Re: [ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-18 Thread Dick Visser
On Tue, 18 Oct 2022 at 10:02, jer...@gmail.com  wrote:
>
> So what is the right approach to secure an ssh private key?

That depends entirely on your situation and its security requirements.
This can mean anything, from not encrypting anything, to fancy HSMs, etc.
In any case, it's not something specific to ansible I would say.

Dick

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/CAF8BbLa1WMSU3bc4QowaoCJGick%2B9SHJSRdA%2B%2BGt2FgL1ADsjw%40mail.gmail.com.


Re: [ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-18 Thread jer...@gmail.com
So what is the right approach to secure an ssh private key?

On Monday, October 3, 2022 at 3:11:14 PM UTC+3 dnmv...@gmail.com wrote:

> On Mon, 3 Oct 2022 at 14:01, Todd Lewis  wrote:
> >
> > I don't think what you're doing is expected to work.
> > ansible_ssh_private_key_file is the path to a private key file used by 
> ssh. That you happen to point it at a file in {{inventory_dir}}/group_vars 
> doesn't somehow make ssh able to decrypt ansible-vault encrypted files.
>
> See also https://github.com/ansible/ansible/issues/22382
>



Re: [ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-03 Thread Dick Visser
On Mon, 3 Oct 2022 at 14:01, Todd Lewis  wrote:
>
> I don't think what you're doing is expected to work.
> ansible_ssh_private_key_file is the path to a private key file used by ssh. 
> That you happen to point it at a file in {{inventory_dir}}/group_vars doesn't 
> somehow make ssh able to decrypt ansible-vault encrypted files.

See also https://github.com/ansible/ansible/issues/22382



[ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-03 Thread Todd Lewis
I don't think what you're doing is expected to work.
*ansible_ssh_private_key_file* is the path to a private key file used by 
ssh. That you happen to point it at a file in *{{inventory_dir}}/group_vars* 
doesn't somehow make ssh able to decrypt ansible-vault encrypted files.

On Sunday, October 2, 2022 at 7:15:34 AM UTC-4 jer...@gmail.com wrote:

> I'm using in inventory/group_vars/all.yaml:
> 
> *ansible_ssh_private_key_file: '{{inventory_dir}}/group_vars/path/to/key'*
>
> This Key is working well when it's plain text
> When I encrypt the file with ansible-vault, I get the error:
>
> *Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format*
> *root @ SOME_IP: Permission denied (publickey,password).*
> *unreachable: true*
>
> I am using *$ANSIBLE_VAULT_PASSWORD_FILE* to decrypt everything without 
> asking for password.
> I have other encrypted secrets in all.yaml that get decrypted.
>
> What am I missing ?
>
> Thanks!
>


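Todd Lewis's point above, as an added example that is not part of the original thread: ssh reads the identity file byte for byte, so an ansible-vault envelope is not the same thing as an OpenSSH passphrase-protected key, and only the latter is something ssh can unlock. The function names and sample inputs are constructed for illustration.

```python
import base64
import struct

VAULT_MAGIC = b"$ANSIBLE_VAULT;"       # first bytes of every ansible-vault file
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # magic inside an OpenSSH private key

def classify_key_file(data: bytes) -> str:
    """Report what ssh finds when its identity file holds these bytes."""
    head = data.lstrip()
    if head.startswith(VAULT_MAGIC):
        # Vault envelope: Ansible can open it, ssh reports "invalid format".
        return "ansible-vault"
    lines = head.decode("ascii", "replace").splitlines()
    if not lines:
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            if not blob.startswith(OPENSSH_MAGIC):
                return "unknown"
            # ciphername is an SSH string: uint32 length, then the bytes.
            (n,) = struct.unpack_from(">I", blob, len(OPENSSH_MAGIC))
        except (ValueError, struct.error):
            return "unknown"
        cipher = blob[len(OPENSSH_MAGIC) + 4:][:n]
        # "none" means the private key sits unencrypted on disk.
        return "openssh-plaintext" if cipher == b"none" else "openssh-passphrase"
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----"):
        # Legacy PEM: passphrase protection shows as a Proc-Type header.
        enc = "ENCRYPTED" in lines[0] or any(
            l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:3])
        return "pem-passphrase" if enc else "pem-plaintext"
    return "unknown"

def sample_openssh(cipher: bytes) -> bytes:
    """Constructed header-only blob (no key material), for the demo below."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

VAULTED = b"$ANSIBLE_VAULT;1.1;AES256\n36363636\n"  # constructed sample
if __name__ == "__main__":
    for name, data in [("vaulted", VAULTED), ("plain", sample_openssh(b"none")),
                       ("passphrase", sample_openssh(b"aes256-ctr"))]:
        print(name, "->", classify_key_file(data))
```

Run against the file named in `ansible_ssh_private_key_file`, a result of `ansible-vault` matches the "invalid format" error quoted in this thread.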

Re: [ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-03 Thread Dick Visser
This sounds like the key is cached by some agent. Investigate that.

On Mon, 3 Oct 2022 at 10:41, jer...@gmail.com  wrote:

> Hmm, it seems it's not an ansible issue: when I decrypt the key and try, it
> works. Then encrypting the key, it still works. After a few minutes, it stops
> working...
> From ansible on ubuntu 18.04 (python 3.6) to target 20.04
>
> #: ansible --version
> [DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the
> controller starting with Ansible 2.12. Current version: 3.6.9 (default, Jun
> 29 2022, 11:45:57) [GCC
> 8.4.0]. This feature will be removed from ansible-core in version 2.12.
> Deprecation warnings can be disabled by setting deprecation_warnings=False
> in ansible.cfg.
> /home/user/.local/lib/python3.6/site-packages/ansible/parsing/vault/__init__.py:44:
> CryptographyDeprecationWarning: Python 3.6 is no longer supported by the
> Python core team. Therefore, support for it is deprecated in cryptography
> and will be removed in a future release.
>   from cryptography.exceptions import InvalidSignature
> ansible [core 2.11.12]
>   config file = /home/user/projects/ansible/ansible.cfg
>   configured module search path = ['/home/user/.ansible/plugins/modules',
> '/usr/share/ansible/plugins/modules']
>   ansible python module location =
> /home/user/.local/lib/python3.6/site-packages/ansible
>   ansible collection location =
> /home/user/.ansible/collections:/usr/share/ansible/collections
>   executable location = /home/user/.local/bin/ansible
>   python version = 3.6.9 (default, Jun 29 2022, 11:45:57) [GCC 8.4.0]
>   jinja version = 3.0.3
>   libyaml = True
>
> On Sunday, October 2, 2022 at 11:02:50 PM UTC+3 d...@linder.org wrote:
>
>> Can you provide a minimal Ansible playbook with a vaulted variable file
>> to see if we can recreate it or see anything amiss?
>>
>> The error message you're showing states "root @ SOME_IP: Permission
>> denied (publickey,password)" which doesn't seem to be ansible-vault related.
>>
>> On Sunday, October 2, 2022 at 6:15:34 AM UTC-5 jer...@gmail.com wrote:
>>
>>> I'm using in inventory/group_vars/all.yaml:
>>> 
>>> *ansible_ssh_private_key_file:
>>> '{{inventory_dir}}/group_vars/path/to/key'*
>>>
>>> This Key is working well when it's plain text
>>> When I encrypt the file with ansible-vault, I get the error:
>>>
>>> *Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format*
>>> *root @ SOME_IP: Permission denied (publickey,password).*
>>> *unreachable: true*
>>>
>>> I am using *$ANSIBLE_VAULT_PASSWORD_FILE* to decrypt everything without
>>> asking for password.
>>> I have other encrypted secrets in all.yaml that get decrypted.
>>>
>>> What am I missing ?
>>>
>>> Thanks!
>>>



[ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-03 Thread jer...@gmail.com
Hmm, it seems it's not an ansible issue: when I decrypt the key and try, it 
works. Then encrypting the key, it still works. After a few minutes, it stops 
working...
From ansible on ubuntu 18.04 (python 3.6) to target 20.04

#: ansible --version
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the 
controller starting with Ansible 2.12. Current version: 3.6.9 (default, Jun 
29 2022, 11:45:57) [GCC 
8.4.0]. This feature will be removed from ansible-core in version 2.12. 
Deprecation warnings can be disabled by setting deprecation_warnings=False 
in ansible.cfg.
/home/user/.local/lib/python3.6/site-packages/ansible/parsing/vault/__init__.py:44:
 
CryptographyDeprecationWarning: Python 3.6 is no longer supported by the 
Python core team. Therefore, support for it is deprecated in cryptography 
and will be removed in a future release.
  from cryptography.exceptions import InvalidSignature
ansible [core 2.11.12] 
  config file = /home/user/projects/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', 
'/usr/share/ansible/plugins/modules']
  ansible python module location = 
/home/user/.local/lib/python3.6/site-packages/ansible
  ansible collection location = 
/home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/.local/bin/ansible
  python version = 3.6.9 (default, Jun 29 2022, 11:45:57) [GCC 8.4.0]
  jinja version = 3.0.3
  libyaml = True

On Sunday, October 2, 2022 at 11:02:50 PM UTC+3 d...@linder.org wrote:

> Can you provide a minimal Ansible playbook with a vaulted variable file to 
> see if we can recreate it or see anything amiss?
>
> The error message you're showing states "root @ SOME_IP: Permission denied 
> (publickey,password)" which doesn't seem to be ansible-vault related.
>
> On Sunday, October 2, 2022 at 6:15:34 AM UTC-5 jer...@gmail.com wrote:
>
>> I'm using in inventory/group_vars/all.yaml:
>> 
>> *ansible_ssh_private_key_file: '{{inventory_dir}}/group_vars/path/to/key'*
>>
>> This Key is working well when it's plain text
>> When I encrypt the file with ansible-vault, I get the error:
>>
>> *Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format*
>> *root @ SOME_IP: Permission denied (publickey,password).*
>> *unreachable: true*
>>
>> I am using *$ANSIBLE_VAULT_PASSWORD_FILE* to decrypt everything without 
>> asking for password.
>> I have other encrypted secrets in all.yaml that get decrypted.
>>
>> What am I missing ?
>>
>> Thanks!
>>
>



[ansible-project] Re: Encrypted SSH Key leads to Invalid format

2022-10-02 Thread Dan Linder
Can you provide a minimal Ansible playbook with a vaulted variable file to 
see if we can recreate it or see anything amiss?

The error message you're showing states "root @ SOME_IP: Permission denied 
(publickey,password)" which doesn't seem to be ansible-vault related.

On Sunday, October 2, 2022 at 6:15:34 AM UTC-5 jer...@gmail.com wrote:

> I'm using in inventory/group_vars/all.yaml:
> 
> *ansible_ssh_private_key_file: '{{inventory_dir}}/group_vars/path/to/key'*
>
> This Key is working well when it's plain text
> When I encrypt the file with ansible-vault, I get the error:
>
> *Load key "/home/user/projects/ansible/inventory/group_vars/path/to/key": invalid format*
> *root @ SOME_IP: Permission denied (publickey,password).*
> *unreachable: true*
>
> I am using *$ANSIBLE_VAULT_PASSWORD_FILE* to decrypt everything without 
> asking for password.
> I have other encrypted secrets in all.yaml that get decrypted.
>
> What am I missing ?
>
> Thanks!
>
