Hullo Julian.

Sorry, can't figure out how to reply to your reply. Anyway: if you have the 
ability to do so, adjust the sshd config on the target to allow root users 
to log in, but only from localhost ( or ::1). This is exactly as 
secure as allowing su or sudo, so does not breach policy.

Then set up ssh port forwarding via a non-root account on the target host. 
It should forward local connections on the controller host on (say) port 
2222, to port 22 on localhost on the target. Finally, do your rsync to the 
host by connecting to the local port 2222. That will end up connecting 
across the tunnel to a root login on localhost on the target. From the 
target host's point of view, it will be a local connection and thus 

I have no idea whether Ansible can cope with such a two-step, but it's a 
relatively common pattern for ssh generally. Assuming you are an ordinary 
user on the controller and there is an ordinary user fred on the target 

   ssh -N -f -L 2222:localhost:22 fred@targethost


   ssh -p 2222 root@localhost


   rsync -avz -e "ssh -p 2222" root@localhost:/backups/ /backups/

Not sure about that rsync command; you'd have to read the man page for 
getting ssh to use a different port. The point is that if you connect to 
TCP port 2222 on the controller, you are actually connecting to TCP port 22 
on the target.

Put your (the controller user's) public key (not fred's!) in the target 
root user's ~/.ssh/authorized keys and in fred's ~/.ssh/authorized keys and 
the whole thing can be passwordless.

If you are unable to get ssh root logins to localhost on the target, then 
I'm stumped too :-)

Regards, K.

On Friday, April 6, 2018 at 10:30:12 PM UTC+10, Julian Santander wrote:
> Hello,
>  I hope someone could offer some guidance on how to solve a scenario I'm 
> trying to automate.
> The objective is to obtain a back-up of a directory in the target machine 
> (managed) and needs to be saved to the controller host (where ansible runs).
> Now, the problems:
>    1. I feel I cannot use synchronize as it has its own rules for access 
>    (requiring ssh public keys unlike the rest of the ansible modules).
>    2. The back-up needs to be done as a privileged account (but ansible 
>    must login as an unprivileged user able to do sudo or su). This kind of 
>    prevents me from using a local_action/shell doing "sshpass -p XXXX 
>    privileged@host "cd directory_to_back_up && tar -czf - *" > 
>    local_backup_file.tar.gz
>    3. There's not enough space in the target machine to create a tar file 
>    of the directory that could later be *fetched*.
>    4. The size of the back-up is huge, precluding writing a tar file to 
>    stdout to be stored in a register variable that could be later be written 
>    locally.
> Any ideas on how to handle this? 
> So far I suspect I might need to write my own module, perhaps looking into 
> how fetch and command are handled to write the output of a command to a 
> local file without registering anything.
> Thanks in advance and best regards
> Julian

You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To post to this group, send email to
To view this discussion on the web visit
For more options, visit

Reply via email to