Not true. If you didn't give it a password and use rsa sudo it still asks for a password. Follow the article Pierre linked and you can reproduce the issue; I am using ansible 2.14. The only change between working and not working is setting a dummy password. I started with using the ssh args, which did not work.

On Sun, Aug 20, 2023, 4:08 PM [email protected] <[email protected]> wrote:

> ansible wants a password if you are not using passwordless sudo. The
> article linked by Pierre discovered it.
>
> Ansible only wants a password if it gets prompted by sudo for one; if
> there is no prompt there is no mandatory password. You can definitely use
> become sudo without a password normally and not have a password set.
>
> On Monday, August 21, 2023 at 12:19:26 AM UTC+10 Evan Hisey wrote:
>
>> Using ssh_extra_args does not solve the issue. There are already 2 other
>> methods of ensuring the ssh side of the house works. The core issue turns
>> out to be something of a known bug in ansible: ansible wants a password
>> if you are not using passwordless sudo. The article linked by Pierre
>> discovered it.
>>
>> This was easy to confirm by simply adding "ansible_become_pass" with
>> a garbage setting and it works; remove the variable and it fails. Not sure
>> if the ansible team is planning to address this or not.
>>
>> On Sun, Aug 20, 2023, 5:35 AM [email protected] <[email protected]> wrote:
>>
>>> You can control what arguments Ansible uses to invoke the ssh binary
>>> with. See ssh_extra_args [1] for ways to set extra arguments. You can run
>>> Ansible with -vvv and it will show you the full ssh command being run on
>>> each connection.
>>>
>>> [1] https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
>>>
>>> On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote:
>>>
>>>> Pierre-
>>>> That was the missing bit. This is definitely an issue in Ansible that
>>>> probably needs to be addressed.
>>>>
>>>> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I haven't tested this myself, but this article
>>>>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/>
>>>>> mentions that you'd need to set the ansible_become_pass var somewhere,
>>>>> with a potential dummy value. Give it a try!
>>>>>
>>>>> On Wednesday, August 16, 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
>>>>>
>>>>>> So I have been doing some rsa-key based two-factor authentication work
>>>>>> recently, but have hit a stumbling block with Ansible. Has anyone ever
>>>>>> done key based privilege escalation? Apparently just using the ssh
>>>>>> connection option ForwardAgent=true is not quite the same as "ssh -A"
>>>>>> when doing escalation.
>>>>>>
>>>>>> For those not familiar with rsa key privilege escalation via sudo,
>>>>>> this is a good link:
>>>>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>>>>>
>>>>>> Before I get advice to just use passwordless sudo: that is something
>>>>>> I am looking for a way to avoid, as it generates a massive amount of
>>>>>> paperwork in the federal FISMA high and med spaces that require MFA and
>>>>>> expect MFA for elevated privilege access.
>>>>>>
>>>>>> Manually I am very successful with the RSA key:
>>>>>>
>>>>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>>>>>> 1 device has a firmware upgrade available.
>>>>>> Run `fwupdmgr get-upgrades` for more information.
>>>>>> Activate the web console with: systemctl enable --now cockpit.socket
>>>>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>>>>>> [user@kube ~]$ sudo whoami
>>>>>> root
>>>>>> [user@kube ~]$ exit
>>>>>> logout
>>>>>>
>>>>>> However Ansible is not making the same connections:
>>>>>>
>>>>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>>>>>>
>>>>>> PLAY [all] ************************************************************
>>>>>>
>>>>>> TASK [Gathering Facts] ************************************************
>>>>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>>>>>>
>>>>>> PLAY RECAP ************************************************************
>>>>>> 10.0.0.18 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
>>>>>>
>>>>>> I have tried several options, and assume it is going to end up being
>>>>>> something in the SSH connection options to get this working beyond
>>>>>> using "ForwardAgent=Yes"
>>>>>> --
>>>>>> Evan Hisey
>>>>>> [email protected]

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAEcFzYz4k-fZs8MRvCSJX_XFbqW8ieb_rn_j92M64TUu8KC%3Dwg%40mail.gmail.com.
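As an added example, not code from any of the posters: an inventory group_vars file with the settings this thread converged on (agent forwarding plus a placeholder become password) and a short playbook that checks each step of the escalation path separately, so a failure is pinned to the ssh side or the sudo side. The group name, file names and the placeholder value are assumptions; the comment on why the placeholder helps reflects the default flags of Ansible's sudo become plugin.

```yaml
# inventory/group_vars/kube.yml   (group name is an assumption for this example)
# Forward the local ssh-agent so pam_ssh_agent_auth on the remote host can
# challenge the same key that opened the session (the "ssh -A" behaviour).
ansible_ssh_common_args: '-o ForwardAgent=yes'
ansible_become: true
ansible_become_method: sudo
# Placeholder, not a secret. Ansible's sudo become plugin runs
# `sudo -H -S -n ...` when no become password is set, and `-n` makes sudo
# refuse with "a password is required" before PAM (and so the agent
# challenge) ever runs. Any non-empty value drops `-n`; the value itself is
# only sent if sudo actually prints the password prompt, i.e. if the agent
# authentication failed.
ansible_become_pass: 'agent-auth-placeholder'

# check-escalation.yml   (file name is an assumption for this example)
- hosts: kube
  gather_facts: false
  tasks:
    - name: Agent socket must be present in the forwarded session
      ansible.builtin.command: ssh-add -l
      become: false
      register: agent_keys
      changed_when: false

    - name: sudo must succeed through the agent without a password prompt
      ansible.builtin.command: whoami
      become: true
      register: who
      changed_when: false

    - name: Confirm escalation reached root
      ansible.builtin.assert:
        that:
          - who.stdout == 'root'
        fail_msg: >-
          escalation failed; rerun with -vvv and confirm ForwardAgent=yes
          appears in the "SSH: EXEC ssh ..." line for this host
```

If the first task fails, the key never reached the remote host (agent forwarding); if only the second fails, the sudo/PAM side is at fault.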
