thoroughly stumped on ssh key issue; ansible not reading /root/.ssh/config? (missing something simple?).


jason cafarelli
Feb 6, 2015, 6:33:32 PM
to ansible...@googlegroups.com
Issue:
Passwordless ssh works; ansible does not, and comes back with AUTH failed.  It almost looks like my /root/.ssh/config is not being read by ansible?

Workarounds:
Setting the key manually in /etc/ansible/ansible.cfg or using the flag to specify the key on the command line both work.

Kickstart/cobbler install with a pre-shared public key that is stored in rsa_compute_node and rsa_compute_node.pub on the mgmt node.

ie:
[root@mgmt2 ssh]# ls /root/.ssh/
authorized_keys  id_rsa          id_rsa_compute.pub  id_rsa_mgmt.pub  known_hosts
config           id_rsa_compute  id_rsa_mgmt         id_rsa.pub
[root@mgmt2 ssh]#


Config file setup for certain hosts and using my custom ID file:

[root@mgmt2 ssh]# cat /root/.ssh/config
Host 192.168.* 
StrictHostKeyChecking=no
IdentityFile ~/.ssh/id_rsa_compute

ssh works without a password:
[root@mgmt2 ~]# ssh 192.168.100.147
[root@u-eth ~]#

Ansible fails:
[root@mgmt2 ssh]# ansible compute -m ping
 [WARNING]: The version of gmp you have installed has a known issue regarding
timing vulnerabilities when used with pycrypto. If possible, you should update
it (i.e. yum update gmp).

192.168.100.103 | FAILED => FAILED: Authentication failed.
192.168.100.105 | FAILED => FAILED: Authentication failed.
192.168.100.101 | FAILED => FAILED: Authentication failed.
192.168.100.104 | FAILED => FAILED: Authentication failed.
192.168.100.102 | FAILED => FAILED: Authentication failed.
192.168.100.107 | FAILED => FAILED: Authentication failed.
192.168.100.110 | FAILED => FAILED: Authentication failed.
192.168.100.106 | FAILED => FAILED: Authentication failed.
192.168.100.108 | FAILED => FAILED: Authentication failed.
192.168.100.109 | FAILED => FAILED: Authentication failed.
192.168.100.114 | FAILED => FAILED: Authentication failed.
192.168.100.113 | FAILED => FAILED: Authentication failed.
192.168.100.111 | FAILED => FAILED: Authentication failed.
192.168.100.112 | FAILED => FAILED: Authentication failed.
192.168.100.115 | FAILED => FAILED: Authentication failed.
192.168.100.120 | FAILED => FAILED: Authentication failed.
192.168.100.119 | FAILED => FAILED: Authentication failed.
192.168.100.117 | FAILED => FAILED: Authentication failed.
192.168.100.116 | FAILED => FAILED: Authentication failed.
192.168.100.118 | FAILED => FAILED: Authentication failed.
192.168.100.121 | FAILED => FAILED: Authentication failed.
192.168.100.123 | FAILED => FAILED: Authentication failed.
192.168.100.125 | FAILED => FAILED: Authentication failed.
192.168.100.122 | FAILED => FAILED: Authentication failed.
192.168.100.124 | FAILED => FAILED: Authentication failed.
192.168.100.126 | FAILED => FAILED: Authentication failed.
192.168.100.129 | FAILED => FAILED: Authentication failed.
192.168.100.128 | FAILED => FAILED: Authentication failed.
192.168.100.130 | FAILED => FAILED: Authentication failed.
192.168.100.127 | FAILED => FAILED: Authentication failed.
192.168.100.134 | FAILED => FAILED: Authentication failed.
192.168.100.131 | FAILED => FAILED: Authentication failed.
192.168.100.132 | FAILED => FAILED: Authentication failed.
192.168.100.135 | FAILED => FAILED: Authentication failed.
192.168.100.133 | FAILED => FAILED: Authentication failed.
192.168.100.137 | FAILED => FAILED: Authentication failed.
192.168.100.139 | FAILED => FAILED: Authentication failed.
192.168.100.138 | FAILED => FAILED: Authentication failed.
192.168.100.140 | FAILED => FAILED: Authentication failed.
192.168.100.136 | FAILED => FAILED: Authentication failed.
192.168.100.142 | FAILED => FAILED: Authentication failed.
192.168.100.143 | FAILED => FAILED: Authentication failed.
192.168.100.144 | FAILED => FAILED: Authentication failed.
192.168.100.145 | FAILED => FAILED: Authentication failed.
192.168.100.141 | FAILED => FAILED: Authentication failed.
192.168.100.146 | FAILED => FAILED: Authentication failed.
192.168.100.147 | FAILED => FAILED: Authentication failed.
192.168.100.148 | success >> {
    "changed": false,
    "ping": "pong"
}

The last node; I ran ssh-copy-id as a sanity test.

Version:
[root@mgmt2 ~]# rpm -qa | grep ans
dejavu-sans-fonts-2.30-2.el6.noarch
ansible-1.8.1-1.el6.noarch
[root@mgmt2 ~]#


[root@--eth .ssh]# service sshd stop; /usr/sbin/sshd -p 22 -D -d -e
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='22'
debug1: rexec_argv[3]='-D'
debug1: rexec_argv[4]='-d'
debug1: rexec_argv[5]='-e'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_5.3p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.2 port 52557
debug1: Client protocol version 2.0; client software version paramiko_1.7.5
debug1: no match: paramiko_1.7.5
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 0 failures 0
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "192.168.1.2"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 0/0 (e=0/0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for root from 192.168.1.2 port 52557 ssh2
Connection closed by 192.168.1.2
debug1: do_cleanup
debug1: do_cleanup
debug1: PAM: cleanup
[root@urika-xa46-eth .ssh]# rm /root/.ssh/authorized_keys2
rm: remove regular file `/root/.ssh/authorized_keys2'? y
[root@--eth .ssh]#

Let me know if you need any more info,

Thanks!

-Jason



Matt Martz
Feb 7, 2015, 9:24:33 AM
to ansible...@googlegroups.com
I could be wrong, but Ansible may be using paramiko on your machine instead of the ssh command.  You can verify by adding -vvvv.

Additionally you can try forcing ssh by using "-c ssh".


--
Matt Martz
@sivel
sivel.net
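Matt's suggestion can be checked from both ends. The following is an added example, not Ansible's or paramiko's code: it reproduces the probe that, as far as I know, Ansible 1.x's default "smart" transport runs to decide between ssh and paramiko (the two match strings are assumed from memory of the 1.x runner, not copied from it), and it pulls the client banner out of an "sshd -d" log such as the one Jason posted, where "client software version paramiko_1.7.5" is the tell that ssh(1), and therefore /root/.ssh/config, was never involved. ControlPersist first appeared in OpenSSH 5.6; Jason's targets run OpenSSH 5.3 and his control node is EL6 as well, so the paramiko fallback is the expected outcome there.

```python
import re
import subprocess


def decide_transport(probe_stderr):
    """Assumed rule of the 1.x 'smart' transport: if ssh rejects the
    ControlPersist keyword, or only prints its usage text, fall back to
    paramiko; otherwise ssh(1) is usable (and will read ~/.ssh/config)."""
    if "Bad configuration option" in probe_stderr or "Usage:" in probe_stderr:
        return "paramiko"
    return "ssh"


def probe_local_ssh(ssh_binary="ssh"):
    """Run the probe on this control machine: 'ssh -o ControlPersist' with
    no value and no host never connects anywhere, it only makes ssh parse
    the option. Returns (transport, raw stderr); transport is 'unknown'
    when no ssh binary is available."""
    try:
        proc = subprocess.run([ssh_binary, "-o", "ControlPersist"],
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown", ""
    return decide_transport(proc.stderr), proc.stderr


_CLIENT_RE = re.compile(r"client software version (\S+)")


def client_software(sshd_debug_log):
    """Extract the client banner from 'sshd -d' output on the target. A value
    starting with 'paramiko_' proves the control machine did not run ssh(1),
    so any IdentityFile in its ssh_config was never consulted."""
    m = _CLIENT_RE.search(sshd_debug_log)
    return m.group(1) if m else None


if __name__ == "__main__":
    transport, err = probe_local_ssh()
    print("smart transport on this host would use:", transport)
    if err:
        print("ssh said:", err.strip().splitlines()[0])
    # constructed line in the shape of the sshd debug output in the thread
    print("client seen by sshd:", client_software(
        "debug1: Client protocol version 2.0; client software version paramiko_1.7.5"))
```

Running the probe on the control node tells you which path "smart" will take before any target is touched; if it reports paramiko, either pass "-c ssh" as Matt suggests (requires the ControlPersist-capable OpenSSH, otherwise Ansible will still run without it but every task pays a full connection) or set the key explicitly with ansible_ssh_private_key_file or private_key_file in ansible.cfg, which both transports honour.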

David Proffer
Mar 12, 2015, 9:26:02 PM
to ansible...@googlegroups.com
I am having a similar problem to Jason's example. Using ansible version 1.8.4 installed via brew on an OS X 10.10.2 machine, ansible is only able to access machines that have root ssh login enabled, and only if I use the -k option in ansible. Using the -k option, ansible logs in as root and works. If I try a different user using the -u option on the ansible command line, it is ignored. I tried the -c ssh suggestion of Matt; no difference for the passwordless attempt. Ansible does ask for another program to be installed if you use -c ssh -k; I did not go down this path, as entering a password is not my goal. The following playbook works and shows that the remote user is root if I use the -k option; the playbook will fail with a log similar to Jason's above with no -k:

---
- hosts: ubuntu14
  gather_facts: False
  tasks:
  - name: who am i
    command: whoami
    register: catout
  - debug: var=catout.stdout_lines

I am able to use this paramiko 1.15.2 python code both as root and nonroot user to connect to this same Ubuntu 14.04 machine from OS X:

import paramiko

ssh = paramiko.SSHClient()
# trust the host keys already recorded for this account (known_hosts)
ssh.load_system_host_keys()
# accept, and record, host keys that are not in known_hosts yet
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('ubuntu14', username='user', password='password')
stdin, stdout, stderr = ssh.exec_command('whoami')
print(stdout.readlines())
ssh.close()

Note: I have to use set_missing_host_key_policy(paramiko.AutoAddPolicy()) to get the code to run, solving a 'not found in known_hosts' error that seems to have been known about paramiko for some time.

I am a total n00b to ansible.

-vvvv output for the following execution: ansible-playbook playbook.yml  -vvvv

<ubuntu14>
<ubuntu14>
<ubuntu14> ConnectTimeout=10 PasswordAuthentication=no KbdInteractiveAuthentication=no User=root ControlPath=/Users/dproffer/.ansible/cp/ansible-ssh-%h-%p-%r PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey ControlMaster=auto Port=22 ControlPersist=60s
fatal: [ubuntu14] => SSH encountered an unknown error. The output was:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/dproffer/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/dproffer/.ansible/cp/ansible-ssh-ubuntu14-22-root" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to ubuntu14 [192.168.1.150] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 10000 ms remain after connect
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/dproffer/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/dproffer/.ssh/id_rsa type 1
debug1: identity file /Users/dproffer/.ssh/id_rsa-cert type -1
debug1: identity file /Users/dproffer/.ssh/id_dsa type -1
debug1: identity file /Users/dproffer/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-8 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ubuntu14" from file "/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-...@openssh.com,ssh-rsa-...@openssh.com,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: zl...@openssh.com,zlib,none
debug2: kex_parse_kexinit: zl...@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve255...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12...@openssh.com,aes25...@openssh.com,chacha20...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijnda...@lysator.liu.se
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit: none,zl...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-m...@openssh.com
debug1: kex: server->client aes128-ctr hmac-m...@openssh.com zl...@openssh.com
debug2: mac_setup: found hmac-m...@openssh.com
debug1: kex: client->server aes128-ctr hmac-m...@openssh.com zl...@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug3: load_hostkeys: loading entries for host "ubuntu14" from file "/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.1.150" from file "/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'ubuntu14' is known and matches the RSA host key.
debug1: Found key in /Users/dproffer/.ssh/known_hosts:2
debug2: bits set: 491/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/dproffer/.ssh/id_rsa (0x7ffc59c16020),
debug2: key: /Users/dproffer/.ssh/id_dsa (0x0),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/dproffer/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/dproffer/.ssh/id_dsa
debug3: no such identity: /Users/dproffer/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).
-------
Thanks!

David Proffer
Mar 13, 2015, 10:56:10 AM
to ansible...@googlegroups.com
After a bit more reading and learning, I have found that using the ansible option:

ansible_ssh_user

is the way to select the ssh user in ansible. It can be placed in ansible's hosts file, in a playbook or on the command line. In a playbook for example:

---
- hosts: ubuntu14-docker
  vars:
  - ansible_ssh_user: zorro
  gather_facts: False
  tasks:
  - name: who am i
    command: whoami
    register: catout
  - debug: var=catout.stdout_lines
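Putting the three posts together (Jason's per-host IdentityFile in /root/.ssh/config, Matt's point that a paramiko connection never reads that file, and David's ansible_ssh_user), the portable fix is to express the per-host settings as inventory host variables, which Ansible honours under either transport. The following is an added example, not Ansible's or paramiko's own code: a small ssh_config resolver that applies Host patterns with ssh(1)'s first-match precedence, renders the result as Ansible 1.x inventory variables (ansible_ssh_user, ansible_ssh_port, ansible_ssh_private_key_file), and lists the hosts for which the config turned host-key checking off. The sample config is constructed from the one in the thread; the extra Host block, its user and its port are assumptions. For real use prefer paramiko's own paramiko.SSHConfig, which covers more of the syntax than this parser does.

```python
import fnmatch

# Constructed sample mirroring the /root/.ssh/config posted above; the first
# Host block, its user and its port are assumptions added so that first-match
# precedence and a per-host override are visible.
SAMPLE_SSH_CONFIG = """\
Host 192.168.100.148
    User deploy
    Port 2222
    IdentityFile ~/.ssh/id_rsa_mgmt

Host 192.168.*
    StrictHostKeyChecking=no
    IdentityFile ~/.ssh/id_rsa_compute
"""

# ssh_config keyword -> Ansible 1.x inventory host variable
ANSIBLE_VARS = {
    "user": "ansible_ssh_user",
    "port": "ansible_ssh_port",
    "identityfile": "ansible_ssh_private_key_file",
}


def parse_ssh_config(text):
    """Return [(host_patterns, options), ...] in file order.

    Accepts both 'Keyword value' and 'Keyword=value', strips comments and
    lower-cases keywords (ssh_config keywords are case-insensitive). Options
    that precede the first Host line apply to every host. IdentityFile is
    kept as a list because ssh tries every one it collects."""
    blocks, patterns, options = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        elif key == "identityfile":
            options.setdefault("identityfile", []).append(value)
        else:
            options[key] = value
    blocks.append((patterns, options))
    return blocks


def lookup(blocks, host):
    """Resolve options for one host the way ssh(1) does: every matching Host
    block contributes, but the first value seen for a keyword wins, and
    IdentityFile entries accumulate. Patterns use * and ? as in ssh_config;
    negated (!) patterns are not handled here."""
    result = {}
    for patterns, options in blocks:
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in options.items():
            if key == "identityfile":
                result.setdefault("identityfile", []).extend(value)
            else:
                result.setdefault(key, value)
    return result


def inventory_line(blocks, host):
    """Render one inventory line with the resolved settings as host variables,
    so they apply whether Ansible connects via ssh or via paramiko. Ansible
    takes a single key file; the first IdentityFile (ssh's first try) is used."""
    opts = lookup(blocks, host)
    parts = [host]
    for key, var in ANSIBLE_VARS.items():
        if key in opts:
            value = opts[key][0] if key == "identityfile" else opts[key]
            parts.append("%s=%s" % (var, value))
    return " ".join(parts)


def hosts_without_hostkey_checking(blocks, hosts):
    """Security check: hosts whose config sets StrictHostKeyChecking=no. Such
    hosts accept any server key on first contact and still connect (with only
    a warning) when a recorded key changes, so a spoofed node goes unnoticed."""
    return [h for h in hosts
            if lookup(blocks, h).get("stricthostkeychecking", "").lower() == "no"]


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_SSH_CONFIG)
    hosts = ["192.168.100.147", "192.168.100.148", "10.0.0.1"]
    print("[compute]")
    for h in hosts:
        print(inventory_line(cfg, h))
    print("# host-key checking disabled for:",
          ", ".join(hosts_without_hostkey_checking(cfg, hosts)))
```

The generated lines drop straight into the [compute] group of the inventory, and the same variables can be set once for the whole group under [compute:vars]. On the host-key point: a kickstart that already places the node's authorized key on the compute side can just as well append each node's host public key to the management node's known_hosts, after which StrictHostKeyChecking=no is unnecessary; note that for Ansible the equivalent knob is host_key_checking in ansible.cfg, which applies to both transports.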