The Ansible engine does not really handle this directly; this is mostly up to the sudo become plugin.

While the connection plugins are the ones listening to output, they have hooks for the become plugins to match; in this case the output from sudo (prompting for a password) is matched by the sudo become plugin. When prompted, if it has a password, it passes it as input; if not, it raises an error that requires a password.

The default options we pass to sudo are -H -S -n (only the last 2 matter for this issue). While -S handles where sudo sends output/expects input (stdin), the -n tells it not to prompt ... EXCEPT if sudo itself determines the command needs a password. How does sudo determine this? By using `NOPASSWORD` on the command; it then prompts the user and sends the info to PAM for it to authenticate ... but PAM in this case does not require the password, as it finds the ssh key to be sufficient (but sudo has no idea about this), and that is how we get to the current behavior.

So if you have this setup you have a few workarounds:

- Configure sudo to not attempt using passwords (passwd_tries = 0); this might be an issue if this user tries to do any manual escalation w/o sshing in.
- The already mentioned junk become password.
- Modify/create a custom sudo become plugin to take a new option (ignore_password_prompt=false|true) to avoid raising the error.

----------
Brian Coca
