Hello, i already asked the support but they mean that 2FA is not supported yet. I tried it with Ansible Tower and only with Ansible but no way to make it work.
In my test environment i used two Debian 8.3 server with Duo Unix (https://duo.com/docs/duounix#linux-distribution-packages) I found that when i comment the line in /etc/ssh/sshd_config: AuthenticationMethods publickey,keyboard-interactive It works then, but it's necessary for Duo. The output of Tower: <192.168.1.22> ESTABLISH SSH CONNECTION FOR USER: ansible <192.168.1.22> SSH: EXEC ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=6448 -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=ansibleupd -o ConnectTimeout=10 -o ControlPath=/tmp/ansible_tower_s7mKlq/cp/ansible-ssh-%h-%p-%r -tt 192.168.1.22 '/bin/sh -c '"'"'( umask 22 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1456663535.16-219210006639418 `" && echo "` echo $HOME/.ansible/tmp/ansible-tmp-1456663535.16-219210006639418 `" )'"'"'' fatal: [192.168.1.22]: UNREACHABLE! => {"changed": false, "msg": "SSH encountered an unknown error. The output was:\nOpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/tmp/ansible_tower_s7mKlq/cp/ansible-ssh-192.168.1.22-22-ansible\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to 192.168.1.22 [192.168.1.22] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 9979 ms remain after connect\r\ndebug1: identity file /var/lib/awx/.ssh/id_rsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_rsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_dsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_dsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ecdsa type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ecdsa-cert type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ed25519 type -1\r\ndebug1: identity file /var/lib/awx/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5+deb8u1\r\ndebug1: match: OpenSSH_6.7p1 Debian-5+deb8u1 pat OpenSSH* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: load_hostkeys: loading entries for host \"[192.168.1.22]:22\" from file \"/var/lib/awx/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],[email protected],ssh-ed25519,ssh-rsa,ssh-dss\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]\r\ndebug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: [email protected],zlib,none\r\ndebug2: kex_parse_kexinit: [email protected],zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: kex_parse_kexinit: [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected],[email protected]\r\ndebug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-sha1\r\ndebug2: kex_parse_kexinit: none,[email protected]\r\ndebug2: kex_parse_kexinit: none,[email protected]\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: mac_setup: setup [email protected]\r\ndebug1: kex: server->client aes128-ctr [email protected] [email protected]\r\ndebug2: mac_setup: setup [email protected]\r\ndebug1: kex: client->server aes128-ctr [email protected] [email protected]\r\ndebug1: sending SSH2_MSG_KEX_ECDH_INIT\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: ECDSA bf:76:fe:be:e0:c7:93:96:2e:56:b6:91:72:8f:24:9b\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: put_host_port: [192.168.1.22]:22\r\ndebug3: load_hostkeys: loading entries for host \"[192.168.1.22]:22\" from file \"/var/lib/awx/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: load_hostkeys: loading entries for host \"[192.168.42.4]:6448\" from file \"/var/lib/awx/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type ECDSA in file /var/lib/awx/.ssh/known_hosts:13\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug1: Host '[192.168.42.4]:6448' is known and matches the ECDSA host key.\r\ndebug1: Found key in /var/lib/awx/.ssh/known_hosts:13\r\ndebug1: ssh_ecdsa_verify: signature correct\r\ndebug2: kex_derive_keys\r\ndebug2: set_newkeys: mode 1\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug2: set_newkeys: mode 0\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug1: SSH2_MSG_SERVICE_REQUEST sent\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug2: key: /tmp/ansible_tower_s7mKlq/credential (0x7f656db6aa60),\r\ndebug2: key: /var/lib/awx/.ssh/id_rsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_dsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: publickey\r\ndebug3: start over, passed a different list publickey\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup publickey\r\ndebug3: remaining preferred: ,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Offering RSA public key: /tmp/ansible_tower_s7mKlq/credential\r\ndebug3: send_pubkey_test\r\ndebug2: we sent a publickey packet, wait for reply\r\ndebug1: Server accepts key: pkalg ssh-rsa blen 277\r\ndebug2: input_userauth_pk_ok: fp 5b:ae:81:a1:27:f1:c8:26:40:f5:9e:bc:d7:77:f9:ef\r\ndebug3: sign_and_send_pubkey: RSA 5b:ae:81:a1:27:f1:c8:26:40:f5:9e:bc:d7:77:f9:ef\r\nAuthenticated with partial success.\r\ndebug2: key: /tmp/ansible_tower_s7mKlq/credential (0x7f656db6aa30),\r\ndebug2: key: /var/lib/awx/.ssh/id_rsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_dsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /var/lib/awx/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: keyboard-interactive\r\ndebug3: start over, passed a different list keyboard-interactive\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug1: No more authentication methods to try.\r\nPermission denied (keyboard-interactive).\r\n", "unreachable": true} to retry, use: --limit @ansible_apt.retry PLAY RECAP ********************************************************************* 192.168.1.22 : ok=0 changed=0 unreachable=1 failed=0 -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ce2b2016-8db1-478d-95e7-e8760ff808f1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
