It is not specifically documented other than the code itself: https://github.com/ansible/ansible/blob/d3c28fee8739c93821d4f639b2931f5a3592eb8e/lib/ansible/runner/connection_plugins/ssh.py#L90-L92
It was added in: https://github.com/ansible/ansible/commit/d703f920775e8877b1fb9e2ae750a23bcc7e9534 Which dates the change back to v0.9 My recommendation is to not put ansible_ssh_pass in your inventory. Instead just specify it as an argument (-k) on the command line the first time you bootstrap a machine. That is what we do, and it seems to work out pretty well. On Wed, Nov 5, 2014 at 3:22 PM, David Reagan <[email protected]> wrote: > Is that documented? I don't see it here: > http://docs.ansible.com/intro_inventory.html#list-of-behavioral-inventory-parameters > > Any explanations on why? It seems counter intuitive to me. I would think > we'd always want to use pubkey auth, and only use password auth if pubkey > isn't available. > > --David Reagan > > On Wed, Nov 5, 2014 at 1:08 PM, Matt Martz <[email protected]> wrote: > >> If you have ansible_ssh_pass set, ansible explicitly sets "-o >> PubkeyAuthentication=no" which disables the use of SSH public key auth. >> >> On Wed, Nov 5, 2014 at 2:35 PM, David Reagan <[email protected]> wrote: >> >>> When I'm first setting up a vm, I need to set which user to use and the >>> ssh and sudo passwords. >>> >>> So, my host file looks something like: >>> >>> [apache] >>>> 192.168.77.2 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant >>>> ansible_sudo_pass=vagrant >>>> [mysql] >>>> 192.168.77.3 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant >>>> ansible_sudo_pass=vagrant >>>> >>> >>> The initial setup includes configuring ssh to use sshkey auth, block >>> password auth, and adds my ssh pub key to the vagrant user. >>> >>> After that first run, my playbooks fail. >>> >>> >>> ansible-playbook -i provisioning/vagrant.ansible.hosts --sudo >>>> --limit="192.168.77.3" provisioning/play.testowncloud.yml >>>> >>>> PLAY [apache] >>>> ***************************************************************** >>>> skipping: no hosts matched >>>> >>>> PLAY [mysql] >>>> ****************************************************************** >>>> >>>> GATHERING FACTS >>>> *************************************************************** >>>> fatal: [192.168.77.3] => SSH encountered an unknown error during the >>>> connection. We recommend you re-run the command using -vvvv, which will >>>> enable SSH debugging output to help diagnose the issue >>>> >>>> TASK: [aspects_mysql_server | include_vars {{ ansible_os_family }}.yml] >>>> ******* >>>> FATAL: no hosts matched or all hosts have already failed -- aborting >>>> >>>> >>>> PLAY RECAP >>>> ******************************************************************** >>>> to retry, use: --limit >>>> @/home/localuser/play.testowncloud.retry >>>> >>>> 192.168.77.3 : ok=0 changed=0 unreachable=1 >>>> failed=0 >>>> >>> >>> >>> If I remove the *ansible_ssh_pass* variable from my hosts file, it >>> starts working. >>> >>> Why is that? Shouldn't having the *ansible_ssh_pass* set not matter? >>> >>> >>> In case it's useful, my /etc/ssh/sshd_config: >>> >>> # See the sshd_config(5) manpage for details on what options you can set. >>>> Protocol 2 >>>> HostKey /etc/ssh/ssh_host_dsa_key >>>> HostKey /etc/ssh/ssh_host_ecdsa_key >>>> UsePrivilegeSeparation yes >>>> AcceptEnv LANG LC_* >>>> HostKey /etc/ssh/ssh_host_rsa_key >>>> Port 22 >>>> PubkeyAuthentication yes >>>> ServerKeyBits 768 >>>> PrintMotd no >>>> AllowUsers otherusers localuser vagrant >>>> PrintLastLog yes >>>> HostbasedAuthentication no >>>> LoginGraceTime 120 >>>> SyslogFacility AUTH >>>> X11DisplayOffset 10 >>>> IgnoreRhosts yes >>>> PasswordAuthentication no >>>> TCPKeepAlive yes >>>> KeyRegenerationInterval 3600 >>>> UsePAM yes >>>> LogLevel INFO >>>> RhostsRSAAuthentication no >>>> PermitEmptyPasswords no >>>> PermitRootLogin no >>>> Subsystem sftp /usr/lib/openssh/sftp-server >>>> X11Forwarding yes >>>> RSAAuthentication yes >>>> ChallengeResponseAuthentication no >>>> >>> >>> Both desktop and vm are Ubuntu 14.04. Using ansible devel branch current >>> as of a couple weeks ago. >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Project" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To post to this group, send email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-project/7bcee974-eaf4-487d-b97f-a6f897395784%40googlegroups.com >>> <https://groups.google.com/d/msgid/ansible-project/7bcee974-eaf4-487d-b97f-a6f897395784%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> >> >> -- >> Matt Martz >> @sivel >> sivel.net >> >> -- >> You received this message because you are subscribed to a topic in the >> Google Groups "Ansible Project" group. >> To unsubscribe from this topic, visit >> https://groups.google.com/d/topic/ansible-project/AqMAoVRd6EM/unsubscribe >> . >> To unsubscribe from this group and all its topics, send an email to >> [email protected]. >> To post to this group, send email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/ansible-project/CAD8N0v_n96QpoJtek%2BTW1Yc%2BNAMCaCoa%3Dd3s0Y8Zp3YyoXSLcA%40mail.gmail.com >> <https://groups.google.com/d/msgid/ansible-project/CAD8N0v_n96QpoJtek%2BTW1Yc%2BNAMCaCoa%3Dd3s0Y8Zp3YyoXSLcA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> >> For more options, visit https://groups.google.com/d/optout. >> > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/CANo%2B_AfTJQWFOeB%2BCUW2XFWW16Yf44uYe-XJSLRxO7K1v09WFw%40mail.gmail.com > <https://groups.google.com/d/msgid/ansible-project/CANo%2B_AfTJQWFOeB%2BCUW2XFWW16Yf44uYe-XJSLRxO7K1v09WFw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > > For more options, visit https://groups.google.com/d/optout. > -- Matt Martz @sivel sivel.net -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAD8N0v-syB0Ae9j9zS6X%2Bx6xA4u26y_w8pbWg8G923U4YqknLA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
