Ansible - Change SSH user during playbook execution

Question

I'm new to ansible, maybe someone can help me with this configuration. I have an inventory of multiple servers. SSH access to these servers is secured using PEM key files.

I have a playbook and want to change the ansible ssh user (default devops) to root if user devops on the remote host not exists. The root access should be done by using username and password.

This is my playbook:

- name: Deploy "devops" user on my_new_hosts
  hosts: my_new_hosts
  gather_facts: false

tasks: 
  - name: Test User "devops"
    local_action: "command ssh -q -o BatchMode=yes -o ConnectTimeout=3 {{ inventory_hostname }} 'echo ok'"
    register: test_devops
    ignore_errors: true
    changed_when: false

  - name: Create User "devops"
    remote_user: "{{ test_devops | success | ternary(omit, 'root') }}"
    user:
      name: "devops"
      update_password: on_create
      groups: "sudo"
      append: yes
      shell: "/bin/bash"
      skeleton: "/etc/skel"
      create_home: yes

I followed the instructions regarding in this post : Ansible: Check if my user exists on remote host, else use root user to connect with ssh

I'm using local ssh-agent for keeping my password for user devops. How is it possible to force the ask_pass command for root?

    TASK [Create User "devops"] ****************************************************
    task path: /etc/ansible/playbooks/cms_deploy_user_devops_with_root.yml:13
    Using module file /usr/lib/python2.7/dist-packages/ansible/modules/core/system/user.py
    <my-host> ESTABLISH SSH CONNECTION FOR USER: root
    <my-host> SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/devops/.ansible/cp/ansible-ssh-%h-%p-%r my-host '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1529062422.28-123292817615678 `" && echo ansible-tmp-1529062422.28-123292817615678="` echo ~/.ansible/tmp/ansible-tmp-1529062422.28-123292817615678 `" ) && sleep 0'"'"''
    fatal: [my-host]: UNREACHABLE! => {
        "changed": false,
        "unreachable": true
    }

    MSG:

    Failed to connect to the host via ssh: OpenSSH_7.4p1 Raspbian-10+deb9u3, OpenSSL 1.0.2l  25 May 2017
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: auto-mux: Trying existing master
    debug1: Control socket "/home/devops/.ansible/cp/ansible-ssh-my-host-22-root" does not exist
    debug2: resolving "my-host" port 22
    debug2: ssh_connect_direct: needpriv 0
    debug1: Connecting to my-host [192.168.xx.xx] port 22.
    debug2: fd 3 setting O_NONBLOCK
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug3: timeout: 10000 ms remain after connect
    debug1: identity file /home/devops/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/devops/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10
    debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.10 pat OpenSSH_6.6.1* compat 0x04000000
    debug2: fd 3 setting O_NONBLOCK
    debug1: Authenticating to my-host:22 as 'root'
    debug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:5
    debug3: load_hostkeys: loaded 1 keys from my-host
    debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
    debug3: send packet: type 20
    debug1: SSH2_MSG_KEXINIT sent
    debug3: receive packet: type 20
    debug1: SSH2_MSG_KEXINIT received
    debug2: local client KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
    debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
    debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
    debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
    debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
    debug2: compression ctos: zlib@openssh.com,zlib,none
    debug2: compression stoc: zlib@openssh.com,zlib,none
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug2: peer server KEXINIT proposal
    debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: host key algorithms: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
    debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: MACs ctos: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: MACs stoc: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: compression ctos: none,zlib@openssh.com
    debug2: compression stoc: none,zlib@openssh.com
    debug2: languages ctos:
    debug2: languages stoc:
    debug2: first_kex_follows 0
    debug2: reserved 0
    debug1: kex: algorithm: curve25519-sha256@libssh.org
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
    debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: zlib@openssh.com
    debug3: send packet: type 30
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug3: receive packet: type 31
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:frX/+3pJF0LBtAnLE0j3rIbXOC/bGIsUflTcwQWBrHA
    debug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:5
    debug3: load_hostkeys: loaded 1 keys from my-host
    debug3: hostkeys_foreach: reading file "/home/devops/.ssh/known_hosts"
    debug3: record_hostkey: found key type ECDSA in file /home/devops/.ssh/known_hosts:6
    debug3: load_hostkeys: loaded 1 keys from 192.168.xx.xx
    debug1: Host 'my-host' is known and matches the ECDSA host key.
    debug1: Found key in /home/devops/.ssh/known_hosts:5
    debug3: send packet: type 21
    debug2: set_newkeys: mode 1
    debug1: rekey after 134217728 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug3: receive packet: type 21
    debug1: SSH2_MSG_NEWKEYS received
    debug2: set_newkeys: mode 0
    debug1: rekey after 134217728 blocks
    debug2: key: /home/devops/.ssh/id_rsa (0x1d17d58), agent
    debug2: key: /home/devops/.ssh/id_dsa ((nil))
    debug2: key: /home/devops/.ssh/id_ecdsa ((nil))
    debug2: key: /home/devops/.ssh/id_ed25519 ((nil))
    debug3: send packet: type 5
    debug3: receive packet: type 6
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug3: send packet: type 50
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/devops/.ssh/id_rsa
    debug3: send_pubkey_test
    debug3: send packet: type 50
    debug2: we sent a publickey packet, wait for reply
    debug3: receive packet: type 51
    debug1: Authentications that can continue: publickey,password
    debug1: Trying private key: /home/devops/.ssh/id_dsa
    debug3: no such identity: /home/devops/.ssh/id_dsa: No such file or directory
    debug1: Trying private key: /home/devops/.ssh/id_ecdsa
    debug3: no such identity: /home/devops/.ssh/id_ecdsa: No such file or directory
    debug1: Trying private key: /home/devops/.ssh/id_ed25519
    debug3: no such identity: /home/devops/.ssh/id_ed25519: No such file or directory
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey,password).

Can someone help me or explain where my fallacy is?

Can you launch the same command with the option -vvvv for more output? — , Jun 14 '18 at 19:13
I edited my question and pasted the additonal debug output (-vvvv). — thomas tugend, Jun 15 '18 at 12:07

score 0 · Answer 1 · answered Jun 15 '18 at 14:04

0

It's issue with your SSH-Keys.

You must correctly add your public / private keys.

debug3: no such identity: /home/devops/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/devops/.ssh/id_ecdsa
debug3: no such identity: /home/devops/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/devops/.ssh/id_ed25519
debug3: no such identity: /home/devops/.ssh/id_ed25519: No such file or directory

Please add the key to your agent using:

ssh-add

answered Jun 15 '18 at 14:04

1

Thank you @wrogrammer , but this is not the issue. My user _devops_ is proper working with _ssh-agent_ . I want to switch to user _root_ with _ssh_, _username_ and _password_ (without cert) if user _devops_ not exists on the new remote host. – thomas tugend Jun 15 '18 at 15:43
Can I know reason to do this? – Jun 15 '18 at 23:56
I want to switch to root, if no other sudo-user on the remote host exists, to create one. In case the host is brand new there is no keyfile for the root user. Therefore username and password. – thomas tugend Jun 16 '18 at 13:46
I think it's workaround. Why in remote machine you dont create new user with specific permissions ? – Jun 16 '18 at 14:51

score 0 · Answer 2 · answered Jul 16 '23 at 20:57

Setting a remote user

By default, Ansible connects to all remote devices with the user name you are using on the control node. If that user name does not exist on a remote device, you can set a different user name for the connection. If you just need to do some tasks as a different user, look at Understanding privilege escalation: become. You can set the connection user in a playbook:
---
- name: update webservers
  hosts: webservers
  remote_user: admin

  tasks:
  - name: thing to do first in this playbook
  . . .

Source: docs.ansible.com

Ansible - Change SSH user during playbook execution

2 Answers2

Setting a remote user