So I have been doing some RSA-key based two-factor authentication work recently, but have hit a stumbling block with Ansible. Has anyone ever done key based privilege escalation? Apparently just using the ssh connection option ForwardAgent=true is not quite the same as "ssh -A" when doing escalation.

For those not familiar with RSA key privilege escalation via sudo, this is a good link: https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740

Before I get advice to just use passwordless sudo: that is something I am looking for a way to avoid, as it generates a massive amount of paperwork in the federal FISMA high and med spaces that require MFA and expected MFA elevated privilege access.

Manually I am very successful with the RSA key:

    [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
    1 device has a firmware upgrade available. Run `fwupdmgr get-upgrades` for more information.
    Activate the web console with: systemctl enable --now cockpit.socket
    Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
    [user@kube ~]$ sudo whoami
    root
    [user@kube ~]$ exit
    logout

However Ansible is not making the same connections:

    [user@localhost vagrant-kube]$ ansible-playbook mvp.yml

    PLAY [all] ************************************************************************

    TASK [Gathering Facts] ************************************************************
    fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}

    PLAY RECAP ************************************************************************
    10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

I have tried several options, and assume it is going to end up being something in the SSH connection options to get this working beyond using "ForwardAgent=Yes".

--
Evan Hisey
[email protected]

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEcFzYwXnBnJdxb3uu0ty6GuEGrS1%2B_6ep%2BCAsucr14OnNE8rg%40mail.gmail.com.
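As an added example (not part of the post above, and not an answer to it), a small POSIX sh checklist that can be run on a target host, or against copies of its config files, to confirm the three prerequisites the pam_ssh_agent_auth sudo setup depends on: sudoers keeps SSH_AUTH_SOCK, /etc/pam.d/sudo consults pam_ssh_agent_auth, and the SSH session actually arrived with a forwarded agent socket. The file paths are the usual defaults and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the prerequisites for
# sudo authenticating against a forwarded ssh-agent via pam_ssh_agent_auth.
# Default paths (/etc/sudoers, /etc/pam.d/sudo) are assumptions; pass
# other paths as arguments to check copies of the files.

# sudo resets the environment unless env_keep lists SSH_AUTH_SOCK, so the
# PAM module cannot find the agent socket without this line.
sudoers_keeps_agent_sock() {
    # $1: path to a sudoers file or sudoers.d fragment
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=[[:space:]]*"?[^#]*SSH_AUTH_SOCK' "$1"
}

# Is pam_ssh_agent_auth part of sudo's auth stack?
pam_sudo_uses_agent() {
    # $1: path to the PAM service file for sudo
    grep -Eq '^[[:space:]]*auth[[:space:]]+(sufficient|required|\[[^]]*\])[[:space:]]+pam_ssh_agent_auth\.so' "$1"
}

# Did the session arrive with a forwarded agent? This is what "ssh -A" or
# ForwardAgent=yes provides on the remote side; it must be run in that session.
session_has_agent_socket() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]
}

# Run all checks, print what is missing, return 0 only when all pass.
check_sudo_agent_prereqs() {
    sudoers_file=${1:-/etc/sudoers}
    pam_file=${2:-/etc/pam.d/sudo}
    rc=0
    sudoers_keeps_agent_sock "$sudoers_file" \
        || { echo "missing: Defaults env_keep += \"SSH_AUTH_SOCK\" in $sudoers_file"; rc=1; }
    pam_sudo_uses_agent "$pam_file" \
        || { echo "missing: auth ... pam_ssh_agent_auth.so line in $pam_file"; rc=1; }
    session_has_agent_socket \
        || { echo "missing: SSH_AUTH_SOCK unset or not a socket (agent not forwarded?)"; rc=1; }
    return $rc
}
```

Reading /etc/sudoers normally requires root, so run the script with sudo or point it at copies of the files.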
