Incorrect sudo password on HP-UX


mark....@dsv.com

Jul 31, 2017, 3:55:47 PM
to Ansible Project


    I have a group of old HP-UX servers that I need to manage with Ansible.  I started by installing python-2.7.13 on one server, then testing with a simple Ansible ping:

sinuid06-> ansible sinuid02 -m ping
sinuid02 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}

    That went well.  Then I tried to do the same test but with sudo:

sinuid06-> ansible sinuid02 -bK -m ping
SUDO password:
sinuid02 | FAILED! => {
    "failed": true,
    "msg": "Incorrect sudo password"
}

    But sudo works when I log into the server and type the command:

sinuid02-> sudo -i
Password:

Value of TERM has been set to "putty".
WARNING:  YOU ARE SUPERUSER !!

    And Ansible works when I use the raw module with sudo:

sinuid06-> ansible sinuid02 -sK -m raw -a id
SUDO password:
sinuid02 | SUCCESS | rc=0 >>

uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

    But it fails with the shell or command modules:

sinuid06-> ansible sinuid02 -sK -m command -a id
SUDO password:
sinuid02 | FAILED | rc=0 >>
Incorrect sudo password

    I tried updating sudo on the target server, but that did not help:

sinuid02-> sudo --version
Sudo version 1.8.20p2
Sudoers policy plugin version 1.8.20p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.20p2

    So what is different about how the modules execute sudo on HP-UX and what can I do to correct it?

    -Mark

Toshio Kuratomi

Aug 1, 2017, 9:51:26 AM
to ansible...@googlegroups.com
Not sure the answer to your question but you can get some more information from ansible that may help.

Use -vvvvv as an option and you'll see a printout of what command lines ansible is trying to run over the ssh connection.

-Toshio

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ef1e111a-cf55-4b5b-9b86-2001b2acf264%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

mark....@dsv.com

Aug 1, 2017, 12:34:39 PM
to Ansible Project

     -vvvv did not show anything that was helpful:

sinuid06-> ansible sinuid02 -sK -m ping -vvvv
Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=wjfyztinvbxyowftkcxbdswpcgknzxpc] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-wjfyztinvbxyowftkcxbdswpcgknzxpc; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''

sinuid02 | FAILED! => {
    "failed": true,
    "msg": "Incorrect sudo password"
}

    But what did make a difference was setting ANSIBLE_KEEP_REMOTE_FILES=1:

sinuid06-> ANSIBLE_KEEP_REMOTE_FILES=1 ansible sinuid02 -sK -m command -a id
SUDO password:

sinuid02 | SUCCESS | rc=0 >>
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

    So somehow forcing the remote system to save the module files made it work.  This is very puzzling.
    -Mark

mark....@dsv.com

Aug 1, 2017, 12:47:24 PM
to Ansible Project

    The debug output from when I set ANSIBLE_KEEP_REMOTE_FILES=1 is significantly different from when I do not set that:

sinuid06-> ANSIBLE_KEEP_REMOTE_FILES=1 ansible sinuid02 -sK -m ping -vvvv

Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685 `" && echo ansible-tmp-1501605634.85-254507764792685="` echo $HOME/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685 `" ) && sleep 0'"'"''
<sinuid02> PUT /tmp/tmpTO4oao TO /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ping.py
<sinuid02> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r '[sinuid02]'

<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'chmod u+x /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ping.py && sleep 0'"'"''

<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r -tt sinuid02 '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=rfgzwshkypvukgrzrjwgjayzwslvshum] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-rfgzwshkypvukgrzrjwgjayzwslvshum; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python /home/pdxmft/.ansible/tmp/ansible-tmp-1501605634.85-254507764792685/ping.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''

sinuid02 | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": null
        },
        "module_name": "ping"
    },
    "ping": "pong"
}

    Specifically, when I do not set the variable, I do not see a call to sftp to copy the ping.py file to the target server, but I do see that when I set the variable.  I do not know enough about how Ansible operates to know if that is significant or not.
    -Mark

Adrian Likins

Aug 2, 2017, 10:34:56 AM
to ansible...@googlegroups.com
Using ANSIBLE_KEEP_REMOTE_FILES also disables ssh 'pipelining', so I suspect just disabling pipelining may also work.
See http://docs.ansible.com/ansible/latest/intro_configuration.html#pipelining

Try:


    $ ANSIBLE_SSH_PIPELINING=0 ansible -vvvvv sinuid02 -sK -m command -a id

And then:

   $ ANSIBLE_SSH_PIPELINING=1 ansible -vvvvv sinuid02 -sK -m command -a id


If ANSIBLE_SSH_PIPELINING=0 works and ANSIBLE_SSH_PIPELINING=1 fails, that narrows the problem down.


Mark Tovey

Aug 2, 2017, 10:57:06 AM
to Ansible Project

    It worked exactly as you predicted: disabling pipelining resulted in success, enabling pipelining caused failure:

sinuid06->  ANSIBLE_SSH_PIPELINING=0 ansible sinuid02 -bK -m ping -vvvv

Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397 `" && echo ansible-tmp-1501685240.38-249800991666397="` echo $HOME/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397 `" ) && sleep 0'"'"''
<sinuid02> PUT /tmp/tmpSBgbKg TO /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ping.py

<sinuid02> SSH: EXEC sftp -b - -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r '[sinuid02]'
<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'chmod u+x /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ping.py && sleep 0'"'"''

<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r -tt sinuid02 '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=tlsiocbaqshesaoykfdbxhrvmgykhppm] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-tlsiocbaqshesaoykfdbxhrvmgykhppm; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python /home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/ping.py; rm -rf "/home/pdxmft/.ansible/tmp/ansible-tmp-1501685240.38-249800991666397/" > /dev/null 2>&1'"'"'"'"'"'"'"'"' && sleep 0'"'"''

sinuid02 | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": null
        },
        "module_name": "ping"
    },
    "ping": "pong"
}


sinuid06->  ANSIBLE_SSH_PIPELINING=1 ansible sinuid02 -bK -m ping -vvvv

Using /InfraRepo/Ansible/config/ansible.cfg as config file
SUDO password:
Loading callback plugin minimal of type stdout, v2.0 from /usr/lib/python2.7/site-packages/ansible/plugins/callback/__init__.pyc
Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/system/ping.py
<sinuid02> ESTABLISH SSH CONNECTION FOR USER: None
<sinuid02> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=22 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/pdxmft/.ansible/cp/ansible-ssh-%h-%p-%r sinuid02 '/bin/sh -c '"'"'sudo -H -S  -p "[sudo via ansible, key=mqoctsbwdszgvkvzodlrvtvojlkrgpdo] password: " -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-mqoctsbwdszgvkvzodlrvtvojlkrgpdo; LANG=C LC_ALL=C LC_MESSAGES=C /usr/bin/python'"'"'"'"'"'"'"'"' && sleep 0'"'"''

sinuid02 | FAILED! => {
    "failed": true,
    "msg": "Incorrect sudo password"
}

    I tried ensuring that 'requiretty' was disabled in my sudoers file, but that did not change anything.  I guess as a work-around I can instruct everyone to disable pipelining when working with HP-UX, but that is going to be cumbersome and a point of constant error when someone forgets.
    -Mark
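
An added example, not part of the original thread: one way to keep the workaround from depending on each operator exporting ANSIBLE_SSH_PIPELINING=0 is to override pipelining per inventory group. The group name "hpux" and the two-file layout are assumptions; sinuid02 is the host from the thread.

```ini
# --- ansible.cfg on the control node ---
# Pipelining stays enabled for every host that has no override.
[ssh_connection]
pipelining = True

# --- inventory file (INI format) ---
# "hpux" is a hypothetical group name; list every HP-UX target in it.
[hpux]
sinuid02

[hpux:vars]
# Per-group override of the ssh_connection setting above, so become
# runs against these hosts copy the module file instead of piping it.
ansible_ssh_pipelining=False
```

With the override in place, a -vvvv run against a host in the group should show the PUT of the module file and the -tt option on the sudo invocation, as in the successful runs above.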


Mark Tovey

Aug 2, 2017, 1:49:40 PM
to Ansible Project


   I thought it might be the special characters in my password.  They sometimes do not pass properly in pipeline streams.
   I tried the following:

ssh -tt sinuid02 "echo 'my#password' | sudo -S id"
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

    That worked.  But this way failed:

echo 'my#password' | ssh -tt sinuid02 "sudo -S id"
Password: Sorry, try again.
Password:
sudo: 1 incorrect password attempt

    Then tried escaping the special characters:

echo 'my\#password' | ssh -tt sinuid02 "sudo -S id"
my\#password
Password:
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),103(hpvmsys)

    That led me to believe that indeed that is the problem.  But when I tried escaping special characters when entering my password or just removing special characters altogether from my password, Ansible still fails.  I even set sudoers to allow me to run commands with no password, and that still fails through Ansible unless I disable pipelining. 
    The bottom line is that there are issues with the combination of pipelining and Ansible.
    -Mark