What I'm trying to say is that sudo is still writing the "password is 
required" message, which then causes Ansible to say the password is required. 
If sudo doesn't write this line then Ansible won't say it needs a password 
(ansible_become_pass).

Going backwards from the error we can see "Missing sudo password" is raised 
in the ssh connection plugin 
https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/connection/ssh.py#L1146-L1150
when the 'become_nopasswd_error' flag has been set.

The 'become_nopasswd_error' flag is set when the output line being 
processed is validated as missing through the become plugin's 
check_missing_password function 
https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/connection/ssh.py#L908-L910

The become plugin's check_missing_password function checks whether the 
processed line contains one of the known "missing password" responses 
https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/become/__init__.py#L104-L108.

These known "missing password" lines are "Sorry, a password is required to 
run sudo" or "sudo: a password is required" 
https://github.com/ansible/ansible/blob/390e508d27db7a51eece36bb6d9698b63a5b638a/lib/ansible/plugins/become/sudo.py#L90.

So ultimately the reason why you are seeing this error is that sudo is 
writing one of those 2 responses to the stdout/stderr of the ssh process 
and the become plugin is flagging that as meaning the password needs to be set. 
What should be investigated is why the sudo invocations done without the 
password are causing sudo to display this error vs why it accepts a dummy 
password, and also why it's working for an interactive command outside 
of Ansible vs the non-interactive command being run by Ansible when there 
is no password.

If you run with '-vvv' you can see the exact commands Ansible is running 
for each task, which will show both the ssh arguments as well as the sudo 
arguments being run on the ssh target. When you run with a set sudo 
password the '-p "[sudo via ansible, key=random] password:"' argument is 
going to be added to the sudo prompt, but I cannot see any other changes. 
Playing around with these commands gives you a way to try and replicate 
how Ansible runs things outside of Ansible itself, giving you more things to 
try yourself.
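
As an added example (not Ansible's own code and not from this thread), here is a small Python mirror of the per-line check described above: the two sudo responses are the ones quoted from sudo.py, the prompt regex assumes the '[sudo via ansible, key=...] password:' shape mentioned above, and the sample output chunks are constructed. Feeding it the stdout/stderr captured from a manual ssh + sudo run shows which of the three outcomes Ansible would reach for that output.

```python
import re

# The two sudo responses the thread quotes from the become plugin's
# "missing password" list (sudo.py).
MISSING_PASSWORD = (
    "Sorry, a password is required to run sudo",
    "sudo: a password is required",
)

# Assumed shape of the -p prompt used when a become password is set
# ("[sudo via ansible, key=random] password:"); the key charset is a guess.
PROMPT_RE = re.compile(rb"\[sudo via ansible, key=[^\]]+\] password:")


def check_missing_password(line: bytes) -> bool:
    """Mirror of the become plugin check: does this line match a known response?"""
    return any(text.encode() in line for text in MISSING_PASSWORD)


def process_sudo_output(chunks):
    """Scan raw stdout/stderr chunks from the ssh process line by line, the
    way the connection plugin does, and return the resulting flags."""
    flags = {"become_nopasswd_error": False, "prompt_seen": False}
    # Join chunks first so a prompt split across two reads is still matched.
    for line in b"".join(chunks).splitlines():
        if check_missing_password(line):
            flags["become_nopasswd_error"] = True
        if PROMPT_RE.search(line):
            flags["prompt_seen"] = True
    return flags


def outcome(flags):
    """Translate the flags into what Ansible would report or do next."""
    if flags["become_nopasswd_error"]:
        return "Missing sudo password"
    if flags["prompt_seen"]:
        return "prompt seen: ansible_become_pass would be written to sudo"
    return "no password interaction"


# Constructed samples of what the ssh process could hand back.
NO_PASS_SET = [b"sudo: a password is required\n"]
DUMMY_PASS_SET = [b"[sudo via ansible, key=abc1", b"23] password:", b"\nroot\n"]
AGENT_AUTH_OK = [b"root\n"]

if __name__ == "__main__":
    for name, sample in (("no become_pass", NO_PASS_SET),
                         ("dummy become_pass", DUMMY_PASS_SET),
                         ("agent auth accepted", AGENT_AUTH_OK)):
        print(f"{name}: {outcome(process_sudo_output(sample))}")
```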

On Monday, August 21, 2023 at 9:23:27 AM UTC+10 Evan Hisey wrote:

> Not true. If you didn't give it a password and use rsa sudo it still asks 
> for password. Follow the article Pierre linked and you can reproduce the 
> issue, I am using ansible 2.14. The only change between working and not 
> working is setting a dummy password. I started with using the ssh args 
> which did not work.
>
> On Sun, Aug 20, 2023, 4:08 PM [email protected] <[email protected]> wrote:
>
>> > ansible wants a password if you are not using passwordless sudo. The 
>> article linked by Pierre discovered it.
>>
>> Ansible only wants a password if it gets prompted by sudo for one, if 
>> there is no prompt there is no mandatory password. You can definitely use 
>> become sudo without a password normally and not have a password set.
>>
>> On Monday, August 21, 2023 at 12:19:26 AM UTC+10 Evan Hisey wrote:
>>
>>> Using ssh_extra_args does not solve the issue. There are already 2 other 
>>> methods of ensuring the ssh side of the house works. The core issue turns 
>>> out to be something of a known bug in ansible: ansible wants a password 
>>> if you are not using passwordless sudo. The article linked by Pierre 
>>> discovered it.
>>>
>>> This was easy to confirm by simply adding the "ansible_become_pass" with 
>>> a garbage setting and it works; remove the variable and it fails. Not sure if 
>>> the ansible team is planning to address this or not. 
>>>
>>> On Sun, Aug 20, 2023, 5:35 AM [email protected] <[email protected]> 
>>> wrote:
>>>
>>>> You can control what arguments Ansible uses to invoke the ssh binary 
>>>> with. See ssh_extra_args [1] for ways to set extra arguments. You can run 
>>>> Ansible with -vvv and it will show you the full ssh command being run on 
>>>> each connection.
>>>>
>>>> [1] 
>>>> https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
>>>>
>>>> On Sunday, August 20, 2023 at 11:38:46 AM UTC+10 Evan Hisey wrote:
>>>>
>>>>> Pierre-
>>>>>  That was the missing bit. This is definitely an issue in Ansible that 
>>>>> probably needs to be addressed.
>>>>>
>>>>> On Sat, Aug 19, 2023 at 12:32 PM Pierre TOURON <[email protected]> 
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I haven't tested this myself, but this article 
>>>>>> <https://jpmens.net/2021/11/21/pam-ssh-agent-authentication-with-ansible/>
>>>>>> mentions that you'd need to set the ansible_become_pass var somewhere 
>>>>>> with a potential dummy value. Give it a try!
>>>>>>
>>>>>> On Wednesday, August 16, 2023 at 22:32:21 UTC+2, Evan Hisey wrote:
>>>>>>
>>>>>>> So I have been doing some rsa-key based two factor authentication 
>>>>>>> work recently, but have hit a stumbling block with Ansible. Has anyone 
>>>>>>> ever done key based privilege escalation? Apparently just using the ssh 
>>>>>>> connection option ForwardAgent=true is not quite the same as "ssh -A" 
>>>>>>> when doing escalation. 
>>>>>>>
>>>>>>> For those not familiar with rsa key privilege escalation via sudo 
>>>>>>> this is a good link: 
>>>>>>> https://blog.byteschneiderei.com/setting-up-pam-ssh-agent-auth-for-sudo-login-7135330eb740
>>>>>>>
>>>>>>> Before I get advice to just use passwordless sudo, that is something 
>>>>>>> I am looking for a way to avoid as it generates a massive amount of 
>>>>>>> paperwork in the federal FISMA high and med spaces that require MFA and 
>>>>>>> expected MFA elevated privilege access. 
>>>>>>>
>>>>>>> Manually I am very successful with the RSA key
>>>>>>> [user@localhost vagrant-kube]$ ssh -A 10.0.0.18
>>>>>>> 1 device has a firmware upgrade available.
>>>>>>> Run `fwupdmgr get-upgrades` for more information.
>>>>>>> Activate the web console with: systemctl enable --now cockpit.socket
>>>>>>> Last login: Wed Aug 16 14:07:25 2023 from 10.0.0.10
>>>>>>> [user@kube ~]$ sudo whoami
>>>>>>> root
>>>>>>> [user@kube ~]$ exit
>>>>>>> logout
>>>>>>>
>>>>>>> However Ansible is not making the same connections:
>>>>>>> [user@localhost vagrant-kube]$ ansible-playbook mvp.yml
>>>>>>> PLAY [all] 
>>>>>>> ***********************************************************************************************************************************************************
>>>>>>> TASK [Gathering Facts] 
>>>>>>> ************************************************************************************************************************************************
>>>>>>> fatal: [10.0.0.18]: FAILED! => {"msg": "Missing sudo password"}
>>>>>>> PLAY RECAP 
>>>>>>> ************************************************************************************************************************************************************
>>>>>>> 10.0.0.18                  : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
>>>>>>>
>>>>>>> I have tried several options, and assume it is going to end up being 
>>>>>>> something in the SSH connection options to get this working beyond 
>>>>>>> using "ForwardAgent=Yes"
>>>>>>> -- 
>>>>>>> Evan Hisey
>>>>>>> [email protected]
>>>>>>>
>>>>>> -- 
>>>>>> You received this message because you are subscribed to the Google 
>>>>>> Groups "Ansible Project" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, 
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit 
>>>>>> https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com
>>>>>>  
>>>>>> <https://groups.google.com/d/msgid/ansible-project/f33933bd-80d4-4594-a226-5556afdac7f8n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
