I would like to ask a question that might not really have an answer but it will save my life.
So yesterday I started using google-authenticator for a second factor authentication on all my servers.
I am configuring all my hosts with Ansible so it is very important for me to have connection from it obviously, so, what I did, was I added this line to my /etc/pam.d/ssh file
auth [success=done default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
which I think returns success if I meet the rules I added in /etc/security/access-local.conf
#localhost doesn't need two step verification
+ : ALL : <<localnetworkip>>/24
+ : ALL : LOCAL
#All other hosts need two step verification
- : ALL : ALL
So I am allowing any machine from my local network. This work when I try to ssh from my ansible to the host (it doesn't ask me for verification code) but when I try to run an ansible playbook on the same local IP I get:
fatal: [Host]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (keyboard-interactive).", "unreachable": true}
I think Ansible doesn't know how to handle keyboard-interaction, has anyone managed to bypass it?
Thank you
So I figured out how to bypass this for my case at least.
I added the following rule at the end in /etc/ssh/sshd_config
Match Address <<localnetworkip>>/24
AuthenticationMethods publickey keyboard-interactive
So Google authentication is not mandatory anymore from internal network
Related
good day.
I generated ssh-keygen via user not in root and I copied it to my remote server. I can ssh the remote server without asking for a password in the user. As far as I read from the documentations it needs to have generated ssh-key in root in order to run commands like this:
ansible all -m ping
Is there a way that I can get to this successfully without using root?
For now, I get this error:
"msg": "Failed to connect to the host via ssh: <username>#192.x.y.z: Permission denied (publickey,password).",
Friends,
I am trying to run some ansible tasks against an EC2 instance and getting the following error:
fatal: [ubuntu]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to
the host via ssh: ssh: connect to host 34.218.130.84 port 22:connection timed out",
"unreachable": true}
I think, the problem is related to Ansible configuration because I tryed connecting with the instance via Putty using the same IP, username and pem-file and it worked just fine.
This is how my inventory file looks like:
[brt]
ubuntu ansible_ssh_host=34.218.130.84
ansible_ssh_private_key_file=/home/mjgoncalves/ansible/chave/aws-ansible.pem
[brt:vars]
ansible_ssh_private_key_file=/home/mjgoncalves/ansible/chave/aws-ansible.pem
ansible_ssh_host=34.218.130.84
ansible_ssh_user=username
ansible_ssh_pass=passowrd
ansible_become=yes
ansible_become_method=sudo
ansible_become_pass=password
ansible_connection=ssh
...
Any idea what I may be missing?
The "ssh" in the variable names has been deprecated. You should use ansible_host instead of ansible_ssh_host (same for username, password etc., but not for the ansible_ssh_private_key_file).
The IP in the message (connect to host 34.228.140.94) is not the same as in your inventory, so it seems that it does not take the IP from the variable, or you are overwriting it somewhere else.
I've been at this all morning, and I've seen multiple posts about this error in other places, but none of the solutions seem to be working for me at this point.
I'm playing around with Ansible and trying to setup my inventory + hosts for this project.
For my hosts file I have (/etc/ansible/hosts):
[test-servers]
x.x.x.x
For my inventory I have (/etc/ansible/inventory.txt):
ansible-target ansible_ssh_host=x.x.x.x ansible_user=user ansible_ssh_pass=password
But when I try to run ansible -m ping all I get:
x.x.x.x | UNREACHABLE! => {
"changed": false,
"msg": Failed to connect to the host via ssh: user#x.x.x.x: Permission denied (publickey,password,keyboard-interacgive.\r\n"
"unreachable":true
}
However, I get a pong response successfully when I run:
ansible x.x.x.x -m ping -i /etc/ansible/inventory.txt
Anyone have any idea what this might be?
Thanks in advance.
Found the solution. Needed to have it prompt me for a password to setup the initial Ansible SSH configuration.
Ansible: Permission denied (publickey, password)
I am trying to connect to my windows computer using OpenSSH and Ansible.
I am able to connect using regular ssh, but when I try to connect using Ansible, I get pretty much the same error everytime I change something.
I've also tried running Ansible as root and still nothing
fatal: [IVU]: UNREACHABLE! => {"changed": false, "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the remote directory. Consider changing the remote temp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"` echo /tmp/ansible-tmp-1502794936.2073953-164132649383245 `\" && echo ansible-tmp-1502794936.2073953-164132649383245=\"` echo /tmp/ansible-tmp-1502794936.2073953-164132649383245 `\" ), exited with result 1", "unreachable": true}
I've tried to change the ssh_args in ansible.cfg to ssh_args= -o ControlMaster=no and no change to the output was made.
I've tried to change the executable in the ansible.cfg to C:/Windows/System32/cmd.exe and I got the same error
I've tried changing the remote_dir=/tmp/ and still nothing.
My ansible inventory is:
[IVU]
IVU ansible_host=**IP**
[IVU:vars]
ansible_port=22
ansible_user=**user**
ansible_ssh_pass=**pass**
ansible_ssh_private_key_file=** Keyfile **
It seems like it's failing before even running any tasks, but from the openssh logs on the windows computer I see no difference when ansible connects to it and when I ssh into it.
3724 09:27:38:720 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3724 09:27:41:376 Accepted publickey for **User** from **IP** port 42700 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3724 09:27:58:533 Received disconnect from **IP** port 42700:11: disconnected by user
3724 09:27:58:533 Disconnected from user **User** **IP** port 42700
3360 09:28:41:398 error: Couldn't create pid file "C:\\Program Files\\OpenSSH\\sshd.pid": Permission denied
3360 09:28:41:616 Accepted publickey for **User** from **IP** port 42704 ssh2: RSA SHA256:clNmiKxygl/TLEb5Ob4lZs6JqztoQyxOsjMoHQ2HYgo
3360 09:28:41:741 Received disconnect from **IP** port 42704:11: disconnected by user
3360 09:28:41:741 Disconnected from user **User** **IP** port 42704
The 9:27 is when I'm connecting using ssh and the 9:28 is when ansible connects.
Is there something I'm missing that I need to change in order for Ansible to work with openSSH on windows?
I figured out a solution by using a reverse ssh tunnel.
I abandoned the idea of trying to use the ssh ansible module with windows since Windows simply doesn't play nicely with it unless you have the windows 10 update. I decided to use the winrm ansible module instead.
What I did is I connected the windows computer to the computer running Ansible by opening a reverse SSH tunnel by using the command:
ssh -p5983 -R 5982:localhost:5986 **my_user**#**my_ip**
For my purposes I had to port forward because my computer was on a separate vlan than the windows computer
Then in Ansible I specified that the host is localhost at port 5982.
This is about as good of a solution for when working with openssh and windows, at least until Ansible supports openssh on windows.
I am testing ansible (developer build) to connect to a windows machine.
ansible 2.0.0 (devel d1b98ec776)
The following command fails
ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Error is as below
bash-4.1$ ansible inh-jnambood-dt.india.mentorg.com -m win_ping -vvvv
Using /etc/ansible/ansible.cfg as config file
Loaded callback minimal of type stdout, v2.0
<inh-jnambood-dt.india.mentorg.com> ESTABLISH WINRM CONNECTION FOR USER: jnambood#MGC.MENTORG.COM on PORT 5985 TO inh-jnambood-dt.india.mentorg.com
inh-jnambood-dt.india.mentorg.com | FAILED! => {
"failed": true,
"msg": "ERROR! kerberos: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Server not found in Kerberos database', -1765328377)), plaintext: 401 Unauthorized."
jnambood is my user id MGC.MENTORG.COM is the domain
Clearly there is some step I missed. What should I do to fix this error?
That usually means that the Linux host where you're running kinit is not joined to the domain (ie, it doesn't have a properly configured computer account in the domain). The existing docs unhelpfully omit that requirement...
I've also seen this occur where the FQDN of the the host is not entered in both the command and the ansible hosts file.
Try something like:
inh-jnambood-dt.mcg.mentorg.com
HTH
I'm not using Ansible, but pywinrm directly. To get things working from a RHEL7 computer to a Windows 10 host in the domain, I changed # to / in the pywinrm code. I did this because I saw other software use HTTP/hostname and not HTTP#hostname when talking to Kerberos. Hope this is useful for somebody.
https://github.com/requests/requests-kerberos/pull/141/commits
We had this same error. For us, it was resolved by shortening the hostname to have less than 15 characters.