Ansible with Github: Permission denied (Publickey)

Published 2019-05-03 11:19

Question:

I'm trying to understand the GitHub ssh configuration with Ansible (I'm working on the Ansible: Up & Running book). I'm running into two issues.

Permission denied (publickey) - When I first ran the ansible-playbook mezzanine.yml playbook, I got a permission denied:

failed: [web] => {"cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "rc": 128}
stderr: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

msg: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

FATAL: all hosts have already failed -- aborting

Ok, fair enough, I see several people have had this problem. So I jumped to appendix A on running Git with SSH and it said to run the ssh-agent and add the id_rsa public key:

eval `ssh-agent -s`
ssh-add ~/.ssh/id_rsa

Output: Identity Added

I ran ssh-agent -l to check and got the long string: 2048 e3:fb:... But I got the same output. So I checked the Github docs on ssh key generation and troubleshooting, which recommended updating the ssh config file on my host machine:

Host github.com
    User git
    Port 22
    Hostname github.com
    IdentityFile ~/.ssh/id_rsa
    TCPKeepAlive yes
    IdentitiesOnly yes

But this still provides the same error. So at this point, I start thinking it's my rsa file, which leads me to my second problem.

Key Generation Issues - I tried to generate an additional cert to use, because the Github test threw another "Permission denied (publickey)" error.

Warning: Permanently added the RSA host key for IP address '192.30.252.131' to the list of known hosts.
Permission denied (publickey).

I followed the Github instructions from scratch and generated a new key with a different name.

ssh-keygen -t rsa -b 4096 -C "me@example.com"

I didn't enter a passphrase and saved it to the .ssh folder with the name git_rsa.pub. I ran the same test and got the following:

$ ssh -i ~/.ssh/git_rsa.pub -T git@github.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/Users/antonioalaniz1/.ssh/git_rsa.pub' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: ~/.ssh/github_rsa.pub
Permission denied (publickey).

I checked on the permissions and did a chmod 700 on the file, and I still get Permission denied (publickey). I even attempted to enter the key into my Github account, but first got a message that the key file needs to start with ssh-rsa. So I started researching and hacking. I started with just entering the long string in the file (it started with --BEGIN PRIVATE KEY--, but I omitted that part after it failed); however, Github's not accepting it, saying it's invalid.

This is my Ansible command in the YAML file:

- name: check out the repository on the host
  git: repo={{ repo_url }} dest={{ proj_path }} accept_hostkey=yes

  vars:
    repo_url: git@github.com:lorin/mezzanine-example.git

This is my ansible.cfg file with ForwardAgent configured:

[defaults]
hostfile = hosts
remote_user = vagrant
private_key_file = .vagrant/machines/default/virtualbox/private_key
host_key_checking = False

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes

The box is an Ubuntu Trusty64 using Mac OS. If anyone could clue me into the file permissions and/or Github key generation, I would appreciate it.

Answer 1:

I suspect the key permissions issue is because you are passing the public key instead of the private key as the argument to "ssh -i". Try this instead:

ssh -i ~/.ssh/git_rsa -T git@github.com

(Note that it's git_rsa and not git_rsa.pub).

If that works, then make sure it's in your ssh-agent. To add:

ssh-add ~/.ssh/git_rsa

To verify:

ssh-add -l

Then check that Ansible respects agent forwarding by doing:

ansible web -a "ssh-add -l"

Finally, check that you can reach GitHub via ssh by doing:

ansible web -a "ssh -T git@github.com"

You should see something like:

web | FAILED | rc=1 >>
Hi lorin! You've successfully authenticated, but GitHub does not provide shell access.
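A preflight check that catches the two mistakes in the question (pointing ssh -i at the .pub file, and a private key left group/other readable) before the key is handed to ssh or ssh-add. This is an added example, not code from the answer above; the function name check_ssh_identity and the file contents used in the usage note are constructed.

```shell
#!/bin/sh
# check_ssh_identity PATH
# PATH may be the private key or its .pub; exit 0 only when the private key
# exists, is mode 0600-style (no group/other bits) and both files look right.
check_ssh_identity() {
    key="${1%.pub}"        # strip a trailing .pub so we always inspect the private key
    pub="$key.pub"
    status=0

    if [ "$1" != "$key" ]; then
        echo "warn: '$1' is the PUBLIC key; ssh -i and ssh-add need the private key '$key'"
    fi

    if [ ! -f "$key" ]; then
        echo "fail: private key '$key' not found"
        return 1
    fi

    # ssh ignores a private key with any group/other permission bits set.
    # Columns 5-10 of `ls -ld` are the group and other rwx fields.
    perm=$(ls -ld "$key" | cut -c5-10)
    if [ "$perm" != "------" ]; then
        echo "fail: '$key' is group/other accessible (fix: chmod 600 '$key')"
        status=1
    fi

    # A private key file is PEM-framed ("-----BEGIN ... PRIVATE KEY-----").
    if ! head -n 1 "$key" | grep -q '^-----BEGIN .*PRIVATE KEY-----$'; then
        echo "fail: '$key' does not look like a private key"
        status=1
    fi

    # The public key (the text pasted into GitHub) starts with the key type.
    if [ -f "$pub" ]; then
        if ! head -n 1 "$pub" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) '; then
            echo "fail: '$pub' does not start with an SSH key type (ssh-rsa, ssh-ed25519, ...)"
            status=1
        fi
    else
        echo "warn: no public key '$pub' beside the private key"
    fi

    [ "$status" -eq 0 ] && echo "ok: $key"
    return "$status"
}
```

Run it as `check_ssh_identity ~/.ssh/git_rsa` (or with the .pub path) before `ssh-add`; a non-zero exit means ssh would have rejected or ignored the key.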

Answer 2:

I had the same problem, it took me some time, but I have found the solution.

The problem is the URL is incorrect.

Just try to change it to:

repo_url: git://github.com/lorin/mezzanine-example.git

Answer 3:

I ran into this issue and discovered it by turning verbosity up on the ansible commands (very very useful for debugging).

Unfortunately, ssh often throws error messages that don't quite lead you in the right direction (aka permission denied is very generic...though to be fair that is often thrown when there is a file permission issue so perhaps not quite so generic). Anyways, running the ansible test command with verbose on helps recreate the issue as well as verify when it is solved.

ansible -vvv all -a "ssh -T git@github.com"

Again, the setup I use (and a typical one) is to load your ssh key into the agent on the control machine and enable forwarding.

Steps are found here: Github's helpful ssh docs.

It also stuck out to me that when I ssh'd to the box itself via the vagrant command and ran the test, it succeeded. So I had narrowed it down to how ansible was forwarding the connection. For me, what eventually worked was setting

[paramiko_connection]
record_host_keys = False

in addition to the other config that controls host key verification, host_key_checking = False,

which essentially adds

-o StrictHostKeyChecking=no

to the ssh args for you, and

-o UserKnownHostsFile=/dev/null

was added to the ssh args as well.

Found here: Ansible issue 9442.

Again, this was on vagrant VMs; more careful consideration around host key verification should be taken on actual servers.

Hope this helps