I did manage to get it to work - but it's really ugly :/ I had to change the ProxyCommand directive in the ssh config for the wildcard section to:

ProxyCommand sshpass -p 'reallybadpassword' ssh -A [email protected] 'nc -w 14400 %h %p'

I guess Ansible has no way of overriding the ProxyCommand specified in the ssh_config file in order to use sshpass with the password specified in the inventory file?

On Saturday, February 14, 2015 at 10:10:11 AM UTC-6, Ananda Debnath wrote:
>
> Thanks for looking.
>
> There are too many current processes dependent on passwords that I'm
> migrating to Ansible - while converting to keys is partly underway, it
> won't be complete for a while.
>
> There's also a second bootstrapping problem. I'm using Ansible to run
> baremetal bringup scripts on xen hosts (doing double duty as the
> jumpbox/bastion host above) which in turn creates the VM's from an image. I
> cannot bake keys into the image and need to get them on there after they
> boot up. Hence - a chicken and egg problem. How would I get the keys onto
> the VMs? Xen hosts have numerous problems running Ansible scripts directly
> because they run an old version of Python - so I don't think I can call the
> authorized_key module on the host and have it inject them into the VMs. The
> action would need to be triggered outside in a machine/vm that supports
> Ansible - which in turn would need to tunnel into the VMs to do just this -
> hence chicken and egg.
>
> Ultimately, the key pairs would be created and injected into the images
> instead of the passwords we do today - but as I mention above, this won't
> be for a while.
>
> On Friday, February 13, 2015 at 5:05:38 PM UTC-6, Michael Peters wrote:
>>
>> Not the answer you're looking for, but why don't you just use ssh
>> keys? It's some minor work upfront with huge security and automation
>> benefits easier.
>>
>> On Fri, Feb 13, 2015 at 3:51 PM, Ananda Debnath <[email protected]> wrote:
>> > Does anyone know of an example to do this using password authentication?
>> >
>> > My inventory file has ansible_ssh_user and ansible_ssh_pass values set and
>> > my ssh config file has password authentication set to yes.
>> >
>> > my.ssh.config
>> >
>> > Host 56.66.3.10
>> >     User king
>> >     HostName 56.66.3.10
>> >     ProxyCommand none
>> >     BatchMode yes
>> >     PasswordAuthentication yes
>> >
>> > # Also tried ssh -aY [email protected] 'nc -w 14400 %h %p'
>> > Host *
>> >     ServerAliveInterval 60
>> >     TCPKeepAlive yes
>> >     ProxyCommand ssh -AY [email protected] 'nc -w 14400 %h %p'
>> >     ControlMaster auto
>> >     ControlPath ~/.ssh/mux-%r@%h:%p
>> >     ControlPersist 15s
>> >     PasswordAuthentication yes
>> >
>> > But this isn't helping. I have a test role that applies to 56.66.3.10 first
>> > and then other roles to the ones behind the bastion - redis-vm, etc. Neither
>> > the bastion nor the vms behind it will let me through with passwords.
>> > The ansible.cfg file looks like:
>> > [defaults]
>> > host_key_checking = False
>> > # Tried both with and without this
>> > transport=ssh
>> >
>> > [ssh_connection]
>> > ssh_args = -F my.ssh.config
>> > scp_if_ssh = True
>> > control_path = ~/.ssh/mux-%%r@%%h:%%p
>> >
>> > The tail of the bastion login failure reads:
>> >
>> > debug2: key: /home/adebnath/.ssh/id_rsa ((nil)),
>> > debug2: key: /home/adebnath/.ssh/id_dsa ((nil)),
>> > debug2: key: /home/adebnath/.ssh/id_ecdsa ((nil)),
>> > debug2: key: /home/adebnath/.ssh/id_ed25519 ((nil)),
>> > debug1: Authentications that can continue: publickey,password
>> > debug3: start over, passed a different list publickey,password
>> > debug3: preferred
>> > debug1: No more authentication methods to try.
>> > Permission denied (publickey,password).
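An added example, not part of the thread: a small audit that flags ssh_config files carrying the workaround above, where `sshpass -p` leaves a literal password in a ProxyCommand line (readable in the file and in the process list while the proxy runs). The function names, the sample config and the `user@bastion.example` host are constructed for illustration; `-f`, `-d`, `-e` and `-P` are sshpass's other documented options.

```python
import re
import shlex

# ssh_config accepts both "Keyword value" and "Keyword=value"
DIRECTIVE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")

def _uses_inline_password(args):
    """Walk sshpass's own options; True if -p (separate or attached) is among them."""
    i = 0
    while i < len(args) and args[i].startswith("-"):
        if args[i].startswith("-p"):
            return True
        # -f FILE, -d FD and -P PROMPT consume the following token
        i += 2 if args[i] in ("-f", "-d", "-P") else 1
    return False

def find_inline_sshpass(config_text):
    """Return (line_number, host_pattern) for each ProxyCommand using sshpass -p."""
    findings = []
    host = "(global)"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        m = DIRECTIVE.match(raw.strip())
        if not m:  # blank lines and "#" comments do not match
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):
            host = value
        elif keyword == "proxycommand":
            try:
                tokens = shlex.split(value)
            except ValueError:  # unbalanced quotes: fall back to a plain split
                tokens = value.split()
            for i, tok in enumerate(tokens):
                if tok.rsplit("/", 1)[-1] == "sshpass" and _uses_inline_password(tokens[i + 1:]):
                    findings.append((lineno, host))
                    break
    return findings

# Constructed sample modelled on the config quoted in the thread
SAMPLE = """\
Host 56.66.3.10
    User king
    ProxyCommand none

Host via-file
    ProxyCommand sshpass -f ~/.ssh/bastion.pass ssh -A user@bastion.example 'nc -w 14400 %h %p'

# ProxyCommand sshpass -p 'old' ssh -A user@bastion.example 'nc -w 14400 %h %p'
Host *
    ServerAliveInterval 60
    ProxyCommand sshpass -p 'reallybadpassword' ssh -A user@bastion.example 'nc -w 14400 %h %p'
"""

if __name__ == "__main__":
    for lineno, host in find_inline_sshpass(SAMPLE):
        print(f"line {lineno}: Host {host}: sshpass -p with a literal password in ProxyCommand")
```

The `-f` and `-e` forms are not flagged because the password then lives in a separate file or the `SSHPASS` environment variable rather than in the config line itself.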
