Pierre- That was the missing bit. This is definitely an issue in Ansible that probably needs to be addressed.
On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]> wrote:
> Hi,
>
> I haven't tested this myself, but this article
> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/>
> mentions that you'd need to set the ansible_become_pass var somewhere with a
> potential dummy value. Give it a try!
>
> On Wednesday, August 16, 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
>
>> So I have been doing some RSA-key based two-factor authentication work
>> recently, but have hit a stumbling block with Ansible. Has anyone ever done
>> key based privilege escalation? Apparently just using the ssh connection
>> option ForwardAgent=true is not quite the same as "ssh -A" when doing
>> escalation.
>>
>> For those not familiar with RSA key privilege escalation via sudo, this is
>> a good link:
>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>
>> Before I get advice to just use passwordless sudo, that is something I am
>> looking for a way to avoid as it generates a massive amount of paperwork in
>> the federal FISMA high and med spaces that require MFA and expected MFA
>> elevated privilege access.
>>
>> Manually I am very successful with the RSA key:
>>
>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>> 1 device has a firmware upgrade available.
>> Run `fwupdmgr get-upgrades` for more information.
>> Activate the web console with: systemctl enable --now cockpit.socket
>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>> [user@kube ~]$ sudo whoami
>> root
>> [user@kube ~]$ exit
>> logout
>>
>> However Ansible is not making the same connections:
>>
>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>> PLAY [all] ********************************************************************
>> TASK [Gathering Facts] ********************************************************
>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>> PLAY RECAP ********************************************************************
>> 10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
>>
>> I have tried several options, and assume it is going to end up being
>> something in the SSH connection options to get this working beyond using
>> "ForwardAgent=Yes"
>> --
>> Evan Hisey
>> [email protected]
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEcFzYyA-YtJL2nRKiy7yieNwg79hKNMbhNA1cACbisJiT9ykA%40mail.gmail.com.
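As an added example (not code from the thread or from the linked articles), here is how the fix Pierre points to looks in a playbook: the SSH connection forwards the local agent, and ansible_become_pass is set to a placeholder so Ansible stops refusing to escalate with "Missing sudo password". The host list, the placeholder value and the two verification tasks are assumptions for illustration. It also assumes the remote side has already been set up as the linked blog describes, i.e. pam_ssh_agent_auth is enabled for sudo (typically a line such as `auth sufficient pam_ssh_agent_auth.so file=/etc/security/authorized_keys` in /etc/pam.d/sudo) and sudoers keeps the agent socket (`Defaults env_keep += "SSH_AUTH_SOCK"`); without that, sudo falls back to a real password prompt and the placeholder is simply rejected, which the final task makes visible instead of silently passing.

```yaml
# Added example, not from the thread: key-based sudo escalation over a
# forwarded SSH agent. Hosts, placeholder password and task names are assumed.
- name: Escalate with sudo backed by pam_ssh_agent_auth
  hosts: all
  become: true
  become_method: sudo
  vars:
    # Equivalent of "ssh -A": forward the local agent to the remote session so
    # pam_ssh_agent_auth on the target can challenge the key held in the agent.
    ansible_ssh_common_args: "-o ForwardAgent=yes"
    # Placeholder only. Ansible requires *some* become password to be present
    # before it will drive sudo; when the PAM module accepts the forwarded key,
    # sudo never prompts and this value is never used for authentication.
    ansible_become_pass: "placeholder-not-a-real-secret"
  tasks:
    - name: Check which identity sudo gave us
      ansible.builtin.command: whoami
      register: escalated
      changed_when: false

    - name: Confirm the agent socket survived sudo (needs env_keep on the target)
      ansible.builtin.command: sh -c 'test -S "$SSH_AUTH_SOCK"'
      register: agent_socket
      changed_when: false
      failed_when: false

    - name: Fail loudly if escalation did not happen or the agent was dropped
      ansible.builtin.assert:
        that:
          - escalated.stdout == "root"
          - agent_socket.rc == 0
        fail_msg: >-
          sudo did not escalate via the forwarded agent; verify pam_ssh_agent_auth
          in /etc/pam.d/sudo and 'Defaults env_keep += "SSH_AUTH_SOCK"' in sudoers.
```

Keeping the placeholder out of inventory files and setting it per run (for example with `-e ansible_become_pass=...` or a vault variable) avoids anyone mistaking it for a real credential later; the value only matters in that it must be non-empty.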
