You can control what arguments Ansible uses to invoke the ssh binary. 
See ssh_extra_args [1] for ways to set extra arguments. You can run Ansible 
with -vvv and it will show you the full ssh command being run on each 
connection.

[1] 
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html

On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote:

> Pierre-
>  That was the missing bit. This is definitely an issue in Ansible that 
> probably needs to be addressed.
>
> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]> 
> wrote:
>
>> Hi,
>>
>> I haven't tested this myself, but this article 
>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/> 
>> mentions that you'd need to set the ansible_become_pass var somewhere with a 
>> potential dummy value. Give it a try!
>>
>> On Wednesday, August 16, 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
>>
>>> So I have been doing some RSA-key-based two-factor authentication work 
>>> recently, but have hit a stumbling block with Ansible. Has anyone ever done 
>>> key-based privilege escalation? Apparently just using the ssh connection 
>>> option ForwardAgent=true is not quite the same as "ssh -A" when doing 
>>> escalation. 
>>>
>>> For those not familiar with rsa key privilege escalation via sudo this 
>>> is a good link: 
>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>>
>>> Before I get advice to just use passwordless sudo, that is something I 
>>> am looking for a way to avoid as it generates a massive amount of paperwork 
>>> in the federal FISMA high and med spaces that require MFA and expected MFA 
>>> elevated privilege access. 
>>>
>>> Manually I am very successful with the RSA key
>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>>> 1 device has a firmware upgrade available.
>>> Run `fwupdmgr get-upgrades` for more information.
>>> Activate the web console with: systemctl enable --now cockpit.socket
>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>>> [user@kube ~]$ sudo whoami
>>> root
>>> [user@kube ~]$ exit
>>> logout
>>>
>>> However Ansible is not making the same connections:
>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>>> PLAY [all] ***********************************************************************************************************************************************************
>>> TASK [Gathering Facts] ************************************************************************************************************************************************
>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>>> PLAY RECAP ************************************************************************************************************************************************************
>>> 10.0.0.18                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
>>>
>>> I have tried several options, and assume it is going to end up being 
>>> something in the SSH connection options to get this working beyond using 
>>> "ForwardAgent=Yes".
>>> -- 
>>> Evan Hisey
>>> [email protected]
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com.
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/399a21d3-3f82-4b8e-9ee6-ac95338fde2an%40googlegroups.com.
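The two pieces of advice in this thread (pass the agent-forwarding option through ssh_extra_args, and give ansible_become_pass a dummy value so Ansible stops refusing to escalate) can be combined in one inventory file. The following is an added example, not a file from the thread or from the Ansible project; the host address comes from Evan's transcript, while the user name, the group layout and the placeholder password string are assumptions.

```yaml
# inventory.yml (constructed example). Targets a host whose sudo is
# configured with pam_ssh_agent_auth, as in the linked articles.
all:
  hosts:
    10.0.0.18:                 # the managed host from the transcript
  vars:
    ansible_user: user         # assumed; matches the user@kube prompt above
    # Forward the control node's ssh-agent to the managed host so that
    # pam_ssh_agent_auth can challenge the key when sudo runs.
    # This is the inventory form of ssh_extra_args and is equivalent
    # to running `ssh -A` by hand.
    ansible_ssh_extra_args: "-o ForwardAgent=yes"
    ansible_become: true
    ansible_become_method: sudo
    # sudo never prompts when the agent challenge succeeds, but Ansible
    # still insists on having a become password before it will attempt
    # escalation ("Missing sudo password" otherwise). This placeholder
    # is not a secret and is only ever sent if sudo does fall back to a
    # password prompt, in which case authentication simply fails.
    ansible_become_pass: "agent-auth-placeholder"
```

To confirm the option actually reaches ssh, run a trivial task against this inventory with `-vvv` (for example `ansible all -i inventory.yml -m command -a whoami --become -vvv`) and check that the printed ssh command line contains `-o ForwardAgent=yes`; if it is missing, the variable is being overridden by an `ssh_args` or `ssh_extra_args` setting in ansible.cfg. Because agent forwarding lets root on the managed host use the forwarded socket for as long as the connection is open, load the key with `ssh-add -c` so every sudo challenge requires a local confirmation, and restrict the forwarding to the hosts that need it rather than setting it globally.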
