ansible ping with specific user doesn't work


iamlight...@gmail.com

Nov 12, 2017, 10:52:31 PM
to Ansible Project
Hello All,

I'm new to Ansible and trying to implement it in our organization.

I noticed this:

When I ran ping from the root user prompt, specifying the "delpoy" user, it errors out.

++++++++++++++++++++++++++++++++++
[root@dev-armor21 ~]# ansible all -m ping --user=delpoy
dev-mado21 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n",
    "unreachable": true
}
dev-pipe21 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n",
    "unreachable": true
}
dev-mado22 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n",
    "unreachable": true
}
localhost | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
++++++++++++++++++++++++++++++++++


But when I switch to the deploy user and run ansible ping, it works fine.

++++++++++++++++++++++++++++++++++
[root@dev-armor21 ~]# su - deploy
[deploy@dev-armor21 ~]$ ansible all  -m ping
localhost | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
dev-mado22 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
dev-pipe21 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
dev-mado21 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
[deploy@dev-armor21 ~]$
++++++++++++++++++++++++++++++++++

Is this expected or am I doing something wrong?

My objective is to run ansible commands from root (I do not want to share root keys to all hosts) and with specific users.

Can this be achieved?

Regards,
Prakash.

Dick Visser

Nov 13, 2017, 12:45:05 AM
to ansible...@googlegroups.com
Everything you want can be achieved.
But in general it’s not recommended nor needed to run ansible as root.
The reasoning behind your objective doesn’t seem to make much sense?
“I do not want to share root keys to all hosts” - this sounds like you think that you’re giving away secrets to remote hosts.
That is not the case.
With SSH keys the user account doesn’t really matter on both sides - you can connect from and to whatever user you want.
You might want to read up on privilege escalation: http://docs.ansible.com/ansible/latest/become.html

Ideally you don’t ever use the root account anywhere, just use sudo for actions that require it.
With ansible it’s the same amount of work.

Dick 
--
Dick Visser
GÉANT

Want to join us? We're hiring: https://www.geant.org/jobs

iamlight...@gmail.com

Nov 13, 2017, 12:54:19 AM
to Ansible Project
Thanks for your reply. Indeed, everything is achievable :)
I think I understand what I was trying (or thinking). My bad, got sorted.

Dick Visser

Nov 13, 2017, 1:03:16 AM
to ansible...@googlegroups.com
On Mon, 13 Nov 2017 at 06:54, <iamlight...@gmail.com> wrote:
Thanks for your reply. Indeed, everything is achievable :)
I think I understand what I was trying (or thinking). My bad, got sorted.

Good to hear.
Would you mind sharing how you got things sorted? I.e. how you implemented it?

Thanks

iamlight...@gmail.com

Nov 13, 2017, 2:09:39 AM
to Ansible Project
I mean, my understanding is sorted (that's what I think).

This is what I understand:

You need to share the keys of the user from which you are running the ansible ad hoc command with all the managed hosts.

So I have created a user account "deploy" and then shared the ssh keys of this user to all managed hosts, and now I am able to get all green ping/pong.
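
Added example, not part of any post in this thread: an inventory that pins the remote login user and the private key, so the ping gives the same result whichever local account runs ansible. The host names are the ones shown above; the key path and the file name inventory.yml are assumptions.

```yaml
# inventory.yml (assumed file name); added example, not from the thread.
all:
  hosts:
    dev-mado21:
    dev-mado22:
    dev-pipe21:
  vars:
    # Remote account to log in as; same effect as --user=deploy on the CLI.
    ansible_user: deploy

    # Private key offered to the remote host. When this is unset, ssh offers
    # the default keys of the local user running ansible (root's keys at a
    # root prompt), and the remote deploy account only accepts keys listed
    # in its own ~/.ssh/authorized_keys.
    ansible_ssh_private_key_file: /home/deploy/.ssh/id_ed25519  # assumed path

    # Log in unprivileged; plays or tasks that need root set "become: true"
    # and escalate through sudo rather than connecting as root.
    ansible_become: false
    ansible_become_method: sudo
```

With this file, `ansible -i inventory.yml all -m ping` run from the root prompt authenticates as deploy with the deploy key, provided the matching public key is in ~deploy/.ssh/authorized_keys on each host and the invoking user can read the private key file.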

Madhavan M

May 18, 2019, 11:20:17 PM
to Ansible Project
Hello,

I'm new to ansible.
I'm trying to ping a host machine but I got an error:



UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}


But I'm able to connect using ssh.