Package: firejail-profiles
Version: 0.9.60-2
Severity: normal

Dear Maintainer,

ansible is a configuration management tool for running lots of servers.  The 
standard way it works is connecting to all the servers via ssh.  If ssh is 
firejailed, then it fails to connect:

$ ansible-playbook -v -i managedserver.com, provision.yml
Using /home/hans/code/fdroid/fdroid-bootstrap-buildserver/ansible.cfg as config file

PLAY [all] ***********************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************


fatal: [managedserver.com]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Host key fingerprint is SHA256:ruzofPZnPu/YqpeQ4PwtCYi+ygiEOkUAAkXUpgdmgDQ\n+---[ECDSA 256]---+\n|@E+.             |\n|o.= o            |\n| o.+             |\n|... . .          |\n|...o + .S.       |\n|o.. . +.o        |\n|+.     o.+ .     |\n|+... oo.+ Bo     |\n|oo.o+++.oB+=+    |\n+----[SHA256]-----+", "unreachable": true}

PLAY RECAP ***********************************************************************************************************
managedserver.com                : ok=0    changed=0    unreachable=1    failed=0



Looking at firejail --list, it is possible to see the full command line:

1142:hans::/usr/bin/firejail /usr/bin/ssh -C -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/home/hans/.ansible/cp/95eb452bcd managedserver.com /bin/sh -c 'echo ~root && sleep 0'

I tried adding this to /etc/firejail/ssh.local, but it didn't change anything:

noblacklist ${HOME}/.ansible/cp


A UNIX socket is opened up in that directory.  Perhaps there is some 
restriction on UNIX domain sockets that I'm missing?



-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates'), (100, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail-profiles depends on:
ii  firejail  0.9.60-2

firejail-profiles recommends no packages.

firejail-profiles suggests no packages.

-- no debconf information
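An added diagnostic for the report above, not code from the reporter or from the firejail project: it pulls the ControlPath out of a `firejail --list` line like the one quoted and probes whether the socket directory is writable from inside the ssh sandbox. It assumes firejail is installed, that the profile including ssh.local is /etc/firejail/ssh.profile, and that firejail returns the sandboxed command's exit status.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the bug report). Extracts the ssh
# ControlPath from a `firejail --list` line and checks whether the directory
# holding that ControlMaster socket is writable inside the ssh profile.
# Assumptions: firejail is installed; the profile path is
# /etc/firejail/ssh.profile; firejail propagates the child's exit status.

# Constructed sample, abbreviated from the `firejail --list` line in the report.
SAMPLE="1142:hans::/usr/bin/firejail /usr/bin/ssh -C -o ControlMaster=auto -o ControlPath=/home/hans/.ansible/cp/95eb452bcd managedserver.com /bin/sh -c 'echo ~root && sleep 0'"

# control_path_dir LINE: print the directory of the -o ControlPath= socket.
# Returns 1 when the command line carries no ControlPath option.
control_path_dir() {
    _cp=$(printf '%s\n' "$1" | sed -n 's/.*-o ControlPath=\([^ ]*\).*/\1/p')
    [ -n "$_cp" ] || return 1
    dirname "$_cp"
}

# sandbox_can_write DIR: run `test -w DIR` under the ssh profile.
# 0 = writable inside the sandbox, 1 = not writable or not visible,
# 2 = firejail is not available on this host.
sandbox_can_write() {
    command -v firejail >/dev/null 2>&1 || return 2
    firejail --quiet --profile=/etc/firejail/ssh.profile /bin/sh -c "test -w '$1'"
}

# Compare the host view with the sandbox view of the socket directory.
probe_socket_dir() {
    dir=$(control_path_dir "$1") || { echo "no ControlPath in command line"; return 1; }
    if [ -w "$dir" ]; then echo "host: $dir writable"; else echo "host: $dir not writable"; fi
    sandbox_can_write "$dir"
    case $? in
        0) echo "sandbox: $dir writable" ;;
        2) echo "sandbox: firejail not installed, probe skipped" ;;
        *) echo "sandbox: $dir NOT writable (profile hides it or mounts it read-only)" ;;
    esac
}

# Set RUN_PROBE=1 to run the probe against the sample line.
if [ "${RUN_PROBE:-0}" = 1 ]; then probe_socket_dir "$SAMPLE"; fi
```

A failing sandbox probe points at the profile rather than at UNIX sockets themselves: noblacklist only cancels blacklist rules, so a directory hidden by a whitelist or private rule stays inaccessible with that line alone.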
