I am running Ansible modules/playbooks (for example ping) with this command, as a user who has sudo rights:

sudo ansible -m ping hosts

"hosts" is a group of 2 hosts. When I run this, I'm asked for the local sudo password, which is fine. Then I'm asked for sudo on the remote host (because I configured that in ansible.cfg), which is also fine. Then I have to enter the passphrases for both hosts, and this is where I have the problem. I am asked literally like this, on one line:

Enter passphrase for key '/home/myuser/.ssh/id_rsa':Enter passphrase for key '/home/myuser/.ssh/id_rsa':

So I enter my passphrase absolutely right (copied from KeePass) and press Enter. And I am asked for the passphrase again, now only once:

Enter passphrase for key '/home/myuser/.ssh/id_rsa':

So I enter it again... and I am asked again, and so on, until ssh dies and the hosts are unreachable. The weird thing is that sometimes I can make it work just by pressing Enter on the first try, then entering the passphrase, and the second host suddenly works. When I run it one more time I am asked for the passphrase just once (for the host that failed before); I enter the passphrase and now it's working... I'm like, what the hell?

Is this a bug in Ansible, or am I doing something wrong? If I just ssh to my hosts it works absolutely fine. I tried running my ansible commands with more verbosity and didn't find anything wrong there. Any ideas?

helloweenx
  • Are you using the passphrase for the `ssh` private key (which your system is asking)? Or the remote server user password? If you press just _Enter_ at the pass**phrase** request then it asks for a pass**word** and it works? – Daniele Santi Sep 21 '18 at 14:17
  • I am using the right passphrase for the SSH private key. Nope, it won't ask me for a password; after a few tries at the passphrase ssh just fails to connect – helloweenx Sep 26 '18 at 11:28

3 Answers

2

First, you don't need sudo locally to run that command. So save yourself sudo'ing locally for no reason.

Next, you don't need a password to ping the target. This will suffice:

$ ansible all -i /tmp/hosts2ping -m ping

...where hosts2ping contains your list of hosts.

If you're doing something on remote that needs you to login as non-root, then you'll need to specify -k (or add 'ask_pass = True' to ~/ansible.cfg):

$ ansible all -i /tmp/hosts2ping -a id -k
SSH password: <enter password>
10.1.2.3 | SUCCESS | rc=0 >> uid=nnnn<non-root-account>.....

...but it should only prompt once for all hosts.

If you need to do a root task, use -Kb too...

$ ansible all -i /tmp/hosts2ping -a id -k -Kb
SSH password: <enter password>
SUDO password[defaults to SSH password]: <RETURN>
10.1.2.3 | SUCCESS | rc=0 >> uid=0(root).....

If your ssh key is deployed on target, load it into ssh-agent and you won't need -k...

$ ssh-add
Enter passphrase for .ssh/id_rsa:
identity added: .ssh/id_rsa

$ ansible all -i /tmp/hosts2ping -a id   # -k not needed
10.1.2.3 | SUCCESS | rc=0 >> uid=nnnn<non-root-account>.....

...ssh-agent does all the work.

You'll still need -Kb if doing root stuff on the remote, but you won't get prompted for the non-root password (as ssh-agent handles that)...

$ ansible all -i /tmp/hosts2ping -a id -Kb   # -k not needed
SUDO password[defaults to SSH password]: <RETURN>
10.1.2.3 | SUCCESS | rc=0 >> uid=0(root).....

EDIT: Usually, sudo simply allows your non-root account to 'set user' as another, usually root itself. So, you're su'ing into the shared account to do privileged stuff? That should still work. Just change the 'become' options to specify the shared account (instead of defaulting to root), example:

$ ansible all -i /tmp/hosts2ping -a id -k -Kb --become-user=<shared-account>
SSH password: <enter password>
SUDO password[defaults to SSH password]: <RETURN>
10.1.2.3 | SUCCESS | rc=0 >> uid=43526(<shared-account>).....
  • I actually need to sudo in the ansible command. In our organization every administrator uses their own account to log in to the ansible control machine and uses one shared account to SSH and do sudo stuff on the remotes. So I sudo to have rights to the shared account's SSH private key. Not really sure if this way is best practice... – helloweenx Sep 24 '18 at 06:23
  • ...added an EDIT above to reply to this. Can't seem to format these comment replies?? – Jon McClelland Sep 24 '18 at 08:34
  • Yeah, you can format these replies only with mini-Markdown formatting... No, I just need to have rights over /home/sharedSSHaccount/.ssh/id_rsa so my own user can use this SSH key to authenticate to the remote server with the public key. I have configured remote_user=sharedSSHaccount in ansible.cfg so every SSH connection is made with this account... Hopefully I wrote this right so you can understand it ;-) Thank you! – helloweenx Sep 25 '18 at 14:13
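The answer above expresses everything as command-line flags; the same settings can live in ansible.cfg, which also makes the asker's symptom easier to reason about. Ansible runs one ssh process per host concurrently (five forks by default), and with a passphrase-protected key that is not in an agent, each of those ssh processes prompts on the same terminal, which is exactly the doubled "Enter passphrase" line the question shows. The following ansible.cfg is an added example, not the asker's file or anything from the thread's authors: the account name and key path are the ones quoted in the thread, the inventory path is assumed, and the only inline values are the defaults that matter here.

```ini
# Added example ansible.cfg (not the asker's actual configuration).
[defaults]
# Inventory path is an assumption for this example.
inventory = /tmp/hosts2ping
# Every SSH connection is made as the shared account, as the asker describes.
remote_user = sharedSSHaccount
# The shared account's key is only readable via sudo in the asker's setup, so
# leave this unset and load the key into ssh-agent once instead of naming it here.
# private_key_file = /home/sharedSSHaccount/.ssh/id_rsa
# Default is 5: one ssh process per host runs concurrently and each one prompts
# for the passphrase on the same tty. Setting forks = 1 temporarily serialises
# them (one clean prompt per host) and is a quick way to confirm that diagnosis.
forks = 5
# Equivalent of -k (prompt for the SSH password). Not needed with a key in the agent.
ask_pass = False

[privilege_escalation]
# Equivalent of -b
become = True
become_method = sudo
# Default target of become; use the shared account here if tasks must run as it
# (the --become-user flag from the answer above).
become_user = root
# Equivalent of -K: prompt once for the remote sudo password.
become_ask_pass = True
```

With this file in place, `ansible all -m ping` needs no flags at all; the remaining prompt is the single sudo password prompt from become_ask_pass, which Ansible asks for once before connecting rather than per host.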
0

I had this problem when I was trying to use Ansible through a bastion host (jumpbox). What fixed it was:

yum update

0

One option would be to add your key to the ssh-agent using ssh-add. That way you won't get this anymore.

AHT
  • Yeah, I thought about that too, but the problem still persists that the SSH key I want to add to the agent is not my user's key but the one from the shared account, and I don't have rights to access it without sudo, and you can't just go "sudo ssh-agent" – helloweenx Sep 25 '18 at 06:08
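The comment above is right that `sudo ssh-agent` does not help, because the agent has to belong to the admin's own session. What does work is keeping the agent in the admin's session and feeding it the key through sudo: `ssh-add -` reads a private key from standard input, so `sudo cat` can hand the key over without the admin's account ever needing read permission on the file and without a copy landing on disk. The passphrase is then typed once, to ssh-add, instead of once per ssh process that Ansible forks. The script below is an added example written for this thread, not code from the answerers; it assumes the key path quoted in the thread, that the matching `.pub` file sits beside it, and that the admin may read both via sudo as the asker describes.

```bash
#!/usr/bin/env bash
# Added example, not from the thread's answers. Assumptions (constructed for illustration):
#   KEY      - the shared account's private key, path quoted from the thread
#   KEY.pub  - its public half exists beside it (standard ssh-keygen layout)
#   sudo     - the calling admin may read the key via sudo, as the asker describes
set -eu

KEY="${KEY:-/home/sharedSSHaccount/.ssh/id_rsa}"

# Pure helper so the "already loaded?" check can be tested without an agent:
# does the text of an `ssh-add -l` listing contain the given fingerprint?
key_in_listing() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# `ssh-add -l` exits 0 with keys loaded, 1 with an empty agent, 2 when no agent is reachable.
ensure_agent() {
    local rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then
        # Agent for this shell session only; nothing is run as root here.
        eval "$(ssh-agent -s)" >/dev/null
    fi
}

# Load the shared key exactly once. The passphrase is typed here, to ssh-add,
# instead of to each ssh process Ansible forks (one per host, all sharing the tty).
load_shared_key() {
    local fp listing
    # Fingerprint from the public half, so no passphrase is needed to compute it.
    fp="$(sudo ssh-keygen -lf "$KEY.pub" | awk '{print $2}')"
    listing="$(ssh-add -l 2>/dev/null || true)"
    if key_in_listing "$listing" "$fp"; then
        echo "shared key already in agent ($fp)"
        return 0
    fi
    # ssh-add reads a key from stdin when given "-"; the private key is never
    # copied into a file the admin's own account can read.
    sudo cat "$KEY" | ssh-add -
}

# Usage: ./agent-then-ansible.sh --run <inventory> [extra ansible args...]
if [ "${1:-}" = "--run" ]; then
    shift
    inventory="$1"; shift
    ensure_agent
    load_shared_key
    # remote_user=sharedSSHaccount is set in ansible.cfg as the asker describes.
    # No -k: the agent answers the key challenge. Add -Kb only for sudo on the remote.
    ansible all -i "$inventory" -m ping "$@"
fi
```

Run it as `./agent-then-ansible.sh --run /tmp/hosts2ping` (append `-Kb` for tasks that need root on the remote). Because the key is unlocked once in the agent, a second run in the same shell does not prompt at all; and since the admin still authenticates to sudo to read the key, the local sudo log keeps a per-admin record of who loaded the shared credential, which the original `sudo ansible` workflow also gave you but with the whole Ansible run needlessly executing as root.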