"/bin/sh" isn't allowed to be executed


Rod Oliver

Jul 12, 2017, 3:02:43 AM
to Ansible Project
I'm trying to run commands against a remote host and even a simple ad hoc ping fails, with the error '"/bin/sh" isn't allowed to be executed'. The error message changes to '/bin/bash' when I add "executable = /bin/bash" in ansible.cfg. Adding the -b switch makes no difference. When logging in manually, ssh with the same user/key combination works just fine. The system in question is SLES11 and runs Python 2.6.

Brian Coca

Jul 12, 2017, 12:21:13 PM
to Ansible Project
It would help if you show the commands attempted and the full error,
even using -vvv to make the output verbose.


---------
Brian Coca

Rod Oliver

Jul 12, 2017, 2:41:55 PM
to ansible...@googlegroups.com
Hi Brian,

The command and output is below.

The thing that I find odd is that, to the best of my knowledge, ansible uses the ssh client config of the user by default. The same user that runs ansible (root in this case) gets the correct username (not root) and SSH key from ~/.ssh/config and is able to log in to the host against which the ad hoc play is run. I'm wondering if there's something funny about this host.

root@WDFN34201151A:/mnt/c/Users/user/Documents/Projects/Ansible_Playbooks/Automation# ansible -vvv -m ping control
Using /mnt/c/Users/D069683/Documents/Projects/Ansible_Playbooks/Automation/ansible.cfg as config file
META: ran handlers
Using module file /root/.local/lib/python2.7/site-packages/ansible/modules/system/ping.py
<clts.rot.od.sap.biz> ESTABLISH SSH CONNECTION FOR USER: user
<clts.rot.od.sap.biz> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=user -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/7dd2444b86 clts '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<clts> (1, '', '\n"/bin/sh" isn\'t allowed to be executed.\n')
<clts> ESTABLISH SSH CONNECTION FOR USER: user
<clts> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=user -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/7dd2444b86 clts.rot.od.sap.biz '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `" && echo ansible-tmp-1499884456.62-175962548351199="` echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `" ) && sleep 0'"'"''
<clts> (1, '', '"/bin/sh" isn\'t allowed to be executed.\n')
clts | UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `\" && echo ansible-tmp-1499884456.62-175962548351199=\"` echo ~/.ansible/tmp/ansible-tmp-1499884456.62-175962548351199 `\" ), exited with result 1",
    "unreachable": true
}
root@WDFN34201151A:/mnt/c/Users/user/Documents/Projects/Ansible_Playbooks/Automation#

Best regards

Rod

Cyclists of the World unite - you have nothing to lose but your chains!



Rod Oliver

Jul 12, 2017, 3:44:25 PM
to ansible...@googlegroups.com
I think I've figured out what is causing the issue. I don't know what to do to solve the issue. Sudosh has been configured to only allow certain commands via remote shell. On a test system running more or less the same setup I can configure sudosh (/etc/sudosh.conf) to allow all commands. I don't want to do that on this machine as it would undermine security. I'd rather figure out what Ansible needs and request that. Any ideas what commands would need to be allowed to let Ansible do its thing?

Cyclists of the World unite - you have nothing to lose but your chains!

Brian Coca

Jul 12, 2017, 4:30:03 PM
to Ansible Project
Ansible runs arbitrary code/commands (modules) so when using privilege
escalation it does not support restrictive setups, see docs
http://docs.ansible.com/ansible/become.html


----------
Brian Coca