Configuring ssh passwordless access for a user

1,530 views
Skip to first unread message

tim.j....@gmail.com

unread,
Mar 25, 2014, 11:05:23 AM3/25/14
to ansible...@googlegroups.com

Hi There,

I'm attempting to configure ssh access to a user via ansible, as described in the blog entry at:
http://www.hashbangcode.com/blog/ansible-ssh-setup-playbook

I'm running this playbook using ansible version 1.4.5 on rhel 6.3.

My inventory hosts file looks like:

[hosts]
172.20.0.36 ansible_connection=ssh ansible_ssh_user=deployment ansible_ssh_pass=password

I have sshpass installed:


[ansible@rwc-host1 inventory]$ sudo yum list | grep sshpass
sshpass.x86_64                             1.05-1.el6                      @epel

My ansible.cfg file looks like this:


[ansible@rwc-host1 inventory]$ cat ansible.cfg
[defaults]
host_key_checking=False
[ansible@rwc-host1 inventory]$

I already have the user created on the remote server with sudo access, so all the playbook really needs to do is take the contents of id_rsa.pub and add it to the authorized_keys file for the remote user.


The user I'm connecting as is the same as the user who's authorized_keys file I want to create.

However, the user I'm running the playbook as on the ansible control machine is different.
For example, the control user is named 'ansible' and the remote user is named 'deployment'

The  playbook file is:

---

- name: configure authorized_keys
  hosts: hosts
  user: deployment
  sudo: yes

  roles:
    - setup


The task in my playbook is simply:


- name: add create authorized_keys file
  authorized_key: user=deployment key="{{ lookup('file', '~/.ssh/id_rsa.pub') }}"

But when I run the playbook I get the following error:


[ansible@rwc-host1 vm]$ ansible-playbook -i inventory/hosts setup.yml
PLAY [configure authorized_keys] **********************************************
GATHERING FACTS ***************************************************************
previous known host file not found
fatal: [172.20.0.36] => using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ansib
le_ssh_args in the config file) before running again
TASK: [setup | add create authorized_keys file] *******************************
FATAL: no hosts matched or all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
           to retry, use: --limit @/export/home/ansible/setup.retry
172.20.0.36                : ok=0    changed=0    unreachable=1    failed=0  
[ansible@rwc-host1 vm]$

So then I tried adding the below to my ansible.cfg file:


[ssh_connection]
ssh_args = ""

rerunning the playbook resulted in the same error:

[ansible@rwc-host1 vm]$ ansible-playbook  -i inventory/hosts setup.yml
PLAY [configure authorized_keys] **********************************************
GATHERING FACTS ***************************************************************
previous known host file not found
fatal: [172.20.0.36] => using -c ssh on certain older ssh versions may not support ControlPersist, set ANSIBLE_SSH_ARGS="" (or ansib
le_ssh_args in the config file) before running again
TASK: [setup | add create authorized_keys file] *******************************
FATAL: no hosts matched or all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
           to retry, use: --limit @/export/home/ansible/setup.retry
172.20.0.36                : ok=0    changed=0    unreachable=1    failed=0   

So, then I thought since ansible uses paramiko instead of openssl on rhel systems I added the below to my ansible.cfg file:

[paramiko_connection]
record_host_keys = False

But that made no difference either.

I then added the ANSIBLE_SSH_ARGS environment variable:

export ANSIBLE_SSH_ARGS=""

This resulted in a different error:


[ansible@rwc-host1 vm]$ ansible-playbook  -i inventory/hosts setup.yml
PLAY [configure authorized_keys] **********************************************
GATHERING FACTS ***************************************************************
previous known host file not found
fatal: [172.20.0.36] => Authentication or permission failure.  In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in "/tmp". Failed comm
and was: mkdir -p $HOME/.ansible/tmp/ansible-1395740233.19-20098518683931 && chmod a+rx $HOME/.ansible/tmp/ansible-1395740233.19-200
98518683931 && echo $HOME/.ansible/tmp/ansible-1395740233.19-20098518683931, exited with result 6
TASK: [setup | add create authorized_keys file] *******************************
FATAL: no hosts matched or all hosts have already failed -- aborting
PLAY RECAP ********************************************************************
           to retry, use: --limit @/export/home/ansible/setup.retry
172.20.0.36                : ok=0    changed=0    unreachable=1    failed=0   

I then set the remote_tmp  variable in the [defaults] section of my ansible.cfg file, but rerunning the playbook resulted in the same error.

Since setting the environment variable  ANSIBLE_SSH_ARGS seem to have more affect than  settings in the ansible.cfg file, it makes me wonder if ansible is taking any notice of my ansible.cfg file at all.  I'm not sure how this could happen since its in the same directory as my hosts file and that is read correctly.

Is this problem related to rhel  and the fact it uses paramiko instead of openssl?

Has people  any other thoughts as to why I can't seem to ssh to the user in question using my current configuration?

Many thanks,

Tim

Michael DeHaan

unread,
Mar 25, 2014, 3:25:03 PM3/25/14
to ansible...@googlegroups.com
Ansible does read ansible.cfg.

The error about not matching hosts is probably a thing about what groups and hosts you have defined vs your playbooks.




--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/6c36b207-c085-45ac-8343-de6d96f5f55c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

tim.j....@gmail.com

unread,
Mar 27, 2014, 6:25:06 AM3/27/14
to ansible...@googlegroups.com
Hi Michael,

My hosts file is simply:


[hosts]

172.20.0.36 ansible_connection=ssh ansible_ssh_user=deployment ansible_ssh_pass=password



and in the playbook I use:

- name: configure authorized_keys

hosts: hosts

user: deployment

sudo: yes


So not sure why there should be a problem in that instance?

However, my main issue is getting ssh working?

Thanks,

Tim

Michael DeHaan

unread,
Mar 27, 2014, 2:04:14 PM3/27/14
to ansible...@googlegroups.com
Your host file might need to be pathed with -i if it's in an unexpected location.




--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/d9e6e6df-3b1e-4544-9e4b-42dcfaea49e3%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages