paramiko: The authenticity of host can't be established

4,997 views
Skip to first unread message

lanz

unread,
Nov 18, 2014, 8:46:31 PM11/18/14
to ansible...@googlegroups.com

ansible v1.7.2, running on RHEL 6.5, x86_64


Sorry for the newbie question, but I'm just starting out with ansible. I've

set up the SSH public/private key pairs between the ansible host and a few 

test boxes; I can now use ssh to log in to any of those boxes without being 

prompted for a password.


But when I try


    $ ansible all -m ping


I get failures like this for each host:


paramiko: The authenticity of host 'sesincub.stanford.edu' can't be established. 

The ssh-rsa key fingerprint is e5044ec0f82c2d1c25bc088c6cf9f372. 

Are you sure you want to continue connecting (yes/no)?

yes

sesincub.stanford.edu | FAILED >> {

    "failed": true, 

    "msg": "  File \"/home/lanz/.ansible/tmp/ansible-tmp-1416358227.56-273156953803218/ping\", line 185\n    return dict((_convert(k), _convert(v)) for k, v in node.items)\n                                             ^\nSyntaxError: invalid syntax\n", 

    "parsed": false

}


Is this the "OpenSSH is too old on RHEL-6" problem? Isn't paramiko supposed

to work around that? How do I fix this?


There is no /etc/ansible/ansible.cfg or ~/.ansible.cfg file.


-- 

Kai Lanz          Stanford University          School of Earth Sciences

lanz

unread,
Nov 19, 2014, 4:04:49 PM11/19/14
to ansible...@googlegroups.com

On Tuesday, November 18, 2014 5:46:31 PM UTC-8, lanz wrote:

ansible v1.7.2, running on RHEL 6.5, x86_64


But when I try


    $ ansible all -m ping


I get failures like this for each host:


paramiko: The authenticity of host 'sesincub.stanford.edu' can't be established. 

The ssh-rsa key fingerprint is e5044ec0f82c2d1c25bc088c6cf9f372. 

Are you sure you want to continue connecting (yes/no)?

yes

sesincub.stanford.edu | FAILED >> {

    "failed": true, 

    "msg": "  File \"/home/lanz/.ansible/tmp/ansible-tmp-1416358227.56-273156953803218/ping\", line 185\n    return dict((_convert(k), _convert(v)) for k, v in node.items)\n                                             ^\nSyntaxError: invalid syntax\n", 

    "parsed": false

}

 

I've answered part of my question. Our Kerberos authentication setup was

getting in the way of my tests yesterday and confusing paramiko. So, to get

Kerberos out of the way and guarantee that I'm using the SSH public key auth,

I've deleted my kerberos tickets. Now I can ssh into my test boxes from the

ansible host, still without being prompted for a password, and the logs on

the client box show "Accepted publickey for lanz" as expected.


And now, when I try the ansible 'ping', the complaints from paramiko are

gone:


$ ansible all -m ping

sesincub.stanford.edu | FAILED >> {

    "failed": true, 

    "msg": "  File \"/home/lanz/.ansible/tmp/ansible-tmp-1416422847.56-222433795331874/ping\", line 185\n    return dict((_convert(k), _convert(v)) for k, v in node.items)\n                                             ^\nSyntaxError: invalid syntax\n", 

    "parsed": false

}


As a result of this ping attempt, the logs on the client box say:


Nov 19 10:47:27 sesincub sshd[14161]: Accepted publickey for lanz from 171.x.x.x port 59540 ssh2

Nov 19 10:47:27 sesincub sshd[14163]: subsystem request for sftp


So, is that the expected output from the ping test? It doesn't look like it;

it looks like a little block of source code. Why am I seeing that?


I've tested sftp manually from the ansible host to the client, and it works

fine.


Python version is 2.6.6.


-- 

Kai Lanz              Stanford University           SChool of Earth Sciences 

Brian Coca

unread,
Nov 19, 2014, 4:18:54 PM11/19/14
to ansible...@googlegroups.com
Hi,

The expected output of the ping module is a 'pong' response from the server, your output seems to indicate there is some problem with the ping module code, the ssh connection is fine at this point. 

The weird part is that this is common code used by all modules, I just tested and it doesn't seem broken on my copy of 1.7.2, so I cannot reproduce the error. Please verify that the ansible source files have not been edited.

lanz

unread,
Nov 19, 2014, 5:08:52 PM11/19/14
to ansible...@googlegroups.com
Brian,

We have not modified any of the ansible source files.

I've used find/grep to search every .py file under /usr/lib/python2.6/site-packages without finding the source code block I've quoted above.
(I also looked under the corresponding lib64 tree.) Any idea where it's coming from?

What can we try next to narrow this down?

-- Kai

Brian Coca

unread,
Nov 19, 2014, 6:34:04 PM11/19/14
to ansible...@googlegroups.com
the code comes from:

lib/ansible/module_utils/basic.py

where that ends up depends on your installation method.


--
Brian Coca

lanz

unread,
Nov 20, 2014, 1:37:00 PM11/20/14
to ansible...@googlegroups.com
Brian,

I found the solution.

A while back, I installed a new version of Python on my test machine (sesincub) for reasons unrelated to ansible. To avoid breaking existing Python scripts, I installed the new version under a separate path (/usr/local) so it could coexist with the old version. When it came time to start testing ansible, I forgot that little detail, so I never told ansible which Python to use on the client. Thus, ansible was happily using the old v2.3.4 Python, which doesn't work. Once I remembered all this, the fix was trivial: edit /etc/ansible/hosts and set the path to the correct, new Python interpreter on sesincub:

sesincub.stanford.edu ansible_python_interpreter=/usr/local/bin/python


This immediately fixed the ping test:


sesincub.stanford.edu | success >> {

    "changed": false, 

    "ping": "pong"

}


Your comment referring to basic.py was very helpful; checking the source code enabled me to google more effectively, and I quickly found this:


http://stivesso.blogspot.com/2014/08/ansible-hosts-install-alternate.html


which jogged my memory and revealed the simple fix.


Thanks for your help.


-- 

Kai Lanz

Reply all
Reply to author
Forward
0 new messages