So, I just ran into this again. And it's really really annoying. There are times when I'm configuring things that I need to use the ssh password. It's far simpler just to set the password in the inventory/host_vars file and leave it there, than to have to set it, then remember to remove it once pubkey auth is working.
I also can't think of why you would want to block pubkey authentication. Doesn't ssh automatically fall back to password auth if pubkey fails? Pubkey auth is much more secure, and I would think it should be preferred over password auth in all cases, even if you've specified a password. Or am I missing something? In any case, is there an ansible.cfg option I could set that would stop Ansible from setting the "PubkeyAuthentication=no" flag?

On Wednesday, November 5, 2014 at 1:31:22 PM UTC-8, Matt Martz wrote:
> It is not specifically documented other than the code itself:
>
> https://github.com/ansible/ansible/blob/d3c28fee8739c93821d4f639b2931f5a3592eb8e/lib/ansible/runner/connection_plugins/ssh.py#L90-L92
>
> It was added in:
>
> https://github.com/ansible/ansible/commit/d703f920775e8877b1fb9e2ae750a23bcc7e9534
>
> Which dates the change back to v0.9
>
> My recommendation is to not put ansible_ssh_pass in your inventory. Instead just specify it as an argument (-k) on the command line the first time you bootstrap a machine. That is what we do, and it seems to work out pretty well.
>
> On Wed, Nov 5, 2014 at 3:22 PM, David Reagan wrote:
>
>> Is that documented? I don't see it here:
>> http://docs.ansible.com/intro_inventory.html#list-of-behavioral-inventory-parameters
>>
>> Any explanations on why? It seems counterintuitive to me. I would think we'd always want to use pubkey auth, and only use password auth if pubkey isn't available.
>>
>> --David Reagan
>>
>> On Wed, Nov 5, 2014 at 1:08 PM, Matt Martz wrote:
>>
>>> If you have ansible_ssh_pass set, ansible explicitly sets "-o PubkeyAuthentication=no" which disables the use of SSH public key auth.
>>>
>>> On Wed, Nov 5, 2014 at 2:35 PM, David Reagan wrote:
>>>
>>>> When I'm first setting up a vm, I need to set which user to use and the ssh and sudo passwords.
>>>>
>>>> So, my host file looks something like:
>>>>
>>>>> [apache]
>>>>> 192.168.77.2 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
>>>>> [mysql]
>>>>> 192.168.77.3 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
>>>>
>>>> The initial setup includes configuring ssh to use sshkey auth, block password auth, and adds my ssh pub key to the vagrant user.
>>>>
>>>> After that first run, my playbooks fail.
>>>>
>>>>> ansible-playbook -i provisioning/vagrant.ansible.hosts --sudo --limit="192.168.77.3" provisioning/play.testowncloud.yml
>>>>>
>>>>> PLAY [apache] *****************************************************************
>>>>> skipping: no hosts matched
>>>>>
>>>>> PLAY [mysql] ******************************************************************
>>>>>
>>>>> GATHERING FACTS ***************************************************************
>>>>> fatal: [192.168.77.3] => SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue
>>>>>
>>>>> TASK: [aspects_mysql_server | include_vars {{ ansible_os_family }}.yml] *******
>>>>> FATAL: no hosts matched or all hosts have already failed -- aborting
>>>>>
>>>>> PLAY RECAP ********************************************************************
>>>>> to retry, use: --limit @/home/localuser/play.testowncloud.retry
>>>>>
>>>>> 192.168.77.3 : ok=0 changed=0 unreachable=1 failed=0
>>>>
>>>> If I remove the *ansible_ssh_pass* variable from my hosts file, it starts working.
>>>>
>>>> Why is that? Shouldn't having the *ansible_ssh_pass* set not matter?
>>>>
>>>> In case it's useful, my /etc/ssh/sshd_config:
>>>>
>>>>> # See the sshd_config(5) manpage for details on what options you can set.
>>>>> Protocol 2
>>>>> HostKey /etc/ssh/ssh_host_dsa_key
>>>>> HostKey /etc/ssh/ssh_host_ecdsa_key
>>>>> UsePrivilegeSeparation yes
>>>>> AcceptEnv LANG LC_*
>>>>> HostKey /etc/ssh/ssh_host_rsa_key
>>>>> Port 22
>>>>> PubkeyAuthentication yes
>>>>> ServerKeyBits 768
>>>>> PrintMotd no
>>>>> AllowUsers otherusers localuser vagrant
>>>>> PrintLastLog yes
>>>>> HostbasedAuthentication no
>>>>> LoginGraceTime 120
>>>>> SyslogFacility AUTH
>>>>> X11DisplayOffset 10
>>>>> IgnoreRhosts yes
>>>>> PasswordAuthentication no
>>>>> TCPKeepAlive yes
>>>>> KeyRegenerationInterval 3600
>>>>> UsePAM yes
>>>>> LogLevel INFO
>>>>> RhostsRSAAuthentication no
>>>>> PermitEmptyPasswords no
>>>>> PermitRootLogin no
>>>>> Subsystem sftp /usr/lib/openssh/sftp-server
>>>>> X11Forwarding yes
>>>>> RSAAuthentication yes
>>>>> ChallengeResponseAuthentication no
>>>>
>>>> Both desktop and vm are Ubuntu 14.04. Using ansible devel branch current as of a couple weeks ago.
>>>
>>> --
>>> Matt Martz
>>> @sivel
>>> sivel.net
>
> --
> Matt Martz
> @sivel
> sivel.net
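
Added example (not from the thread and not Ansible's own code): a small Python audit that models the failure discussed above, where `ansible_ssh_pass` in the inventory turns off public key auth on the client while sshd has `PasswordAuthentication no`, so the two sides share no auth method. The function names, the second host's variables, and the rule that a host without a stored password relies on publickey alone are assumptions made for the example.

```python
import shlex

# Constructed sample input, shaped like the inventory and sshd_config in the thread.
INVENTORY = """\
[apache]
192.168.77.2 ansible_ssh_user=vagrant ansible_ssh_pass=vagrant ansible_sudo_pass=vagrant
[mysql]
192.168.77.3 ansible_ssh_user=vagrant
"""
SSHD_CONFIG = "PubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"
# sshd keyword -> SSH auth method it enables (each defaults to "yes" in OpenSSH)
KEYWORDS = {"pubkeyauthentication": "publickey", "passwordauthentication": "password",
            "challengeresponseauthentication": "keyboard-interactive"}

def parse_inventory(text):
    """Return {host: {var: value}} from INI host lines; [x:vars]/[x:children] are skipped."""
    hosts, in_host_section = {}, True
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_host_section = ":" not in line
        elif line and line[0] not in "#;" and in_host_section:
            name, *pairs = shlex.split(line)
            hosts[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts

def server_methods(sshd_config):
    """Auth methods sshd accepts; sshd uses the first value given for a keyword."""
    seen = {}
    for line in sshd_config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in KEYWORDS:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {m for kw, m in KEYWORDS.items() if seen.get(kw, "yes") == "yes"}

def client_methods(hostvars):
    """Per the thread, ansible_ssh_pass adds -o PubkeyAuthentication=no.
    Assumption: without a stored password only publickey can succeed unattended."""
    if "ansible_ssh_pass" in hostvars:
        return {"password", "keyboard-interactive"}
    return {"publickey"}

def audit(inventory, sshd_config):
    """Return {host: [findings]} for hosts storing a password or left with no auth method."""
    accepted, report = server_methods(sshd_config), {}
    for host, hv in parse_inventory(inventory).items():
        findings = []
        if "ansible_ssh_pass" in hv:
            findings.append("plaintext ansible_ssh_pass in inventory")
        if not client_methods(hv) & accepted:
            findings.append("no auth method in common with sshd")
        if findings:
            report[host] = findings
    return report
```

Running `audit(INVENTORY, SSHD_CONFIG)` flags only the host that still carries `ansible_ssh_pass`; the host without it passes because publickey is accepted by the hardened sshd.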
