Hi, I haven't tested this myself, but this article <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/> mentions that you'd need to set the ansible_become_pass variable somewhere, possibly with a dummy value. Give it a try!
On Wednesday, 16 August 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
> So I have been doing some RSA-key-based two-factor authentication work
> recently, but have hit a stumbling block with Ansible. Has anyone ever done
> key-based privilege escalation? Apparently just using the ssh connection
> option ForwardAgent=true is not quite the same as "ssh -A" when doing
> escalation.
>
> For those not familiar with RSA key privilege escalation via sudo, this is
> a good link:
> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>
> Before I get advice to just use passwordless sudo, that is something I am
> looking for a way to avoid, as it generates a massive amount of paperwork in
> the federal FISMA high and med spaces that require MFA and expected MFA
> elevated privilege access.
>
> Manually I am very successful with the RSA key:
>
> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
> 1 device has a firmware upgrade available.
> Run `fwupdmgr get-upgrades` for more information.
> Activate the web console with: systemctl enable --now cockpit.socket
> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
> [user@kube ~]$ sudo whoami
> root
> [user@kube ~]$ exit
> logout
>
> However Ansible is not making the same connections:
>
> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>
> PLAY [all] *****
>
> TASK [Gathering Facts] *****
> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>
> PLAY RECAP *****
> 10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
>
> I have tried several options, and assume it is going to end up being
> something in the SSH connection options to get this working beyond using
> "ForwardAgent=Yes".
> --
> Evan Hisey
> [email protected]

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com.
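As an added example (not code from the thread or from either linked article), here is how the pieces discussed above fit together in Ansible's own YAML: a one-time bootstrap playbook that installs pam_ssh_agent_auth and wires it into /etc/pam.d/sudo and sudoers the way the byteschneiderei article describes, followed by a group_vars fragment carrying the agent-forwarding option from the original question and the dummy ansible_become_pass from the reply. The inventory group name `kube`, the package name, the key-file path, the public-key path and the dummy password value are all assumptions.

```yaml
# Added example; not from the thread or the linked articles.
# Assumptions: inventory group "kube"; Fedora/EPEL package name
# "pam_ssh_agent_auth" (Debian/Ubuntu ship it as libpam-ssh-agent-auth);
# the sudo key-file path; an ed25519 public key on the control node.
#
# --- bootstrap_pam_ssh_agent_auth.yml ---
# Run ONCE while password-based sudo still works:
#   ansible-playbook -K bootstrap_pam_ssh_agent_auth.yml
# Do this BEFORE adding ansible_become_pass to group_vars: an inventory
# variable outranks -K, so the dummy value would be sent instead.
- hosts: kube
  become: true
  vars:
    sudo_keys_file: /etc/ssh/sudo_authorized_keys            # assumed path
    admin_pubkey: "{{ lookup('file', lookup('env', 'HOME') + '/.ssh/id_ed25519.pub') }}"
  tasks:
    - name: Install the PAM module
      ansible.builtin.package:
        name: pam_ssh_agent_auth
        state: present

    # Keys listed here can authenticate sudo. The file must be root-owned and
    # not writable by ordinary users, otherwise anyone could append their own
    # key and become root.
    - name: Public keys allowed to authenticate sudo
      ansible.builtin.copy:
        content: "{{ admin_pubkey }}\n"
        dest: "{{ sudo_keys_file }}"
        owner: root
        group: root
        mode: "0644"

    # sudo scrubs the environment; without this the module never sees the
    # forwarded agent socket. visudo validates the drop-in before it lands.
    - name: Keep the forwarded agent socket across sudo
      ansible.builtin.copy:
        content: |
          Defaults env_keep += "SSH_AUTH_SOCK"
        dest: /etc/sudoers.d/ssh_agent_auth
        owner: root
        group: root
        mode: "0440"
        validate: "visudo -cf %s"

    # "sufficient" at the top: if the agent proves possession of a listed
    # key, auth succeeds; if not, the stack falls through to the password.
    - name: Try the agent before the password stack
      ansible.builtin.lineinfile:
        path: /etc/pam.d/sudo
        insertbefore: BOF
        line: "auth sufficient pam_ssh_agent_auth.so file={{ sudo_keys_file }}"

---
# --- group_vars/kube.yml --- (add after the bootstrap has run)
# Forward the local agent on every connection (start ssh-agent and
# `ssh-add` the key on the control node first).
ansible_ssh_common_args: "-o ForwardAgent=yes"
# With no become password set, the sudo become plugin runs sudo with its
# default flags "-H -S -n"; "-n" makes sudo answer "a password is required",
# which Ansible reports as "Missing sudo password". With any value set, the
# plugin drops "-n" and passes a "-p" prompt instead; sudo then runs the PAM
# stack, pam_ssh_agent_auth accepts the forwarded key, no prompt is ever
# printed, and the dummy value below is never sent.
ansible_become_pass: "not-a-real-password"
```

Once both are in place, `ansible kube -b -m ansible.builtin.command -a whoami` should return `root` with no password involved. Two caveats worth keeping in mind: agent forwarding lets anyone who already has root on the target use your agent for the life of the session, so forward only to hosts you trust and consider loading the key with `ssh-add -c` so each signature asks for confirmation; and the sudo key file is now a root-equivalent credential list, so treat edits to it the way you would treat edits to sudoers.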
