Ansible with gpg-agent prompts for private key password constantly


Mark Clarke

Apr 3, 2019, 5:26:53 PM4/3/19
to Ansible Project
Hi all,

We are using gpg-agent to provide ssh-agent functionality for caching the private key passphrases. Some of the keys will be stored in the gpg keyring, whilst some services such as ansible use a standard ssh key. Our ansible scripts run without problems with the standard ssh-agent. When the $SSH_AUTH_SOCK variable is pointed to the gpg-agent ssh socket, the script continually prompts for the passphrase and it always comes back as invalid. Is this some config issue I need to sort out? "ssh-add -L" shows that keys from the gpg and standard ssh keys (ansible's one too) are cached, so not sure why we are getting the repeated prompts.

Any ideas?

cheers

Brian Coca

Apr 3, 2019, 5:32:17 PM4/3/19
to Ansible Project
Ansible does not deal with those; it executes an ssh command. Use
-vvv to see exactly the ssh command Ansible runs and see if any of
those options need to be tweaked to allow for the gpg agent to
continue working.


--
----------
Brian Coca

Derek Murawsky

Apr 3, 2019, 5:41:54 PM4/3/19
to ansible...@googlegroups.com
What does your ~/.gnupg/gpg-agent.conf file look like?
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html

It sounds almost like your auth socket isn't working properly, meaning the agent is being restarted and is re-adding the key instead of using the key loaded in the agent once.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CACVha7fAUtZQ5xxXCUqmJxw063jNGTC9a-LkfRjmCzc%3DRc2L-Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Mark Clarke

Apr 4, 2019, 10:54:14 AM4/4/19
to Ansible Project


On Wednesday, 3 April 2019 23:41:54 UTC+2, Derek Murawsky wrote:
What does your ~/.gnupg/gpg-agent.conf file look like?
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html

It sounds almost like your auth socket isn't working properly, meaning the agent is being restarted and is re-adding the key instead of using the key loaded in the agent once.

Thanks for the reply. I agree with your assessment that it has something to do with ansible not being able to reach the SSH_AUTH_SOCKET. I don't have a gpg-agent.conf file. I have read lots of tutorials that mention the file, but on Ubuntu 18.04 the gpg installation does not appear to require it. The only thing I had to do after installation to get ssh to work with the private key in gpg was to run "export SSH_AUTH_SOCK="/run/user/1000/gnupg/S.gpg-agent.ssh". Maybe I need to change a config for ansible to point to the correct socket, as it was using the normal ssh-agent before?

On Wed, Apr 3, 2019 at 5:32 PM Brian Coca <bc...@redhat.com> wrote:
Ansible does not deal with those; it executes an ssh command. Use
-vvv to see exactly the ssh command Ansible runs and see if any of
those options need to be tweaked to allow for the gpg agent to
continue working.


--
----------
Brian Coca


Derek Murawsky

Apr 4, 2019, 11:43:06 AM4/4/19
to ansible...@googlegroups.com
So, the way I've seen gpg-agent work is that it needs config to enable ssh-agent compatibility. My config looks like:

default-cache-ttl 60
max-cache-ttl 120
enable-ssh-support

That last line is what enables the auth socket with full compatibility with ssh-agent, I think.

My ~/.bash_profile is:

# Load GPG agent
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent

The ~/.gnupg/sshcontrol file has the auth key listed for autoloading. This wouldn't work if the key had a password, though.

Hope that helps. 
-Derek

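Pulling the thread's two suggestions together (Brian's "check what ssh Ansible actually runs" and Derek's gpg-agent.conf / SSH_AUTH_SOCK setup), here is a small diagnostic script a practitioner can run on the control node before invoking Ansible. It is an added example, not code from this thread, from Ansible or from GnuPG. It checks three things the thread points at: that gpg-agent.conf contains enable-ssh-support, that SSH_AUTH_SOCK matches the socket gpgconf reports for agent-ssh-socket (the /run/user/1000/gnupg/S.gpg-agent.ssh path is the one Mark quoted), and how many identities the agent behind that socket offers via ssh-add -L. The function names and the output wording are my own assumptions; the gpgconf, ssh-add and grep invocations are standard.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread: repeated passphrase
# prompts when SSH_AUTH_SOCK points at gpg-agent's ssh socket.
# Constructed example; not code from the thread, Ansible or GnuPG.
# Function names and messages are assumptions made for illustration.

# Return 0 if the given gpg-agent.conf turns on ssh-agent emulation
# (the "enable-ssh-support" line shown in Derek's config), else 1.
# A commented-out line does not count.
conf_has_ssh_support() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf"
}

# Return 0 if $1 (a SSH_AUTH_SOCK value) equals $2 (the socket path
# gpgconf reports for agent-ssh-socket). An empty or stale value means
# ssh never reaches gpg-agent and falls back to prompting every time.
sock_is_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Print how many identities the agent behind SSH_AUTH_SOCK offers,
# 0 if it answers but is empty, or -1 if no agent is reachable.
# Same "ssh-add -L" the original poster ran; ssh-add exits 1 for
# "no identities" and 2 when it cannot connect to the socket.
agent_identity_count() {
    if out=$(ssh-add -L 2>/dev/null); then
        printf '%s\n' "$out" | grep -c '^ssh-' || true
    elif [ $? -eq 1 ]; then
        echo 0
    else
        echo -1
    fi
}

# Walk through the checks and say what each result means for the
# "constant prompting" symptom. Ansible inherits SSH_AUTH_SOCK from
# the shell that launches it, so this is the environment that matters.
diagnose() {
    conf="${GNUPGHOME:-${HOME:-/nonexistent}/.gnupg}/gpg-agent.conf"
    if conf_has_ssh_support "$conf"; then
        echo "ok:   $conf enables ssh support"
    else
        echo "warn: no enable-ssh-support in $conf (gpg-agent will not serve ssh clients)"
    fi

    if command -v gpgconf >/dev/null 2>&1; then
        expected=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || expected=""
        if sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$expected"; then
            echo "ok:   SSH_AUTH_SOCK=$SSH_AUTH_SOCK is gpg-agent's ssh socket"
        else
            echo "warn: SSH_AUTH_SOCK='${SSH_AUTH_SOCK:-}' but gpgconf reports '$expected'"
            echo "      a stale or per-session value explains prompts for a key the agent holds"
        fi
    else
        echo "skip: gpgconf not installed, cannot verify socket path"
    fi

    n=$(agent_identity_count)
    case "$n" in
        -1) echo "fail: no agent reachable at SSH_AUTH_SOCK" ;;
        0)  echo "warn: agent reachable but holds no identities" ;;
        *)  echo "ok:   agent offers $n identities" ;;
    esac
}

diagnose
```

Run it from the same shell you start Ansible in, then run the playbook with -vvv as Brian suggests: the ssh command Ansible prints should be using the environment this script just validated. If the script reports "ok" on all three checks but Ansible still prompts, the remaining suspects are in that printed ssh command line (for example an IdentityFile or IdentitiesOnly option that bypasses the agent), not in gpg-agent itself.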