Thanks for looking. There are too many current processes dependent on passwords that I'm migrating to Ansible - while converting to keys is partly underway, it won't be complete for a while.
There's also a second bootstrapping problem. I'm using Ansible to run baremetal bringup scripts on Xen hosts (doing double duty as the jumpbox/bastion host above) which in turn creates the VMs from an image. I cannot bake keys into the image and need to get them on there after they boot up. Hence - a chicken and egg problem. How would I get the keys onto the VMs? Xen hosts have numerous problems running Ansible scripts directly because they run an old version of Python - so I don't think I can call the authorized_key module on the host and have it inject them into the VMs. The action would need to be triggered outside in a machine/vm that supports Ansible - which in turn would need to tunnel into the VMs to do just this - hence chicken and egg.

Ultimately, the key pairs would be created and injected into the images instead of the passwords we do today - but as I mention above, this won't be for a while.

On Friday, February 13, 2015 at 5:05:38 PM UTC-6, Michael Peters wrote:
>
> Not the answer you're looking for, but why don't you just use ssh
> keys? It's some minor work upfront with huge security and automation
> benefits easier.
>
> On Fri, Feb 13, 2015 at 3:51 PM, Ananda Debnath
> <[email protected]> wrote:
> > Does anyone know of an example to do this using password authentication?
> >
> > My inventory file has ansible_ssh_user and ansible_ssh_pass values set and
> > my ssh config file has password authentication set to yes.
> >
> > my.ssh.config
> >
> > Host 56.66.3.10
> >   User king
> >   HostName 56.66.3.10
> >   ProxyCommand none
> >   BatchMode yes
> >   PasswordAuthentication yes
> >
> > # Also tried ssh -aY [email protected] 'nc -w 14400 %h %p'
> > Host *
> >   ServerAliveInterval 60
> >   TCPKeepAlive yes
> >   ProxyCommand ssh -AY [email protected] 'nc -w 14400 %h %p'
> >   ControlMaster auto
> >   ControlPath ~/.ssh/mux-%r@%h:%p
> >   ControlPersist 15s
> >   PasswordAuthentication yes
> >
> > But this isn't helping. I have a test role that applies to 56.66.3.10 first
> > and then other roles to the ones behind the bastion - redis-vm, etc. Neither
> > the bastion nor the vms behind it will let me through with passwords.
> >
> > The ansible.cfg file looks like:
> > [defaults]
> > host_key_checking = False
> > # Tried both with and without this
> > transport=ssh
> >
> > [ssh_connection]
> > ssh_args = -F my.ssh.config
> > scp_if_ssh = True
> > control_path = ~/.ssh/mux-%%r@%%h:%%p
> >
> > The tail of the bastion login failure reads:
> >
> > debug2: key: /home/adebnath/.ssh/id_rsa ((nil)),
> > debug2: key: /home/adebnath/.ssh/id_dsa ((nil)),
> > debug2: key: /home/adebnath/.ssh/id_ecdsa ((nil)),
> > debug2: key: /home/adebnath/.ssh/id_ed25519 ((nil)),
> > debug1: Authentications that can continue: publickey,password
> > debug3: start over, passed a different list publickey,password
> > debug3: preferred
> > debug1: No more authentication methods to try.
> > Permission denied (publickey,password).
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Ansible Project" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > To post to this group, send email to [email protected].
> > To view this discussion on the web visit
> > https://groups.google.com/d/msgid/ansible-project/c776ec2d-c640-4e2e-bb50-ecbd24548673%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
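
Added example, not part of the original thread or of Ansible: a small Python check that resolves the effective ssh options for a host from a config like the one quoted above (ssh keeps the first value obtained per keyword) and flags settings under which OpenSSH never attempts password authentication. The function names and the `user@bastion.example` placeholder are assumptions; the parser assumes whitespace-separated keyword/value lines and ignores `Match` and `Include`.

```python
import fnmatch

# Constructed sample based on the Host blocks quoted in the thread; the elided
# bastion login is replaced by the placeholder user@bastion.example.
SAMPLE_CONFIG = """\
Host 56.66.3.10
  User king
  ProxyCommand none
  BatchMode yes
  PasswordAuthentication yes
Host *
  ProxyCommand ssh -AY user@bastion.example 'nc -w 14400 %h %p'
  PasswordAuthentication yes
"""

def host_matches(patterns, host):
    """A Host line applies if a positive pattern matches and no negated one does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective_options(config_text, host):
    """Resolve options for host; ssh keeps the first value obtained per keyword."""
    options, applies = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            applies = host_matches(value.split(), host)
        elif applies:
            options.setdefault(keyword, value)
    return options

def password_auth_findings(config_text, host):
    """List effective settings that stop ssh from attempting password login."""
    opts = effective_options(config_text, host)
    findings = []
    if opts.get("batchmode", "no").lower() == "yes":
        findings.append("BatchMode yes: prompts disabled, password auth is skipped")
    if opts.get("passwordauthentication", "yes").lower() == "no":
        findings.append("PasswordAuthentication no")
    return findings

if __name__ == "__main__":
    for h in ("56.66.3.10", "redis-vm"):
        print(h, password_auth_findings(SAMPLE_CONFIG, h))
```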
