Using ssh_extra_args does not solve the issue. There is already 2 other methods of ensuring the ssh side of the house work. The core issue turns out to be something of a known bug in ansible , ansible wants a password if you are not using passwordless sudo. The article linked by Pierre discovered ot.
This was easy to confirm by simple adding the "ansible_become_pass" with a garbage setting and it works, remove variable and it fails. Not sure if the ansible team is planning to address this or not. On Sun, Aug 20, 2023, 5:35 AM [email protected] <[email protected]> wrote: > You can control what arguments Ansible uses to invoke the ssh binary with. > See ssh_extra_args [1] for ways to set extra arguments. You can run Ansible > with -vvv and it will show you the full ssh command being run on each > connection. > > [1] > https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html > > On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote: > >> Pierre- >> That was the missing bit. This is definitely an issue in Ansible that >> probably needs to be addressed. >> >> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]> >> wrote: >> >>> Hi, >>> >>> I haven't tested this myself, but this article >>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/> >>> mentions that you'd need to set ansible_become_pass var somewhere with >>> a potential dummy value. Give it a try ! >>> >>> Le mercredi 16 août 2023 à 22:32:21 UTC+2, Evan Hisey a écrit : >>> >>>> So I have been doing some rsa-key based to factor authentication work >>>> recently, but have hit a stumbling block with Ansible. Has anyone ever done >>>> key based privilege escalation? Apparently just use the ssh connection >>>> option ForwardAgent=true is not quite the same as "ssh -A" when doing >>>> escalation. >>>> >>>> For those not familiar with rsa key privilege escalation via sudo this >>>> is a good link: >>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740 >>>> >>>> Before I get advice to just use passwordless sudo, that is something I >>>> am looking for a way to avoid as it generates a massive amount of paperwork >>>> in the federal FISMA high and med spaces that require MFA and expected MFA >>>> elevated privilege access. >>>> >>>> Manually I am very successful with the RSA key >>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18 >>>> 1 device has a firmware upgrade available. >>>> Run `fwupdmgr get-upgrades` for more information. >>>> Activate the web console with: systemctl enable --now cockpit.socket >>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10 >>>> [user@kube ~]$ sudo whoami >>>> root >>>> [user@kube ~]$ exit >>>> logout >>>> >>>> However Ansible is not making the same connections: >>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml >>>> PLAY [all] >>>> *********************************************************************************************************************************************************** >>>> TASK [Gathering Facts] >>>> ************************************************************************************************************************************************ >>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"} >>>> PLAY RECAP >>>> ************************************************************************************************************************************************************ >>>> 10.0.0.18 : ok=0 changed=0 unreachable=0 >>>> failed=1 skipped=0 rescued=0 ignored=0 >>>> >>>> I have tried several options, and assume it is going to end up being >>>> something in the SSH connection options to get this working beyond using >>>> "ForwardAgent=Yes" >>>> -- >>>> Evan Hisey >>>> [email protected] >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Ansible Project" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com >>> <https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/399a21d3-3f82-4b8e-9ee6-ac95338fde2an%40googlegroups.com > <https://groups.google.com/d/msgid/ansible-project/399a21d3-3f82-4b8e-9ee6-ac95338fde2an%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEcFzYzGG70-bYF8Zh%3DJWR_AWMZLg-iaOTYRcYaFXZ7RQCOQtQ%40mail.gmail.com.
