This question already has an answer here: How can a user with SSH keys authentication have sudo powers in Ansible? [duplicate] (1 answer)
quick question
I have set up an Ubuntu server with a user named test. I copied the authorized_keys to it, and I can ssh with no problem.
If I do `$ ansible -m ping ubu1`, no problem, I get a response:

```
ubu1 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
```
What I don't get is this. If I do `$ ansible-playbook -vvvv Playbooks/htopInstall.yml`:

```
fatal: [ubu1]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_name": "setup"}, "module_stderr": "OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips 1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 6109\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to 192.168.1.112 closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false}
```
If I do `$ ansible-playbook --ask-sudo-pass Playbooks/htopInstall.yml`, then it asks for my user password and the play is a success.
If I rename the authorized_keys, it tells me "Failed to connect to the host via ssh.", which is ok.
What I don't understand is why it is asking for a sudo password. I definitely missed something along the way.
My ansible.cfg file looks like this:

```ini
[defaults]
nocows = 1
inventory = ./Playbooks/hosts
remote_user = test
private_key_file = /home/test/.ssh/id_ubu
host_key_checking = false
```
My hosts file looks like this:

```ini
[servers]
ubu1 ansible_ssh_host=192.168.1.112 ansible_ssh_user=test
```
> What I don't understand is why it is asking for a sudo password.

We can't say for certain without seeing your playbook, but it's almost certainly because a) your playbook asks Ansible to run a particular command with sudo (via the `sudo` or `become` directives) and b) the `test` user does not have password-less sudo enabled.
It sounds like you are aware of (a) but are confused about (b); specifically, what I'm picking up is that you don't understand the difference between ssh authentication and sudo authentication. Again, without more information I can't confirm if this is the case, but I'll take a stab at explaining it in case I guessed correctly.
When you connect to a machine via ssh, there are two primary ways in which sshd authenticates you and allows you to log in as a particular user. The first is to ask for the account's password, which it hands off to the system, and allows a login if it was correct. The second is through public-key cryptography, in which you prove that you have access to a private key that corresponds to a public key fingerprint in `~/.ssh/authorized_keys`. Passing sshd's authentication checks gives you a shell on the machine.
When you invoke a command with `sudo`, you're asking `sudo` to elevate your privileges beyond what the account normally gets. This is an entirely different system, with rules defined in `/etc/sudoers` (which you should edit using `sudo visudo`) that control which users are allowed to use sudo, what commands they should be able to run, whether they need to re-enter their password or not when using the command, and a variety of other configuration options.
When you run the playbook normally, Ansible is presented with a sudo prompt and doesn't know how to continue - it doesn't know the account password. That's why `--ask-sudo-pass` exists: you're giving the password to Ansible so that it can pass it on to sudo when prompted. If you don't want to have to type this every time and you've decided it's within your security parameters to allow anyone logged in as the `test` user to perform any action as root, then you can consult `man sudoers` on how to set passwordless sudo for that account.
I solved this exact error (`sudo: a password is required\n`), which I got when running my playbook with `become: true` but somewhere in a task delegating to localhost, something like this:

```yaml
# Task that runs on the controller instead of the remote host
- uri:
    url: "{{ some_url }}"
    return_content: yes
    status_code: 200
  delegate_to: 127.0.0.1
```
If I understood correctly, the `become: true` causes Ansible to log into the remote host as my user and then use `sudo` in order to execute all commands on the remote host as `root`. Now when delegating to `127.0.0.1`, `sudo` is also executed, and as it happens, on my localhost a password is expected when using `sudo`.
For me the solution was simply to remove the `delegate_to`, which was not actually needed in that particular use case.