I am having a similar problem to Jason's example. Using ansible version
1.8.4 installed via brew on an OS X 10.10.2 machine, ansible is only able to
access machines that have root ssh login enabled, and only if I use the -k
option in ansible. Using the -k option, ansible logs in as root and works. If I
try a different user using the -u option on the ansible command line, it is
ignored. I tried the -c ssh suggestion of Matt; no difference for the
passwordless attempt. Ansible does ask for another program to be installed
if you use -c ssh -k; I did not go down this path, as entering a
password is not my goal. The following playbook works and shows that the remote
user is root if I use the -k option; the playbook will fail with a similar log to
Jason's above with no -k:

---
- hosts: ubuntu14
  gather_facts: False
  tasks:
    - name: who am i
      command: whoami
      register: catout
    - debug: var=catout.stdout_lines

I am able to use this paramiko 1.15.2 python code both as root and nonroot
user to connect to this same Ubuntu 14.04 machine from OS X:
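
import paramiko

ssh = paramiko.SSHClient()
# Load host keys from the user's known_hosts file
ssh.load_system_host_keys()
# AutoAddPolicy accepts any unknown host key without verification
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect('ubuntu14', username='user', password='password')
# Run the same command as the playbook and read its output
stdin, stdout, stderr = ssh.exec_command('whoami')
stdout.readlines()
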
Note: I have to use
set_missing_host_key_policy(paramiko.AutoAddPolicy()) to get the code to
run, solving a 'not found in known_hosts' error that seems to have been known
about paramiko for some time.
I am a total n00b to ansible.
-vvvv output for the following execution: ansible-playbook playbook.yml
-vvvv
<ubuntu14>
<ubuntu14>
<ubuntu14> ConnectTimeout=10 PasswordAuthentication=no
KbdInteractiveAuthentication=no User=root
ControlPath=/Users/dproffer/.ansible/cp/ansible-ssh-%h-%p-%r
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
ControlMaster=auto Port=22 ControlPersist=60s
fatal: [ubuntu14] => SSH encountered an unknown error. The output was:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/dproffer/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket
"/Users/dproffer/.ansible/cp/ansible-ssh-ubuntu14-22-root" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to ubuntu14 [192.168.1.150] port 22.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 10000 ms remain after connect
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/dproffer/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/dproffer/.ssh/id_rsa type 1
debug1: identity file /Users/dproffer/.ssh/id_rsa-cert type -1
debug1: identity file /Users/dproffer/.ssh/id_dsa type -1
debug1: identity file /Users/dproffer/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version
OpenSSH_6.6.1p1 Ubuntu-8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-8 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "ubuntu14" from file
"/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs:
[email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit:
[email protected],[email protected],ssh-rsa,[email protected],[email protected],ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit:
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit:
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found [email protected]
debug1: kex: server->client aes128-ctr [email protected]
[email protected]
debug2: mac_setup: found [email protected]
debug1: kex: client->server aes128-ctr [email protected]
[email protected]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 507/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
debug3: load_hostkeys: loading entries for host "ubuntu14" from file
"/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "192.168.1.150" from file
"/Users/dproffer/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file
/Users/dproffer/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'ubuntu14' is known and matches the RSA host key.
debug1: Found key in /Users/dproffer/.ssh/known_hosts:2
debug2: bits set: 491/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/dproffer/.ssh/id_rsa (0x7ffc59c16020),
debug2: key: /Users/dproffer/.ssh/id_dsa (0x0),
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/dproffer/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/dproffer/.ssh/id_dsa
debug3: no such identity: /Users/dproffer/.ssh/id_dsa: No such file or
directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).
-------
Thanks!
On Friday, February 6, 2015 at 3:33:32 PM UTC-8, jason cafarelli wrote:
>
> Issue:
> Passwordless ssh works; ansible does not; comes back with AUTH failed.
> Almost looks like my /root/.ssh/config is not being read by ansible?
>
> Workarounds:
> setting key manually in /etc/ansible/ansible.cfg or using flag to specify
> key in command line both work
>
> Kickstart/cobbler install with pre shared public key that is stored in
> rsa_compute_node and rsa_compute_node.pub on the mgmt node.
>
> ie:
> [root@mgmt2 ssh]# ls /root/.ssh/
> authorized_keys id_rsa id_rsa_compute.pub id_rsa_mgmt.pub
> known_hosts
> config id_rsa_compute id_rsa_mgmt id_rsa.pub
> [root@mgmt2 ssh]#
>
>
> Config file setup for certain hosts and using my custom ID file:
>
> [root@mgmt2 ssh]# cat /root/.ssh/config
> Host 192.168.*
> StrictHostKeyChecking=no
> IdentityFile ~/.ssh/id_rsa_compute
>
> ssh works without password
> [root@mgmt2 ~]# ssh 192.168.100.147
> [root@u-eth ~]#
>
> Ansible fails:
> [root@mgmt2 ssh]# ansible compute -m ping
> [WARNING]: The version of gmp you have installed has a known issue
> regarding
> timing vulnerabilities when used with pycrypto. If possible, you should
> update
> it (i.e. yum update gmp).
>
> 192.168.100.103 | FAILED => FAILED: Authentication failed.
> 192.168.100.105 | FAILED => FAILED: Authentication failed.
> 192.168.100.101 | FAILED => FAILED: Authentication failed.
> 192.168.100.104 | FAILED => FAILED: Authentication failed.
> 192.168.100.102 | FAILED => FAILED: Authentication failed.
> 192.168.100.107 | FAILED => FAILED: Authentication failed.
> 192.168.100.110 | FAILED => FAILED: Authentication failed.
> 192.168.100.106 | FAILED => FAILED: Authentication failed.
> 192.168.100.108 | FAILED => FAILED: Authentication failed.
> 192.168.100.109 | FAILED => FAILED: Authentication failed.
> 192.168.100.114 | FAILED => FAILED: Authentication failed.
> 192.168.100.113 | FAILED => FAILED: Authentication failed.
> 192.168.100.111 | FAILED => FAILED: Authentication failed.
> 192.168.100.112 | FAILED => FAILED: Authentication failed.
> 192.168.100.115 | FAILED => FAILED: Authentication failed.
> 192.168.100.120 | FAILED => FAILED: Authentication failed.
> 192.168.100.119 | FAILED => FAILED: Authentication failed.
> 192.168.100.117 | FAILED => FAILED: Authentication failed.
> 192.168.100.116 | FAILED => FAILED: Authentication failed.
> 192.168.100.118 | FAILED => FAILED: Authentication failed.
> 192.168.100.121 | FAILED => FAILED: Authentication failed.
> 192.168.100.123 | FAILED => FAILED: Authentication failed.
> 192.168.100.125 | FAILED => FAILED: Authentication failed.
> 192.168.100.122 | FAILED => FAILED: Authentication failed.
> 192.168.100.124 | FAILED => FAILED: Authentication failed.
> 192.168.100.126 | FAILED => FAILED: Authentication failed.
> 192.168.100.129 | FAILED => FAILED: Authentication failed.
> 192.168.100.128 | FAILED => FAILED: Authentication failed.
> 192.168.100.130 | FAILED => FAILED: Authentication failed.
> 192.168.100.127 | FAILED => FAILED: Authentication failed.
> 192.168.100.134 | FAILED => FAILED: Authentication failed.
> 192.168.100.131 | FAILED => FAILED: Authentication failed.
> 192.168.100.132 | FAILED => FAILED: Authentication failed.
> 192.168.100.135 | FAILED => FAILED: Authentication failed.
> 192.168.100.133 | FAILED => FAILED: Authentication failed.
> 192.168.100.137 | FAILED => FAILED: Authentication failed.
> 192.168.100.139 | FAILED => FAILED: Authentication failed.
> 192.168.100.138 | FAILED => FAILED: Authentication failed.
> 192.168.100.140 | FAILED => FAILED: Authentication failed.
> 192.168.100.136 | FAILED => FAILED: Authentication failed.
> 192.168.100.142 | FAILED => FAILED: Authentication failed.
> 192.168.100.143 | FAILED => FAILED: Authentication failed.
> 192.168.100.144 | FAILED => FAILED: Authentication failed.
> 192.168.100.145 | FAILED => FAILED: Authentication failed.
> 192.168.100.141 | FAILED => FAILED: Authentication failed.
> 192.168.100.146 | FAILED => FAILED: Authentication failed.
> 192.168.100.147 | FAILED => FAILED: Authentication failed.
> 192.168.100.148 | success >> {
> "changed": false,
> "ping": "pong"
> }
>
> The last node; I ran ssh-copy-id as a sanity test.
>
> Version:
> [root@mgmt2 ~]# rpm -qa | grep ans
> dejavu-sans-fonts-2.30-2.el6.noarch
> ansible-1.8.1-1.el6.noarch
> [root@mgmt2 ~]#
>
>
> [root@--eth .ssh]# service sshd stop; /usr/sbin/sshd -p 22 -D -d -e
> debug1: sshd version OpenSSH_5.3p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-p'
> debug1: rexec_argv[2]='22'
> debug1: rexec_argv[3]='-D'
> debug1: rexec_argv[4]='-d'
> debug1: rexec_argv[5]='-e'
> Set /proc/self/oom_score_adj from 0 to -1000
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Bind to port 22 on ::.
> Server listening on :: port 22.
> debug1: Server will not fork when running in debugging mode.
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
> debug1: sshd version OpenSSH_5.3p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: inetd sockets after dupping: 3, 3
> Connection from 192.168.1.2 port 52557
> debug1: Client protocol version 2.0; client software version paramiko_1.7.5
> debug1: no match: paramiko_1.7.5
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.3
> debug1: permanently_set_uid: 74/74
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-ctr hmac-sha1 none
> debug1: kex: server->client aes128-ctr hmac-sha1 none
> debug1: expecting SSH2_MSG_KEXDH_INIT
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user root service ssh-connection method
> publickey
> debug1: attempt 0 failures 0
> debug1: PAM: initializing for "root"
> debug1: PAM: setting PAM_RHOST to "192.168.1.2"
> debug1: PAM: setting PAM_TTY to "ssh"
> debug1: temporarily_use_uid: 0/0 (e=0/0)
> debug1: trying public key file /root/.ssh/authorized_keys
> debug1: fd 4 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> debug1: temporarily_use_uid: 0/0 (e=0/0)
> debug1: trying public key file /root/.ssh/authorized_keys2
> debug1: fd 4 clearing O_NONBLOCK
> debug1: restore_uid: 0/0
> Failed publickey for root from 192.168.1.2 port 52557 ssh2
> Connection closed by 192.168.1.2
> debug1: do_cleanup
> debug1: do_cleanup
> debug1: PAM: cleanup
> [root@urika-xa46-eth .ssh]# rm /root/.ssh/authorized_keys2
> rm: remove regular file `/root/.ssh/authorized_keys2'? y
> [root@--eth .ssh]#
>
> Let me know if you need any more info,
>
> Thanks!
>
> -Jason
>
>
>
>
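
One way to triage a log like the -vvvv output above, as an added example that is not part of the original posts: a small Python parser that pulls out the login user, the keys the server refused, and the methods the server accepts but the client never tried. The helper name triage and the SAMPLE excerpt (lines taken from the log above with wraps rejoined) are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the -vvvv log above, wraps rejoined.
SAMPLE = """\
<ubuntu14> ConnectTimeout=10 PasswordAuthentication=no User=root PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey Port=22
debug1: Authentications that can continue: publickey,password
debug1: Offering RSA public key: /Users/dproffer/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/dproffer/.ssh/id_dsa
debug3: no such identity: /Users/dproffer/.ssh/id_dsa: No such file or directory
debug1: No more authentication methods to try.
Permission denied (publickey,password).
"""

def triage(log):
    """Summarise an OpenSSH client debug log (hypothetical helper)."""
    opts = dict(re.findall(r"\b(User|PreferredAuthentications)=(\S+)", log))
    client = opts.get("PreferredAuthentications", "").split(",")
    server, rejected, missing = [], [], []
    pending, success = None, False
    for line in log.splitlines():
        m = re.search(r"Authentications that can continue: (\S+)", line)
        if m:
            # The server answered the last offer by asking for more: key refused.
            server = m.group(1).split(",")
            if pending:
                rejected.append(pending)
                pending = None
            continue
        m = re.search(r"Offering (?:\S+ )?public key: (\S+)", line)
        if m:
            pending = m.group(1)
        m = re.search(r"no such identity: (\S+):", line)
        if m:
            missing.append(m.group(1))
        if "Authentication succeeded" in line:
            success = True
    return {
        "user": opts.get("User"),
        "rejected_keys": rejected,
        "missing_keys": missing,
        "untried": [meth for meth in server if meth not in client],
        "success": success,
    }

if __name__ == "__main__":
    for field, value in triage(SAMPLE).items():
        print(f"{field}: {value}")
```

For the excerpt it reports user root, id_rsa refused by the server, id_dsa missing on the client, and password accepted by the server but absent from the client's PreferredAuthentications.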