-K, --ask-sudo-pass deprecated but --become doesn't function properly?


Bob Tanner

Jul 31, 2015, 3:54:48 AM
to Ansible Development
This is related to #11808

Making the move from -K to --become and running into many problems. 

Since the first day of running the git devel branch I haven't had this many problems so I feel like the problems are "personal problems" :-) Given no one else is posting here this type of problem or opening similar issues on github I again feel like this is a "personal problem".


Many of my roles are like this:

roles:
  - { role: bootstrap, sudo: yes }

Side note, shouldn't this be something like:

  - { role: bootstrap, become: yes }

or

  - { role: bootstrap, become_method: sudo }

Many roles that work with -K fail with --become, like a simple hostname setup? It just hangs.

---
# file: vagrant.yml

- hosts: testing
  remote_user: ansible
  vars:
    hostname: testing
  roles:
    - { role: bootstrap, sudo: yes }

---
# tasks file for roles/bootstrap

- name: set hostname
  hostname: name={{ hostname }}
  tags: bootstrap

$ ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml --tags=bootstrap -vvvv --ask-become-pass
Using  as config file
SUDO password:
1 plays in ~/projects/ansible.git/playbooks/vagrant.yml
Loaded callback default of type stdout, v2.0

PLAY ****************************************************************************

TASK [setup] ********************************************************************
<10.x.x.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.x.x.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.x.x.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438328068.73-174664883439743" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438328068.73-174664883439743" && echo "$HOME/.ansible/tmp/ansible-tmp-1438328068.73-174664883439743"
<10.x.x.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.x.x.193> PUT /var/folders/d_/bm7rvz154jb_2djkqybb503h0000gp/T/tmpkAdhJA TO /home/ansible/.ansible/tmp/ansible-tmp-1438328068.73-174664883439743/setup
<10.x.x.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.x.x.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.x.x.193 LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438328068.73-174664883439743/setup; rm -rf "/home/ansible/.ansible/tmp/ansible-tmp-1438328068.73-174664883439743/" >/dev/null 2>&1
ok: [testing]

TASK [bootstrap : set hostname] *************************************************
<10.x.x.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.x.x.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.x.x.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438328072.08-53721970381554" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438328072.08-53721970381554" && echo "$HOME/.ansible/tmp/ansible-tmp-1438328072.08-53721970381554"
<10.x.x.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.x.x.193> PUT /var/folders/d_/bm7rvz154jb_2djkqybb503h0000gp/T/tmpUVfPkS TO /home/ansible/.ansible/tmp/ansible-tmp-1438328072.08-53721970381554/hostname
<10.x.x.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.x.x.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.x.x.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=lvrohcyyqlshoqbznctyubsigsmdllvc] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-lvrohcyyqlshoqbznctyubsigsmdllvc; LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438328072.08-53721970381554/hostname; rm -rf "/home/ansible/.ansible/tmp/ansible-tmp-1438328072.08-53721970381554/" >/dev/null 2>&1'"'"''
[HANGS]

Yet, if I change the playbook to this (remove the sudo: yes) 

---
# file: vagrant.yml

- hosts: testing
  remote_user: ansible
  vars:
    hostname: testing
  roles:
    - { role: bootstrap }

Everything works as expected. 

It might just be me or might be how I specify my roles or maybe not many people are playing with --become stuff. 

Before I go and change all my playbooks to remove the "sudo: yes" I want to make sure I'm not just having a personal problem. 

And if this is not a personal problem can a warning or error be thrown if --become is True (command line or ansible.cfg) and roles have sudo: yes?

Thanks.

Bob Tanner

Jul 31, 2015, 4:36:38 AM
to Ansible Development, basicth...@gmail.com
Guessing my debugging skills aren't very good.

  roles:
    - { role: bootstrap, become: yes }

Seems to resolve a lot of my problems. 


Brian Coca

Jul 31, 2015, 9:18:22 AM
to Bob Tanner, Ansible Development
responses inline

On Fri, Jul 31, 2015 at 3:54 AM, Bob Tanner <basicth...@gmail.com> wrote:
> This is related to #11808
>
> Making the move from -K to --become and running into many problems.

-K is --sudo-ask-pass, which is equivalent to --become-ask-pass, not --become
-s is --sudo which is equivalent to --become (and -S --su)

> roles:
> - { role: bootstrap, sudo: yes }
>
> Side note, shouldn't this be something like:
>
> - { role: bootstrap, become: yes }
>
> or
>
> - { role: bootstrap, become_method: sudo }

setting the method does not imply become=true, it just sets the
default for when become=true

>
> Many roles that work with -K fail with --become, like a simple hostname
> setup? It just hangs.

it hangs because you are not providing a password, which -K prompts
for but --become does not as per my first reply above.



--
Brian Coca

Bob Tanner

Jul 31, 2015, 2:39:23 PM
to Ansible Development, basicth...@gmail.com, bc...@ansible.com

On Fri, Jul 31, 2015 at 3:54 AM, Bob Tanner <basicth...@gmail.com> wrote:
> This is related to #11808
>
> Making the move from -K to --become and running into many problems.

-K is --sudo-ask-pass, which is equivalent to --become-ask-pass, not --become
-s is --sudo which is equivalent to --become (and -S --su)

I used to invoke ansible like this:

$ ansible-playbook -i blah-inventory -K -k blah-playbook.yml 

and now I invoke it like this:

$ ansible-playbook -i blah-inventory --ask-become-pass --become -i blah-inventory

Correct?

If that is the correct invocation then I'm back to the template module hanging (as documented in https://github.com/ansible/ansible/issues/11808). Another example. Different role using template module.

- name: apticron.conf
  template: >
    src={{ ansible_lsb.codename }}/apticron.conf.j2 
    dest=/etc/apticron/apticron.conf 
    owner=root 
    group=root 
    mode=0644
  tags: apticron

ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml --ask-become-pass --become -vvvv
Using ~/projects/ansible.git/playbooks/ansible.cfg as config file
SUDO password:
<snip>

TASK [apticron : apticron.conf] *************************************************
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438366902.71-207412673011801" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438366902.71-207412673011801" && echo "$HOME/.ansible/tmp/ansible-tmp-1438366902.71-207412673011801"
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=tcskruuzdkrswczrlhqwlrptvdtiikjs] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-tcskruuzdkrswczrlhqwlrptvdtiikjs; rc=flag; [ -r /etc/apticron/apticron.conf ] || rc=2; [ -f /etc/apticron/apticron.conf ] || rc=1; [ -d /etc/apticron/apticron.conf ] && rc=3; python -V 2>/dev/null || rc=4; [ x"$rc" != "xflag" ] && echo "${rc}  "/etc/apticron/apticron.conf && exit 0; (python -c '"'"'"'"'"'"'"'"'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();
afile = open("'"'"'"'"'"'"'"'"'/etc/apticron/apticron.conf'"'"'"'"'"'"'"'"'", "rb")
buf = afile.read(BLOCKSIZE)
while len(buf) > 0:
hasher.update(buf)
buf = afile.read(BLOCKSIZE)
afile.close()
print(hasher.hexdigest())'"'"'"'"'"'"'"'"' 2>/dev/null) || (python -c '"'"'"'"'"'"'"'"'import sha; BLOCKSIZE = 65536; hasher = sha.sha();
afile = open("'"'"'"'"'"'"'"'"'/etc/apticron/apticron.conf'"'"'"'"'"'"'"'"'", "rb")
buf = afile.read(BLOCKSIZE)
while len(buf) > 0:
hasher.update(buf)
buf = afile.read(BLOCKSIZE)
afile.close()
print(hasher.hexdigest())'"'"'"'"'"'"'"'"' 2>/dev/null) || (echo '"'"'"'"'"'"'"'"'0  '"'"'"'"'"'"'"'"'/etc/apticron/apticron.conf)'"'"''
HANGS

On the remote side the "sudo -H -S -p [sudo via ansible, key=tcskruuzdkrswczrlhqwlrptvdtiikjs] password:" is waiting on a read.

$ sudo strace -p 6283
[sudo] password for ansible:
Process 6283 attached
read(0,

On the control host the "ssh -C -tt -vvv -o ControlMaster=auto " is ... don't know what this is telling me. Little GoogleFu tells me we are waiting on a BSD system call to return but I have no idea what system API is being called.

$ sudo dtruss -p 14453
Password:
SYSCALL(args) = return

Bob Tanner

Jul 31, 2015, 4:25:02 PM
to Ansible Development, basicth...@gmail.com
More (personal?) issues?

ANSIBLE_KEEP_REMOTE_FILES=1  and setup works as expected.

% ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml  -vvvv
Using ~/projects/ansible.git/playbooks/ansible.cfg as config file
1 plays in ~/projects/ansible.git/playbooks/vagrant.yml
Loaded callback default of type stdout, v2.0

PLAY ****************************************************************************

TASK [setup] ********************************************************************
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090" && echo "$HOME/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090"
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> PUT /var/folders/d_/bm7rvz154jb_2djkqybb503h0000gp/T/tmpIuLWJX TO /home/ansible/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090/setup
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 LANG=C LC_MESSAGES=C LC_CTYPE=C /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438373803.07-183638808056090/setup
ok: [testing]

ANSIBLE_KEEP_REMOTE_FILES=1  with --become and --ask-become-pass and setup hangs

% ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook -i ~/projects/ansible.git/playbooks/vagrant-inventory ~/projects/ansible.git/playbooks/vagrant.yml --ask-become-pass --become  -vvvv
Using ~/projects/ansible.git/playbooks/ansible.cfg as config file
SUDO password:
 plays in ~/projects/ansible.git/playbooks/vagrant.yml
Loaded callback default of type stdout, v2.0

PLAY ****************************************************************************
TASK [setup] ********************************************************************
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 mkdir -p "$HOME/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852" && chmod a+rx "$HOME/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852" && echo "$HOME/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852"
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> PUT /var/folders/d_/bm7rvz154jb_2djkqybb503h0000gp/T/tmpfcw1XC TO /home/ansible/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852/setup
<10.X.X.193> ESTABLISH SSH CONNECTION FOR USER: ansible
<10.X.X.193> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=600s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=avmjfmpzrimdtudrpdcayejzjmvgahpj] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-avmjfmpzrimdtudrpdcayejzjmvgahpj; LANG=C LC_MESSAGES=C LC_CTYPE=C /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438374066.58-129658387415852/setup'"'"''

Bob Tanner

Jul 31, 2015, 5:40:23 PM
to Ansible Development, basicth...@gmail.com
Breaking down the play. 

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=benehbanetqnytmmkklumnbvsiyukasg] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-benehbanetqnytmmkklumnbvsiyukasg; LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438377089.9-208037963158211/hostname'"'"''
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 1474
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 12
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-u user] file ...
debug3: mux_client_read_packet: read header failed: Broken pipe

Odd, improper invocation of sudo? Break down of the sudo commands.

$ /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=benehbanetqnytmmkklumnbvsiyukasg] password: " -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-benehbanetqnytmmkklumnbvsiyukasg; LANG=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438377089.9-208037963158211/hostname'"'"''
[sudo via ansible, key=benehbanetqnytmmkklumnbvsiyukasg] password:
BECOME-SUCCESS-benehbanetqnytmmkklumnbvsiyukasg
{"changed": false, "name": "tester", "ansible_facts": {"ansible_hostname": "tester"}}

That seems to work. 

Test the ssh command.

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 1474
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 12
Last login: Fri Jul 31 16:33:09 2015 from 172.X.X.100
ansible@tester:~$

That seems to work.

Test the first sudo command, /bin/sh -c 'sudo -k'

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -k'
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 1474
debug3: mux_client_request_session: session request sent
debug1: mux_client_request_session: master session id: 12
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-u user] file ...
debug3: mux_client_read_packet: read header failed: Broken pipe
debug2: Received exit status from master 1

Not expected! Just over to the target system.

$ /bin/sh -c 'sudo -k'
$ echo $?
0

So something about executing /bin/sh -c 'sudo -k' via ssh is breaking things?

Bob Tanner

Jul 31, 2015, 5:49:42 PM
to Ansible Development, basicth...@gmail.com
Is it the sudo -k?

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 /bin/sh -c 'sudo -h'
<snip>
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user]
            [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p
            prompt] [-u user] file ...

Nope.

Is it the /bin/sh -c?

 ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 sudo -h
<snip>
Options:
  -A, --askpass               use a helper program for password prompting
  -b, --background            run command in the background
  -C, --close-from=num        close all file descriptors >= num
  -E, --preserve-env          preserve user environment when running command
  -e, --edit                  edit files instead of running a command
  -g, --group=group           run command as the specified group name or ID
  -H, --set-home              set HOME variable to target user's home dir
  -h, --help                  display help message and exit

Yes!

What is ssh treating differently between /bin/sh -c 'sudo -k' vs sudo -k ?

Bob Tanner

Jul 31, 2015, 6:33:55 PM
to Ansible Development, basicth...@gmail.com
I was able to get the ssh and sudo commands to work properly from the control host like this 

$ ssh -C -tt -vvv -o ControlMaster=auto -o ControlPersist=60s -o ControlPath="/tmp/ansible-ssh-%h-%p-%r" -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansible -o ConnectTimeout=10 10.X.X.193 '/bin/sh -c "sudo -k && sudo -H -S -p \"[sudo via ansible, key=oyhepruyffgwmikqvhscueppmxdhrrrs] password: \" -u root /bin/sh -c \"/usr/bin/python /home/ansible/.ansible/tmp/ansible-tmp-1438379820.92-121855719831019/hostname\""'

At least under Ubuntu 14.04 you need to quote the whole command passed via ssh.

I'll post this to the issue as well.
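An added example, not part of the thread and not Ansible's code: the ssh client joins its command arguments with single spaces and the remote user's shell parses that string a second time, so `/bin/sh -c 'sudo -k'` arrives as `/bin/sh -c sudo -k` and sudo runs with no arguments, which is consistent with the usage output in the posts above. The sketch reproduces this locally without ssh or sudo; `fake_sudo`, `ssh_remote_string`, `fake_remote`, `quote_arg` and `quoted_remote` are hypothetical names, and the per-argument quoting goes beyond the whole-command quoting used in the last post.

```shell
#!/bin/sh
# Constructed demo: no ssh and no sudo involved.
# fake_sudo (hypothetical) stands in for sudo and reports the arguments it received.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/fake_sudo" <<'EOF'
#!/bin/sh
echo "argc=$# argv=$*"
EOF
chmod +x "$DEMO_DIR/fake_sudo"
PATH="$DEMO_DIR:$PATH"
export PATH

# What the ssh client sends: its command arguments joined with single spaces.
ssh_remote_string() {
    printf '%s' "$*"
}

# What the server side does with that string: hand it to the user's shell via -c.
fake_remote() {
    sh -c "$(ssh_remote_string "$@")"
}

# Single-quote one argument so it survives the second parse unchanged.
quote_arg() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# General form: quote every argument, then send the result as one string.
quoted_remote() {
    line=
    for arg in "$@"; do
        line="$line $(quote_arg "$arg")"
    done
    fake_remote "$line"
}

# 1. Separate arguments, as in the failing test: the local quotes are gone by the
#    time the remote shell sees "/bin/sh -c fake_sudo -k", so -k becomes $0.
echo "separate args : $(fake_remote /bin/sh -c 'fake_sudo -k')"

# 2. Whole command as one argument, as in the last post: inner quotes survive.
echo "whole command : $(fake_remote '/bin/sh -c "fake_sudo -k"')"

# 3. Every argument quoted individually: same result, no hand-written nesting.
echo "per-arg quoted: $(quoted_remote /bin/sh -c 'fake_sudo -k')"
```
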