Encrypted SSH Key leads to Invalid format


jer...@gmail.com

Oct 2, 2022, 7:15:34 AM
to Ansible Project
I'm using in inventory/group_vars/all.yaml:
....
ansible_ssh_private_key_file: '{{inventory_dir}}/group_vars/path/to/key'

This key works well when it's plain text.
When I encrypt the file with ansible-vault, I get the error:
    Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format
    root @ SOME_IP: Permission denied (publickey,password).
  unreachable: true

I am using $ANSIBLE_VAULT_PASSWORD_FILE to decrypt everything without asking for password.
I have other encrypted secrets in all.yaml that get decrypted.

What am I missing?

Thanks!

Evan Hisey

Oct 2, 2022, 2:02:37 PM
to ansible...@googlegroups.com
Can you confirm the decrypted key is valid by direct ssh? Hard to tell for sure, but that looks like the target host is rejecting the key format. Not all key formats are accepted by all targets. I have run into this with GitHub and Tenable scanners.


Jeremie Levy

Oct 2, 2022, 2:04:47 PM
to ansible...@googlegroups.com
Yes, it works, and it works unencrypted.


Dan Linder

Oct 2, 2022, 4:02:50 PM
to Ansible Project
Can you provide a minimal Ansible playbook with a vaulted variable file to see if we can recreate it or see anything amiss?

The error message you're showing states "root @ SOME_IP: Permission denied (publickey,password)" which doesn't seem to be ansible-vault related.

jer...@gmail.com

Oct 3, 2022, 4:41:01 AM
to Ansible Project
Hmm, it seems it's not an Ansible issue: when I decrypt the key and try, it works. Then, encrypting the key, it still works. After a few minutes, it stops working...
From Ansible on Ubuntu 18.04 (Python 3.6) to a target on 20.04.

#: ansible --version
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.9 (default, Jun 29 2022, 11:45:57) [GCC
8.4.0]. This feature will be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
/home/user/.local/lib/python3.6/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.exceptions import InvalidSignature
ansible [core 2.11.12]
  config file = /home/user/projects/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/.local/lib/python3.6/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.6.9 (default, Jun 29 2022, 11:45:57) [GCC 8.4.0]
  jinja version = 3.0.3
  libyaml = True

Rowe, Walter P. (Fed)

Oct 3, 2022, 7:08:16 AM
to ansible...@googlegroups.com
Is your version of ansible / ansible-vault supported on Ubuntu 18.04?

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123


Dick Visser

Oct 3, 2022, 7:53:21 AM
to ansible...@googlegroups.com
This sounds like the key is cached by some agent. Investigate that.


Todd Lewis

Oct 3, 2022, 8:00:53 AM
to Ansible Project
I don't think what you're doing is expected to work.
ansible_ssh_private_key_file is the path to a private key file used by ssh. That you happen to point it at a file in {{inventory_dir}}/group_vars doesn't somehow make ssh able to decrypt ansible-vault encrypted files.

Dick Visser

Oct 3, 2022, 8:11:14 AM
to ansible...@googlegroups.com
On Mon, 3 Oct 2022 at 14:01, Todd Lewis <uto...@gmail.com> wrote:
>
> I don't think what you're doing is expected to work.
> ansible_ssh_private_key_file is the path to a private key file used by ssh. That you happen to point it at a file in {{inventory_dir}}/group_vars doesn't somehow make ssh able to decrypt ansible-vault encrypted files.

See also https://github.com/ansible/ansible/issues/22382

jer...@gmail.com

Oct 18, 2022, 4:02:21 AM
to Ansible Project
So what is the right approach to secure an SSH private key?

Dick Visser

Oct 18, 2022, 4:38:59 AM
to ansible...@googlegroups.com
On Tue, 18 Oct 2022 at 10:02, jer...@gmail.com <jer...@gmail.com> wrote:
>
> So what is the right approach to secure an SSH private key?

That depends entirely on your situation and its security requirements.
This can mean anything, from not encrypting anything, to fancy HSMs, etc.
In any case, it's not something specific to ansible I would say.

Dick
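Added example, not code from the thread or from Ansible itself. It ties together Todd's point (ssh reads the file named by ansible_ssh_private_key_file as-is, so a vaulted blob is "invalid format" to it) and the question of what to do instead. The first helper tells you what kind of file the variable really points at; the second is one option that fits Dick's "depends on your situation" answer: decrypt the vaulted key on the fly into ssh-agent so the plaintext never lands on disk. The headers matched are the standard ansible-vault and OpenSSH/PEM ones; ansible-vault, ssh-add and a running agent are assumed for the last helper, and the file paths in the comments are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Ansible).
# key_file_kind:    what is this file, really?
# check_key_for_ssh: could ssh load it directly, or would it say "invalid format"?
# load_vaulted_key_into_agent: stream a vaulted key into ssh-agent without
#                              writing the plaintext anywhere.
set -eu

# key_file_kind FILE -> prints vault | openssh | pem | unknown
key_file_kind() {
    local first=''
    IFS= read -r first < "$1" || true   # file may lack a trailing newline
    case "$first" in
        '$ANSIBLE_VAULT;'*)                    echo vault ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN '*' PRIVATE KEY-----')     echo pem ;;
        *)                                     echo unknown ;;
    esac
}

# check_key_for_ssh FILE -> returns 0 if ssh can load it as-is, 1 otherwise
check_key_for_ssh() {
    local kind
    kind=$(key_file_kind "$1")
    case "$kind" in
        openssh|pem) return 0 ;;
        vault)
            echo "$1 is an ansible-vault blob; ssh will report 'invalid format'" >&2
            return 1 ;;
        *)
            echo "$1 does not look like an SSH private key" >&2
            return 1 ;;
    esac
}

# load_vaulted_key_into_agent FILE
# Requires ansible-vault, ssh-add and SSH_AUTH_SOCK (a running agent).
# ansible-vault honours ANSIBLE_VAULT_PASSWORD_FILE as usual; the decrypted
# key travels through a pipe only, and the agent's lifetime bounds how long
# it stays usable. Only vault files are accepted here by design.
load_vaulted_key_into_agent() {
    [ "$(key_file_kind "$1")" = vault ] || {
        echo "$1 is not an ansible-vault file; point ssh at it directly" >&2
        return 1
    }
    ansible-vault view "$1" | ssh-add -
}
```

Usage: run `load_vaulted_key_into_agent inventory/group_vars/path/to/key` in the shell before `ansible-playbook`, and leave ansible_ssh_private_key_file unset so ssh falls back to the agent; `ssh-add -t <seconds> -` can be substituted for `ssh-add -` to give the key a fixed lifetime in the agent.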