Using ssh_extra_args does not solve the issue. There are already 2 other
methods of ensuring the ssh side of the house works. The core issue turns
out to be something of a known bug in ansible: ansible wants a password if
you are not using passwordless sudo. The article linked by Pierre
discovered it.

This was easy to confirm by simply adding the "ansible_become_pass" with a
garbage setting and it works; remove the variable and it fails. Not sure if
the ansible team is planning to address this or not.
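An inventory that applies the workaround described in this thread, written as an added example (not code from the thread or from the linked articles); the host address is the one from the session quoted below, and the user name and placeholder value are assumptions:

```yaml
# Added example: Ansible inventory for hosts where sudo is authenticated by
# pam_ssh_agent_auth over a forwarded ssh-agent instead of a password.
# Host address taken from the thread; user and group names are placeholders.
agent_sudo_hosts:
  hosts:
    10.0.0.18:
  vars:
    ansible_user: user
    # Forward the local agent so pam_ssh_agent_auth on the target can verify
    # the sudo request against the key loaded in ssh-agent (the "ssh -A"
    # behaviour the thread compares against). ansible_ssh_common_args is
    # used here because the thread reports ssh_extra_args alone did not help.
    ansible_ssh_common_args: "-o ForwardAgent=yes"
    ansible_become: true
    ansible_become_method: sudo
    # Without a become password Ansible aborts with "Missing sudo password"
    # before sudo ever runs. pam_ssh_agent_auth does not prompt, so this
    # placeholder is never consumed; it exists only to satisfy Ansible's check.
    ansible_become_pass: "PLACEHOLDER-NEVER-USED"
```

Scope the forwarding to this group rather than to `all`: a forwarded agent is reachable by root on every host it is forwarded to, so it should only be enabled for hosts that are trusted to receive it, and `ansible-playbook -vvv` will show the exact ssh command each connection uses.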

On Sun, Aug 20, 2023, 5:35 AM [email protected] <[email protected]> wrote:

> You can control what arguments Ansible uses to invoke the ssh binary with.
> See ssh_extra_args [1] for ways to set extra arguments. You can run Ansible
> with -vvv and it will show you the full ssh command being run on each
> connection.
>
> [1]
> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
>
> On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote:
>
>> Pierre-
>>  That was the missing bit. This is definitely an issue in Ansible that
>> probably needs to be addressed.
>>
>> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> I haven't tested this myself, but this article
>>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/>
>>> mentions that you'd need to set ansible_become_pass var somewhere with
>>> a potential dummy value. Give it a try !
>>>
>>> Le mercredi 16 août 2023 à 22:32:21 UTC+2, Evan Hisey a écrit :
>>>
>>>> So I have been doing some RSA-key-based two-factor authentication work
>>>> recently, but have hit a stumbling block with Ansible. Has anyone ever done
>>>> key based privilege escalation? Apparently just using the ssh connection
>>>> option ForwardAgent=true is not quite the same as "ssh -A" when doing
>>>> escalation.
>>>>
>>>> For those not familiar with rsa key privilege escalation via sudo this
>>>> is a good link:
>>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>>>
>>>> Before I get advice to just use passwordless sudo, that is something I
>>>> am looking for a way to avoid as it generates a massive amount of paperwork
>>>> in the federal FISMA high and med spaces that require MFA and expected MFA
>>>> elevated privilege access.
>>>>
>>>> Manually I am very successful with the RSA key:
>>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>>>> 1 device has a firmware upgrade available.
>>>> Run `fwupdmgr get-upgrades` for more information.
>>>> Activate the web console with: systemctl enable --now cockpit.socket
>>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>>>> [user@kube ~]$ sudo whoami
>>>> root
>>>> [user@kube ~]$ exit
>>>> logout
>>>>
>>>> However Ansible is not making the same connections:
>>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>>>> PLAY [all]
>>>> ***********************************************************************************************************************************************************
>>>> TASK [Gathering Facts]
>>>> ************************************************************************************************************************************************
>>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>>>> PLAY RECAP
>>>> ************************************************************************************************************************************************************
>>>> 10.0.0.18                  : ok=0    changed=0    unreachable=0
>>>>  failed=1    skipped=0    rescued=0    ignored=0
>>>>
>>>> I have tried several options, and assume it is going to end up being
>>>> something in the SSH connection options to get this working beyond using
>>>> "ForwardAgent=Yes".
>>>> --
>>>> Evan Hisey
>>>> [email protected]
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com
>>> <https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
