Ansible (Tower) with Duo Unix

[DasBill]

Hello, 

i already asked the support but they mean that 2FA is not supported yet.
I tried it with Ansible Tower and only with Ansible but no way to make it work.

In my test environment i used two Debian 8.3 server with Duo Unix (https://duo.com/docs/duounix#linux-distribution-packages)
I found that when i comment the line in /etc/ssh/sshd_config:
AuthenticationMethods publickey,keyboard-interactive
It works then, but it's necessary for Duo.

The output of Tower:

<192.168.1.22> ESTABLISH SSH CONNECTION FOR USER: ansible
<192.168.1.22> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=6448 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansibleupd -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_s7mKlq/cp/ansible-ssh-%h-%p-%r -tt 192.168.1.22 '/bin/sh -c '"'"'( umask 22 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1456663535.16-219210006639418 `" && echo "` echo $HOME/.ansible/tmp/ansible-tmp-1456663535.16-219210006639418 `" )'"'"''
fatal: [192.168.1.22]: UNREACHABLE! => {"changed": false, "msg": "SSH encountered an unknown error. The output was:\nOpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/tmp/ansible_tower_s7mKlq/cp/ansible-ssh-192.168.1.22-22-ansible\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to 192.168.1.22 [192.168.1.22] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 9979 ms remain after connect\r\ndebug1: identity file /var/lib/awx/.ssh/id_rsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_rsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_dsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_dsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ecdsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ecdsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ed25519 type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u1\r\ndebug1: match: OpenSSH_6.7p1 Debian-5+deb8u1 pat OpenSSH* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: load_hostkeys: loading entries for host \"[192.168.1.22]:22\" from file \"/var/lib/awx/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed2551...@openssh.com,ssh-rsa-...@openssh.com,ssh-dss-...@openssh.com,ssh-rsa-...@openssh.com,ssh-dss-...@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-m...@openssh.com,hmac-s...@openssh.com,umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,hmac-sha...@openssh.com,hmac-md...@openssh.com,hmac-md5,hmac-sha1,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: hmac-m...@openssh.com,hmac-s...@openssh.com,umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-ripe...@openssh.com,hmac-sha...@openssh.com,hmac-md...@openssh.com,hmac-md5,hmac-sha1,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ri...@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: zl...@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: zl...@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: kex_parse_kexinit: curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com\r\ndebug2: kex_parse_kexinit: umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-s...@openssh.com,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: kex_parse_kexinit: umac-...@openssh.com,umac-1...@openssh.com,hmac-sha...@openssh.com,hmac-sha...@openssh.com,hmac-s...@openssh.com,uma...@openssh.com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: kex_parse_kexinit: none,zl...@openssh.com\r\ndebug2: kex_parse_kexinit: none,zl...@openssh.com\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: mac_setup: setup hmac-s...@openssh.com\r\ndebug1: kex: server->client aes128-ctr hmac-s...@openssh.com zl...@openssh.com\r\ndebug2: mac_setup: setup hmac-s...@openssh.com\r\ndebug1: kex: client->server aes128-ctr hmac-s...@openssh.com zl...@openssh.com\r\ndebug1: sending SSH2_MSG_KEX_ECDH_INIT\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: ECDSA bf:76:fe:be:e0:c7:93:96:2e:56:b6:91:72:8f:24:9b\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: load_hostkeys: loading entries for host \"[192.168.1.22]:22\" from file \"/var/lib/awx/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: load_hostkeys: loading entries for host \"[192.168.42.4]:6448\" from file \"/var/lib/awx/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug1: Host '[192.168.42.4]:6448' is known and matches the ECDSA host key.\r\ndebug1: Found key in /var/lib/awx/.ssh/known_hosts:13\r\ndebug1: ssh_ecdsa_verify: signature correct\r\ndebug2: kex_derive_keys\r\ndebug2: set_newkeys: mode 1\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug2: set_newkeys: mode 0\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug1: SSH2_MSG_SERVICE_REQUEST sent\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug2: key: /tmp/ansible_tower_s7mKlq/credential (0x7f656db6aa60),\r\ndebug2: key: /var/lib/awx/.ssh/id_rsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_dsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: publickey\r\ndebug3: start over, passed a different list publickey\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup publickey\r\ndebug3: remaining preferred: ,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Offering RSA public key: /tmp/ansible_tower_s7mKlq/credential\r\ndebug3: send_pubkey_test\r\ndebug2: we sent a publickey packet, wait for reply\r\ndebug1: Server accepts key: pkalg ssh-rsa blen 277\r\ndebug2: input_userauth_pk_ok: fp 5b:ae:81:a1:27:f1:c8:26:40:f5:9e:bc:d7:77:f9:ef\r\ndebug3: sign_and_send_pubkey: RSA 5b:ae:81:a1:27:f1:c8:26:40:f5:9e:bc:d7:77:f9:ef\r\nAuthenticated with partial success.\r\ndebug2: key: /tmp/ansible_tower_s7mKlq/credential (0x7f656db6aa30),\r\ndebug2: key: /var/lib/awx/.ssh/id_rsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_dsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: keyboard-interactive\r\ndebug3: start over, passed a different list keyboard-interactive\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug1: No more authentication methods to try.\r\nPermission denied (keyboard-interactive).\r\n", "unreachable": true}
        to retry, use: --limit @ansible_apt.retry

PLAY RECAP *********************************************************************
192.168.1.22               : ok=0    changed=0    unreachable=1    failed=0