lorenzo Farinas

Aug 3, 2017, 2:55:40 PM
to Ansible Project
I also want to know if anyone can help on how to fix this problem as even though I put back the plain text password to the ansible_ssh_pass parameter, the playbook run would still fail with the server Unreachable on the server that had the parameter replaced with its salt encrypt value.

Lorenzo Farinas

Aug 3, 2017, 6:06:06 PM
to Ansible Project
I noticed that even now when I enter the plain text password on the ansible_ssh_pass parameter for the server in the /etc/ansible/hosts file, I would still get the same error message on playbook run when I attempted to use the vault.  Can someone help on how this can be resolved so at least I can run the playbook like before with the plain text password on ansible_ssh_pass parameter.

Adrian Likins

Aug 8, 2017, 1:44:13 PM
to ansible...@googlegroups.com
> I tried to use the vault by creating a .vault_pass file with its content ansible_ssh_pass=value of root password, and then ran ansible-playbook CreateTestfile.yml --vault-password-file /root/.vault_pass, but I got the following error message:
> Attempted to read "/etc/ansible/hosts" as ini file: /etc/ansible/hosts:16: Expected key=value host variable assignment, got: ansible_ssh_pass

To clarify some terms:

'vault password': A password used by vault to encrypt/decrypt content.
'passwords stored in vault':  A password for something like a user auth or ssh private keys, that is stored in a vault (encrypted with ansible-vault and a vault password)

--vault-password-file is for reading a 'vault password' from a file, i.e., a password used by vault for decrypting/encrypting.

ansible_ssh_pass would need to be populated from a variable in a vault encrypted vars file (or inventory file) for that example.


But that is the wrong approach.

The right approach is:

    Use ssh keys and ssh-agent instead of trying to store the password in ansible.

A working key based ssh and ssh-agent setup is a prerequisite for practical ansible use.



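The two mistakes this thread runs into can be checked mechanically: a connection password written into /etc/ansible/hosts, and a --vault-password-file that holds `ansible_ssh_pass=...` instead of the vault password. The script below is an added example, not part of any post in the thread; the function names, the extra hosts, the addresses and the secret values are constructed for illustration.

```shell
# Added example (not from the thread): check an INI inventory and a vault
# password file for the two mistakes discussed above.

# Print LINE:VAR:REASON for each connection secret written into the inventory.
# Assumes key=value pairs with no spaces around "=".
audit_inventory() {
    awk '
    /^[ \t]*$/ || /^[ \t]*[#;]/ || /^[ \t]*\[/ { next }  # blanks, comments, [group] headers
    {
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (kv[1] !~ /^ansible_(ssh_pass|password|become_pass)$/) continue
            val = substr($i, length(kv[1]) + 2)
            if (n == 1)                why = "no-value"   # the "Expected key=value" parse error
            else if (index(val, "{{")) continue           # variable reference, e.g. one kept in a vault
            else if (val == "")        why = "empty"
            else                       why = "inline-secret"
            printf "%d:%s:%s\n", NR, kv[1], why
        }
    }' "$1"
}

# Print a verdict for a --vault-password-file candidate; return non-zero unless
# it is owner-only and holds a bare password rather than a key=value line.
check_vault_pass_file() {
    [ -f "$1" ] || { echo "missing"; return 1; }
    mode=$(stat -c %a "$1")                 # GNU stat; on BSD/macOS use: stat -f %Lp
    case "$mode" in 600|400) ;; *) echo "mode-$mode"; return 1 ;; esac
    # Heuristic: the file must contain only the vault password itself.
    if grep -Eq '^ansible_[a-z_]+=' "$1"; then echo "holds-variable"; return 1; fi
    echo "ok"
}

# Constructed samples reproducing the thread: a password inline in the
# inventory, and a .vault_pass file that wrongly contains the ssh variable.
demo_dir=$(mktemp -d)
cat > "$demo_dir/hosts" <<'EOF'
[apacheservers]
TestRHEL73tr1 ansible_host=192.0.2.10 ansible_port=22 ansible_user=root ansible_ssh_pass=CONSTRUCTED-SECRET
TestRHEL73tr2 ansible_host=192.0.2.11 ansible_user=root ansible_ssh_pass
TestRHEL73tr3 ansible_host=192.0.2.12 ansible_user=deploy
EOF
printf 'ansible_ssh_pass=CONSTRUCTED-SECRET\n' > "$demo_dir/.vault_pass"
chmod 600 "$demo_dir/.vault_pass"
audit_inventory "$demo_dir/hosts"
check_vault_pass_file "$demo_dir/.vault_pass" || true
```

An inventory that passes the audit carries no password variable at all (key-based login), or only a `{{ ... }}` reference to a variable defined in a vault-encrypted vars file.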

Lorenzo Farinas

Aug 10, 2017, 3:19:40 PM
to Ansible Project
Please provide the procedure on how to add ssh-agent and ssh keys to the client with reference to Ansible control machine.  My research on this task is not productive.  - Thanks, Lorenzo

Dick Visser

Aug 10, 2017, 5:04:16 PM
to ansible...@googlegroups.com
On 10 August 2017 at 21:19, Lorenzo Farinas <farinas...@gmail.com> wrote:
> Please provide the procedure on how to add ssh-agent and ssh keys to the
> client with reference to Ansible control machine. My research on this task
> is not productive. - Thanks, Lorenzo

Working with SSH keys and agents is considered a basic sysadmin skill
and a prerequisite for ansible, so if this turns out to be
problematic then it's a good idea to get familiar with this first.
This list isn't the right place for that, but the topic is thoroughly
documented in numerous places on the internet.

Lorenzo Farinas

Aug 11, 2017, 2:27:36 PM
to Ansible Project
I found a way to generate key pair using RSA on Ansible control machine, copied the public key to the client's /.ssh/authorized_keys.  When I run a playbook, it prompts me for the password I used to protect the private key.  I followed the SSH Agent Forwarding with Ansible notes by configuring the ssh_args parameter in the /etc/ansible/ansible.cfg file and the SSH_AUTH_SOCK Defaults parameter in the /etc/sudoers file of the client; but I'm still getting prompted with the password for private key on playbook run.  What's the procedure to make the playbook run passwordless?  - Thanks, Lorenzo

Chris

Aug 15, 2017, 11:52:58 AM
to Ansible Project
There's not much documentation on this procedure, man. I tried to set it up and failed. However, I don't have a Cert server, so I tried using an SSL cert. Here are a couple of links I found that will give you somewhere to start.

The directions are for a remote PS from Windows to Windows. The Ansible side is easy; most of the setup is on the Windows host.