Permission Denied error


aman kumar chagti

Sep 2, 2021, 7:55:10 AM
to Ansible Project
When I try to run the playbook on a remote VM using password-based authentication, I'm getting the following error:
fatal: [X.X.X.X]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: x...@X.X.X.X: Permission denied (publickey,password).", "unreachable": true}
User and password are present in the inventory file.
But when I try to connect to the VM manually by SSH using that same password, I'm able to log in. Can anyone figure out the solution?

Komal Suthar

Sep 2, 2021, 8:29:48 AM
to ansible...@googlegroups.com
Have you given privilege escalation? Try doing that.


Jean-Yves LENHOF

Sep 2, 2021, 8:36:44 AM
to ansible...@googlegroups.com

If you want password authentication, you need sshpass on your ansible controller server. Did you install it?

Regards,

JYL

aman kumar chagti

Sep 2, 2021, 8:48:31 AM
to Ansible Project
Yes, sshpass is installed.

aman kumar chagti

Sep 2, 2021, 8:52:29 AM
to Ansible Project
How to give privilege escalation?

On Thursday, September 2, 2021 at 6:18:49 PM UTC+5:30 aman kumar chagti wrote:
how to do that??

aman kumar chagti

Sep 2, 2021, 8:53:23 AM
to Ansible Project
@jyle does sshpass need to be installed on the target VM as well?

On Thursday, September 2, 2021 at 6:06:44 PM UTC+5:30 jyle...@gmail.com wrote:

aman kumar chagti

Sep 2, 2021, 9:13:41 AM
to Ansible Project
I've given privilege escalation in the playbook, i.e., become: yes

Jean-Yves LENHOF

Sep 2, 2021, 9:35:48 AM
to ansible...@googlegroups.com

On 02/09/2021 at 14:53, aman kumar chagti wrote:
> @jyle if sshpass needs to be installed on target VM as well??


Nope, only on server side

Regards,


JYL

elmustapha htioui

Sep 2, 2021, 9:43:52 AM
to ansible...@googlegroups.com
Hello,
On the one hand, when using become: yes, verify if the root password on the managed nodes is the same as the controller, otherwise use -k and specify the root managed node password.
On the other hand, when using a dedicated user for ansible, verify if that user exists and is a sudoer on the managed nodes when using become_method: sudo.
Hope this helps!



aman kumar chagti

Sep 2, 2021, 10:04:11 AM
to Ansible Project
I tried these methods... same error coming up.

Jean-Yves LENHOF

Sep 2, 2021, 10:29:41 AM
to ansible...@googlegroups.com

Is the ssh test you made using the ansible controller server?

Are you sure you are using the right ansible user on the target host? (-u parameter for ansible-playbook)

Regards,

JY

elmustapha htioui

Sep 2, 2021, 10:33:24 AM
to ansible...@googlegroups.com
Which inventory file do you use? And try to run the playbook with -vvvv for debugging purposes. If you can share the output of the debugging command, that would be great!

John Petro

Sep 2, 2021, 11:21:19 AM
to ansible...@googlegroups.com
Are you able to ssh from the control node to the client as that user? If so, does it fail, or are you able to log in? If you are able to log in, then you might have a problem with your ansible command syntax. Personally, when I run a playbook, I have to specify the user ( -u ) and I also have to tell ansible-playbook to ask for the password ( --ask-pass ).

So, for me, an execution would look something like this: ansible-playbook playbook.yml -u username --ask-pass

Of course, I am just guessing at this right now, since I am not sure I have seen how you are calling the playbook, etc. Adding the verbose options ( -vvvv ) would also be helpful in figuring out what is going on.

good luck!!

--John


aman kumar chagti

Sep 3, 2021, 10:07:04 AM
to Ansible Project
Hi, I used the -vvvv option, and I found something.
SH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="seconize"' -o ConnectTimeout=10 -o ControlPath=/home/wyxadministrator/.ansible/cp/68474f4208 x.y.z.x '/bin/sh -c '"'"'echo ~hello && sleep 0'"'"''  

So, if you see, password-based authentication is disabled, so that's why it's giving the error... How to enable it? I don't know... any idea, folks?

Tej Singh Rana

Sep 3, 2021, 10:20:38 AM
to ansible...@googlegroups.com
This link will be helpful to understand how to enable password based authentication. 




--
Regards,
Tej Singh Rana

elmustapha htioui

Sep 3, 2021, 10:24:28 AM
to ansible...@googlegroups.com
Verify if PasswordAuthentication is set to yes in the /etc/ssh/sshd_config and restart the sshd service on the managed node.

aman kumar chagti

Sep 3, 2021, 10:38:50 AM
to Ansible Project
On the target server or on the controller server?

aman kumar chagti

Sep 3, 2021, 10:40:49 AM
to Ansible Project
PasswordAuthentication is set to yes on both target and controller servers. FYI

aman kumar chagti

Sep 3, 2021, 10:43:28 AM
to Ansible Project
I'm manually able to log in to the target VM by password... but not through ansible. I even tried to use the private key as well, but still the same issue is coming up...

elmustapha htioui

Sep 3, 2021, 10:46:52 AM
to ansible...@googlegroups.com
OK for what you are saying.
Please check again if the ansible user on the target node is a sudoer user, as I suppose your playbook has tasks to be run in a privileged mode.

Jean-Yves LENHOF

Sep 3, 2021, 10:48:59 AM
to ansible...@googlegroups.com

Hi,

Look at your /etc/ansible.cfg, the $HOME/.ansible.cfg in your home, or your inventory files; you probably override ansible_ssh_common_args somewhere!

Regards,

aman kumar chagti

Sep 3, 2021, 10:55:14 AM
to Ansible Project
Yes, it's a sudoer user.

aman kumar chagti

Sep 3, 2021, 10:55:46 AM
to Ansible Project
This is my inventory file:

X.X.X.X ansible_user=abc ansible_ssh_pass=xyz ansible_ssh_common_args='-o StrictHostKeyChecking=no' ansible_ssh_private_key_file=/home/dfc/.ssh/qmx/idk 

Antony Stone

Sep 3, 2021, 11:03:23 AM
to ansible...@googlegroups.com
On Friday 03 September 2021 at 16:55:46, aman kumar chagti wrote:

> this is my inventory file:
>
> X.X.X.X ansible_user=abc ansible_ssh_pass=xyz ansible_ssh_common_args='-o
> StrictHostKeyChecking=no'
> ansible_ssh_private_key_file=/home/dfc/.ssh/qmx/idk

What are the ownership and permissions on that file?

Make sure it's clear in your answer whether this means "user abc" or not.

Antony.

--
I don't know, maybe if we all waited then cosmic rays would write all our
software for us. Of course it might take a while.

- Ron Minnich, Los Alamos National Laboratory

Please reply to the list;
please *don't* CC me.

aman kumar chagti

Sep 3, 2021, 11:21:29 AM
to Ansible Project
-rw-r--r-- are the permissions on the file, and ownership is root.

Antony Stone

Sep 3, 2021, 2:28:09 PM
to ansible...@googlegroups.com
On Thursday 02 September 2021 at 13:55:09, aman kumar chagti wrote:

> when I try to run the playbook on a remote VM using password-based
> authentication, I'm getting the following error

Which user are you running the playbook as, on the machine running ansible?


Antony.

--
Police have found a cartoonist dead in his house. They say that details are
currently sketchy.

Antony Stone

Sep 3, 2021, 2:47:30 PM
to ansible...@googlegroups.com
On Friday 03 September 2021 at 07:31:14, aman kumar chagti wrote:

> After -vvvv option, this coming up. any idea, what's going on??

I know the output below is terribly formatted for reading, but if you do look
through it, you can see that everywhere it is trying to fetch a public key, it
is looking in /root/.ssh, and yet you say that your key is in
/home/dfc/.ssh/qmx/idk

Nowhere in the output below is the string "dfc".

I suspect that is the cause of the problem.

> "msg": "Failed to connect to the host via ssh: OpenSSH_7.6p1
> Ubuntu-4ubuntu0.5, OpenSSL 1.0.2n 7 Dec 2017\r\ndebug1: Reading
> configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line
> 19: Applying options for *\r\ndebug1: auto-mux: Trying existing
> master\r\ndebug1: Control socket
> \"/home/xyzadministrator/.ansible/cp/68474f4208\" does not exist\r\ndebug2:
> resolving \"X.X.X.X\" port 22\r\ndebug2: ssh_connect_direct: needpriv
> 0\r\ndebug1: Connecting to X.X.X.X [X.X.X.X] port 22.\r\ndebug2: fd 3
> setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1:
> Connection established.\r\ndebug3: timeout: 9992 ms remain after
> connect\r\ndebug1: permanently_set_uid: 0/0\r\ndebug1: key_load_public: No
> such file or directory\r\ndebug1: identity file /root/.ssh/id_rsa type
> -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1:
> identity file /root/.ssh/id_rsa-cert type -1\r\ndebug1: key_load_public: No
> such file or directory\r\ndebug1: identity file /root/.ssh/id_dsa type
> -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1:
> identity file /root/.ssh/id_dsa-cert type -1\r\ndebug1: key_load_public: No
> such file or directory\r\ndebug1: identity file /root/.ssh/id_ecdsa type
> -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1:
> identity file /root/.ssh/id_ecdsa-cert type -1\r\ndebug1: key_load_public:
> No such file or directory\r\ndebug1: identity file /root/.ssh/id_ed25519
> type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1:
> identity file /root/.ssh/id_ed25519-cert type -1\r\ndebug1: Local version
> string SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\r\ndebug1: Remote protocol
> version 2.0, remote software version OpenSSH_7.6p1
> Ubuntu-4ubuntu0.5\r\ndebug1: match: OpenSSH_7.6p1 Ubuntu-4ubuntu0.5 pat
> OpenSSH* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1:
> Authenticating to X.X.X.X:22 as 'xyz'\r\ndebug3: hostkeys_foreach: reading
> file \"/root/.ssh/known_hosts\"\r\ndebug3: record_hostkey: found key type
> ECDSA in file /root/.ssh/known_hosts:4\r\ndebug3: load_hostkeys: loaded 1
> keys from X.X.X.X\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs:
> ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp384-cert-v01@opens
> sh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp256,ecdsa-s
> ha2-nistp384,ecdsa-sha2-nistp521\r\ndebug3: send packet: type 20\r\ndebug1:
> SSH2_MSG_KEXINIT sent\r\ndebug3: receive packet: type 20\r\ndebug1:
> SSH2_MSG_KEXINIT received\r\ndebug2: local client KEXINIT
> proposal\r\ndebug2: KEX algorithms:
> curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2
> -nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-he
> llman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exc
> hange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-in
> fo-c\r\ndebug2: host key algorithms:
> ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp384-cert-v01@opens
> sh.com,ecdsa-sha2-nis...@openssh.com,ecdsa-sha2-nistp256,ecdsa-s
> ha2-nistp384,ecdsa-sha2-nistp521,ssh-ed2551...@openssh.com,ssh-rsa-c
> ert...@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa\r\ndebug2
> : ciphers ctos:
> chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@o
> penssh.com,aes25...@openssh.com\r\ndebug2: ciphers stoc:
> chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@o
> penssh.com,aes25...@openssh.com\r\ndebug2: MACs ctos:
> umac-...@openssh.com,umac-1...@openssh.com,hmac-sha2-256-etm@openssh.
> com,hmac-sha...@openssh.com,hmac-s...@openssh.com,umac-64@openssh
> .com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2:
> MACs stoc:
> umac-...@openssh.com,umac-1...@openssh.com,hmac-sha2-256-etm@openssh.
> com,hmac-sha...@openssh.com,hmac-s...@openssh.com,umac-64@openssh
> .com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2:
> compression ctos: zl...@openssh.com,zlib,none\r\ndebug2: compression stoc:
> zl...@openssh.com,zlib,none\r\ndebug2: languages ctos: \r\ndebug2:
> languages stoc: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0
> \r\ndebug2: peer server KEXINIT proposal\r\ndebug2: KEX algorithms:
> curve25519-sha256,curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2
> -nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-he
> llman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-s
> ha256,diffie-hellman-group14-sha1\r\ndebug2: host key algorithms:
> ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2
> : ciphers ctos:
> chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@o
> penssh.com,aes25...@openssh.com\r\ndebug2: ciphers stoc:
> chacha20...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@o
> penssh.com,aes25...@openssh.com\r\ndebug2: MACs ctos:
> umac-...@openssh.com,umac-1...@openssh.com,hmac-sha2-256-etm@openssh.
> com,hmac-sha...@openssh.com,hmac-s...@openssh.com,umac-64@openssh
> .com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2:
> MACs stoc:
> umac-...@openssh.com,umac-1...@openssh.com,hmac-sha2-256-etm@openssh.
> com,hmac-sha...@openssh.com,hmac-s...@openssh.com,umac-64@openssh
> .com,umac...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2:
> compression ctos: none,zl...@openssh.com\r\ndebug2: compression stoc:
> none,zl...@openssh.com\r\ndebug2: languages ctos: \r\ndebug2: languages
> stoc: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug1:
> kex: algorithm: curve25519-sha256\r\ndebug1: kex: host key algorithm:
> ecdsa-sha2-nistp256\r\ndebug1: kex: server->client cipher:
> chacha20...@openssh.com MAC: <implicit> compression:
> zl...@openssh.com\r\ndebug1: kex: client->server cipher:
> chacha20...@openssh.com MAC: <implicit> compression:
> zl...@openssh.com\r\ndebug3: send packet: type 30\r\ndebug1: expecting
> SSH2_MSG_KEX_ECDH_REPLY\r\ndebug3: receive packet: type 31\r\ndebug1:
> Server host key: ecdsa-sha2-nistp256
> SHA256:Emf8D5I6q+AxRRgH63J0vP7YSlh9xe4OMZsh/t5vClk\r\ndebug3:
> hostkeys_foreach: reading file \"/root/.ssh/known_hosts\"\r\ndebug3:
> record_hostkey: found key type ECDSA in file
> /root/.ssh/known_hosts:4\r\ndebug3: load_hostkeys: loaded 1 keys from
> X.X.X.X\r\ndebug1: Host 'X.X.X.X' is known and matches the ECDSA host
> key.\r\ndebug1: Found key in /root/.ssh/known_hosts:4\r\ndebug3: send
> packet: type 21\r\ndebug2: set_newkeys: mode 1\r\ndebug1: rekey after
> 134217728 blocks\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting
> SSH2_MSG_NEWKEYS\r\ndebug3: receive packet: type 21\r\ndebug1:
> SSH2_MSG_NEWKEYS received\r\ndebug2: set_newkeys: mode 0\r\ndebug1: rekey
> after 134217728 blocks\r\ndebug2: key: /root/.ssh/id_rsa ((nil))\r\ndebug2:
> key: /root/.ssh/id_dsa ((nil))\r\ndebug2: key: /root/.ssh/id_ecdsa
> ((nil))\r\ndebug2: key: /root/.ssh/id_ed25519 ((nil))\r\ndebug3: send
> packet: type 5\r\ndebug3: receive packet: type 7\r\ndebug1:
> SSH2_MSG_EXT_INFO received\r\ndebug1: kex_input_ext_info:
> server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecds
> a-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>\r\ndebug3: receive
> packet: type 6\r\ndebug2: service_accept: ssh-userauth\r\ndebug1:
> SSH2_MSG_SERVICE_ACCEPT received\r\ndebug3: send packet: type
> 50\r\ndebug3: receive packet: type 51\r\ndebug1: Authentications that can
> continue: publickey,password\r\ndebug3: start over, passed a different
> list
> publickey,password\r\ndebug3: preferred
> gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3:
> authmethod_lookup publickey\r\ndebug3: remaining preferred:
> ,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled
> publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1:
> Trying private key: /root/.ssh/id_rsa\r\ndebug3: no such identity:
> /root/.ssh/id_rsa: No such file or directory\r\ndebug1: Trying private key:
> /root/.ssh/id_dsa\r\ndebug3: no such identity: /root/.ssh/id_dsa: No such
> file or directory\r\ndebug1: Trying private key:
> /root/.ssh/id_ecdsa\r\ndebug3: no such identity: /root/.ssh/id_ecdsa: No
> such file or directory\r\ndebug1: Trying private key:
> /root/.ssh/id_ed25519\r\ndebug3: no such identity: /root/.ssh/id_ed25519:
> No such file or directory\r\ndebug2: we did not send a packet, disable
> method\r\ndebug1: No more authentication methods to try.\r\nx...@X.X.X.X:
> Permission denied (publickey,password).",


--
This sentence contains exacly three erors.
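
Added example, not part of any post in this thread: a small Python check that reads the SSH: EXEC command line and the ssh debug output quoted above and reports which authentication methods the client was actually allowed to try. The sample inputs are taken from the thread (remote command shortened, debug log abridged); the function names are hypothetical.

```python
import re
import shlex

# Sample input taken from the thread: the SSH: EXEC line (remote command
# shortened to 'true') and an abridged excerpt of the quoted debug output.
EXEC_LINE = (
    "ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s "
    "-o KbdInteractiveAuthentication=no -o PreferredAuthentications="
    "gssapi-with-mic,gssapi-keyex,hostbased,publickey "
    "-o PasswordAuthentication=no -o 'User=\"seconize\"' -o ConnectTimeout=10 "
    "-o ControlPath=/home/wyxadministrator/.ansible/cp/68474f4208 x.y.z.x true"
)
DEBUG_LOG = (
    "debug1: Authentications that can continue: publickey,password\r\n"
    "debug3: no such identity: /root/.ssh/id_rsa: No such file or directory\r\n"
)


def ssh_options(exec_line):
    """Return the -o key=value options (plus -i) of an ssh command line."""
    argv = shlex.split(exec_line)
    opts = {}
    for flag, value in zip(argv, argv[1:]):
        if flag == "-o" and "=" in value:
            key, val = value.split("=", 1)
            opts[key.lower()] = val.strip('"')
        elif flag == "-i":
            opts["identityfile"] = value
    return opts


def diagnose(exec_line, debug_log):
    """Compare what the client may attempt with what the server offers."""
    opts = ssh_options(exec_line)
    pref = opts.get("preferredauthentications")
    preferred = pref.split(",") if pref else None  # None: ssh's default order
    m = re.search(r"Authentications that can continue: (\S+)", debug_log)
    offered = m.group(1).split(",") if m else []
    findings = []
    if opts.get("passwordauthentication") == "no" or (
            preferred is not None and "password" not in preferred):
        findings.append("client never attempts password auth")
    if "identityfile" not in opts:
        findings.append("no IdentityFile passed; only default keys are tried")
    missing = re.findall(r"no such identity: (\S+):", debug_log)
    if missing:
        findings.append("key files not found: " + ", ".join(missing))
    usable = [a for a in offered if preferred is None or a in preferred]
    return {"user": opts.get("user"), "usable": usable, "findings": findings}
```

For the command line posted in the thread, diagnose(EXEC_LINE, DEBUG_LOG) reports publickey as the only usable method and no key path on the command line, so neither ansible_ssh_pass nor ansible_ssh_private_key_file from the posted inventory line reached the ssh invocation.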