Hi!

My very limited knowledge of Ansible says it needs SFTP or at least SCP subsystems on the controlled side. Your company firewall allows only running ssh interactively - most probably it's not sufficient for Ansible.

M.

On Wed, Nov 28, 2018 at 6:49 AM Easy King <[email protected]> wrote:

> My firm's policy has a constraint of passing "-t bash" to ssh for connectivity else it would fail [This could be to prevent anyone from firing remote commands].
>
> Below ssh command works fine:
>
> ssh -i /opt/cert/id_rsa_prod targetuser@targethost -t bash
>
> In order to make ansible's ssh include the "-t bash" argument I try to inject "-t bash" to ansible ssh by specifying the same in ansible inventory host file as below:
>
> more host.txt
>
> [target*]
>
> targethost ansible_python_interpreter=/opt/bin/python2.7 ansible_ssh_extra_args="-t bash" ansible_ssh_common_args="-t" ansible_ssh_private_key_file=/opt/cert/id_rsa_prod USER_RUN=targetuser
>
> When I run this ansible playbook it fails to connect to target host and throws the below error output:
>
> 23:53:42 ESTABLISH SSH CONNECTION FOR USER: targetuser
>
> 23:53:42 SSH: EXEC ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/opt/cert/id_rsa_prod"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=targetuser -o ConnectTimeout=10 -t bash -o ControlPath=/home/sourceuser/.ansible/cp/e8313d01d6 targethost '/bin/sh -c '"'"'echo ~targetuser && sleep 0'"'"''
>
> 23:53:42 (255, '', 'OpenSSH_7.7p1 (CentrifyDC build 5.5.1-395) , OpenSSL 1.0.2o-fips 27 Mar 2018\r\ndebug1: Reading configuration data /home/sourceuser/.ssh/config\r\ndebug1: Reading configuration data /etc/centrifydc/ssh/ssh_config\r\ndebug1: /etc/centrifydc/ssh/ssh_config line 3: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/home/sourceuser/.ansible/cp/e8313d01d6" does not exist\r\ndebug2: resolving "bash" port 22\r\nssh: Could not resolve hostname bash: Name or service not known\r\n')
>
> 23:53:42 fatal: [targethost]: UNREACHABLE! => {
>
> 23:53:42 "changed": false,
>
> 23:53:42 "msg": "Failed to connect to the host via ssh: OpenSSH_7.7p1 (CentrifyDC build 5.5.1-395) , OpenSSL 1.0.2o-fips 27 Mar 2018\r\ndebug1: Reading configuration data /home/sourceuser/.ssh/config\r\ndebug1: Reading configuration data /etc/centrifydc/ssh/ssh_config\r\ndebug1: /etc/centrifydc/ssh/ssh_config line 3: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket "/home/sourceuser/.ansible/cp/e8313d01d6" does not exist\r\ndebug2: resolving "bash" port 22\r\nssh: Could not resolve hostname bash: Name or service not known\r\n",
>
> 23:53:42 "unreachable": true
>
> 23:53:42 }
>
> 23:53:42 to retry, use: --limit @/opt/scripts/myfolder/site.retry
>
> 23:53:42
>
> 23:53:42 PLAY RECAP
>
> 23:53:42 targethost : ok=0 changed=0 unreachable=1 failed=0
>
> ANSIBLE VERSION
>
> ansible --version
>
> ansible 2.7.1
>
> config file = /etc/ansible/ansible.cfg
>
> configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
>
> ansible python module location = /usr/lib/python2.7/site-packages/ansible
>
> executable location = /bin/ansible
>
> python version = 2.7.5 (default, Sep 12 2018, 05:31:16) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
>
> OS / ENVIRONMENT
>
> Linux x86-64
>
> STEPS TO REPRODUCE
>
> ansible ping command
>
> ACTUAL RESULTS
>
> SSH connection fails because ansible is not constructing the ssh arguments correctly. *The "-t bash" should be placed after the user@target while ansible is putting it before user@target.*
>
> I'm looking for a workaround as this is critical for us. I do not wish to modify any global cfg [configuration] files as other playbooks may get affected.
>
> Please help!
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/6092f244-7611-48dc-87cd-2a7caae13b3a%40googlegroups.com <https://groups.google.com/d/msgid/ansible-project/6092f244-7611-48dc-87cd-2a7caae13b3a%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

--
MZ
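
The `resolving "bash" port 22` line in the posted log follows from how the ssh client scans its arguments, modelled below as an added example that is not part of the thread and is not Ansible or OpenSSH code. The option table is an assumption based on the ssh(1) synopsis, and the two command lines are constructed from the post with the Ansible one shortened.

```python
import shlex

# Option letters that consume a value. Assumption: taken from the ssh(1)
# synopsis; the exact set differs slightly between OpenSSH releases.
TAKES_VALUE = set("BbcDEeFIiJLlmOopQRSWw")

def split_ssh_argv(argv):
    """Model of the client's argument scan: return (host, remote_command).

    Options are consumed wherever they appear until a second non-option
    word is met; the first non-option word is the host, and everything
    from the second one onward is the remote command.
    """
    host, i = None, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-") and len(arg) > 1:
            for j, letter in enumerate(arg[1:], start=1):
                if letter in TAKES_VALUE:
                    if j == len(arg) - 1:
                        i += 1      # value is the next argv element
                    break           # otherwise the value is glued on: -oKey=val
            i += 1
        elif host is None:
            host = arg              # first bare word is always the host
            i += 1
        else:
            break                   # second bare word starts the command
    return host, argv[i:]

def analyse(command_line):
    """Split a full command line (including the leading 'ssh')."""
    return split_ssh_argv(shlex.split(command_line)[1:])

# Constructed from the post: the manual command that works ...
MANUAL = "ssh -i /opt/cert/id_rsa_prod targetuser@targethost -t bash"
# ... and the command Ansible built (options and remote command shortened).
ANSIBLE = ("ssh -vvv -C -o ControlMaster=auto -o User=targetuser -t bash "
           "-o ControlPath=/home/sourceuser/.ansible/cp/e8313d01d6 "
           "targethost '/bin/sh -c true'")

if __name__ == "__main__":
    for label, cmd in (("manual", MANUAL), ("ansible", ANSIBLE)):
        host, remote = analyse(cmd)
        print(f"{label}: host={host!r} remote_command={remote!r}")
```

In the Ansible-built line the word after `-t` is the first bare word, so it is taken as the host and `targethost` becomes part of the remote command.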
