> ansible wants a password if you are not using passwordless sudo. The article linked by Pierre discovered it.

Ansible only wants a password if it gets prompted by sudo for one; if there is no prompt there is no mandatory password. You can definitely use become sudo without a password normally and not have a password set.

On Monday, August 21, 2023 at 12:19:26 AM UTC+10 Evan Hisey wrote:

> Using ssh_extra_args does not solve the issue. There are already 2 other
> methods of ensuring the ssh side of the house works. The core issue turns
> out to be something of a known bug in ansible: ansible wants a password if
> you are not using passwordless sudo. The article linked by Pierre discovered it.
>
> This was easy to confirm by simply adding the "ansible_become_pass" with a
> garbage setting and it works; remove the variable and it fails. Not sure if the
> ansible team is planning to address this or not.
>
> On Sun, Aug 20, 2023, 5:35 AM [email protected] <[email protected]> wrote:
>
>> You can control what arguments Ansible uses to invoke the ssh binary
>> with. See ssh_extra_args [1] for ways to set extra arguments. You can run
>> Ansible with -vvv and it will show you the full ssh command being run on
>> each connection.
>>
>> [1] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
>>
>> On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote:
>>
>>> Pierre-
>>> That was the missing bit. This is definitely an issue in Ansible that
>>> probably needs to be addressed.
>>>
>>> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I haven't tested this myself, but this article
>>>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/>
>>>> mentions that you'd need to set the ansible_become_pass var somewhere with
>>>> a potential dummy value. Give it a try!
>>>>
>>>> On Wednesday, August 16, 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
>>>>
>>>>> So I have been doing some RSA-key-based two-factor authentication work
>>>>> recently, but have hit a stumbling block with Ansible. Has anyone ever done
>>>>> key-based privilege escalation? Apparently just using the ssh connection
>>>>> option ForwardAgent=true is not quite the same as "ssh -A" when doing
>>>>> escalation.
>>>>>
>>>>> For those not familiar with RSA key privilege escalation via sudo this
>>>>> is a good link:
>>>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>>>>
>>>>> Before I get advice to just use passwordless sudo, that is something I
>>>>> am looking for a way to avoid as it generates a massive amount of paperwork
>>>>> in the federal FISMA high and med spaces that require MFA and expect
>>>>> MFA for elevated privilege access.
>>>>>
>>>>> Manually I am very successful with the RSA key:
>>>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>>>>> 1 device has a firmware upgrade available.
>>>>> Run `fwupdmgr get-upgrades` for more information.
>>>>> Activate the web console with: systemctl enable --now cockpit.socket
>>>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>>>>> [user@kube ~]$ sudo whoami
>>>>> root
>>>>> [user@kube ~]$ exit
>>>>> logout
>>>>>
>>>>> However Ansible is not making the same connections:
>>>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>>>>> PLAY [all] ****************************************************************
>>>>> TASK [Gathering Facts] ****************************************************
>>>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>>>>> PLAY RECAP ****************************************************************
>>>>> 10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
>>>>>
>>>>> I have tried several options, and assume it is going to end up being
>>>>> something in the SSH connection options to get this working beyond using
>>>>> "ForwardAgent=Yes"
>>>>> --
>>>>> Evan Hisey
>>>>> [email protected]

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/2a218fb1-15be-4fcb-8a82-bd65eeecd2f5n%40googlegroups.com.
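The thread never spells out the mechanism behind "Missing sudo password" and the dummy-password workaround. The following is an added model, not code from the thread and not Ansible's own code: it reproduces the relevant behaviour of the ansible.builtin.sudo become plugin (default become_flags of "-H -S -n"; "-n" removed and a unique "-p" prompt added only when a become password is set; the "a password is required" strings it treats as a missing password) together with a toy target-side sudo whose PAM stack is pam_ssh_agent_auth followed by pam_unix. The sudo non-interactive semantics in toy_sudo (sudo -n disables the interactive PAM authentication, so the agent is never consulted) and the exact marker strings are assumptions to check against the installed ansible/plugins/become/sudo.py and sudo version.

```python
"""Model of why Ansible reports "Missing sudo password" against a host whose
sudo authenticates with pam_ssh_agent_auth, and why a dummy ansible_become_pass
makes the play work.

Added illustration, not Ansible's code. Flag handling is modelled on the
ansible.builtin.sudo become plugin; toy_sudo models sudo's -n behaviour.
Both are assumptions to verify against the versions actually deployed.
"""
import shlex
import uuid

DEFAULT_BECOME_FLAGS = "-H -S -n"  # ansible.builtin.sudo default become_flags

# Output markers the sudo become plugin matches (assumed from sudo.py)
MISSING = ("Sorry, a password is required to run sudo",
           "sudo: a password is required")
FAIL = ("Sorry, try again.",)


def build_sudo_command(cmd, become_pass=None, become_user="root",
                       flags=DEFAULT_BECOME_FLAGS):
    """Return (sudo command line, prompt) the way the become plugin builds it.

    No become_pass: '-n' survives, so sudo runs non-interactively.
    Any become_pass (even a dummy): '-n' is stripped and a unique '-p' prompt
    is added so Ansible can recognise a genuine password prompt later.
    """
    prompt = ""
    if become_pass:
        prompt = "[sudo via ansible, key=%s] password:" % uuid.uuid4().hex
        flags = flags.replace("-n", "")
        flags = "%s -p %s" % (flags.strip(), shlex.quote(prompt))
    return "sudo %s -u %s %s" % (flags.strip(), become_user, cmd), prompt


def classify_sudo_output(output, prompt):
    """Classify sudo's output the way the ssh connection plugin reacts to it."""
    if prompt and prompt in output:
        return "password_prompt"    # Ansible would write become_pass to stdin
    if any(m in output for m in MISSING):
        return "missing_password"   # surfaces as: FAILED! "Missing sudo password"
    if any(f in output for f in FAIL):
        return "bad_password"       # the dummy value reached pam_unix and failed
    return "ok"


def toy_sudo(command, agent_key_trusted):
    """Toy target-side sudo: PAM stack is pam_ssh_agent_auth, then pam_unix.

    Assumption about sudo: with -n it refuses any authentication that could
    prompt, so the PAM stack (and thus the forwarded agent) is never used.
    """
    argv = shlex.split(command)
    if "-n" in argv:
        return "sudo: a password is required"
    if agent_key_trusted:            # pam_ssh_agent_auth succeeds via SSH_AUTH_SOCK
        return ""                    # command runs; nothing to match
    # Agent key not trusted: fall through to pam_unix, which prompts
    return argv[argv.index("-p") + 1] if "-p" in argv else "[sudo] password for user:"


def run(become_pass, agent_key_trusted=True):
    """Outcome Ansible would see for a given ansible_become_pass setting."""
    cmd, prompt = build_sudo_command("/bin/sh -c 'echo hi'", become_pass)
    return classify_sudo_output(toy_sudo(cmd, agent_key_trusted), prompt)


if __name__ == "__main__":
    for pw in (None, "dummy"):
        print("ansible_become_pass=%r -> %s" % (pw, run(pw)))
        print("   ", build_sudo_command("/bin/sh -c 'echo hi'", pw)[0])
```

Two points follow from the model that are worth keeping in mind when using the dummy-password workaround. First, the dummy value is only ever written to sudo's stdin if a real password prompt appears, which happens when pam_ssh_agent_auth rejects the forwarded key and the stack falls through to pam_unix; use a value that is not a real credential anywhere. Second, the workaround only removes "-n" on the control side; on the target, pam_ssh_agent_auth still needs the agent socket to survive sudo's environment scrubbing (a sudoers line of the form `Defaults env_keep += "SSH_AUTH_SOCK"`) and the ssh connection still needs agent forwarding, for example via `ansible_ssh_common_args: "-o ForwardAgent=yes"`. Running with -vvv, as suggested in the thread, shows the exact sudo command line and lets you confirm whether "-n" is present.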
