On Wed, Nov 13, 2019 at 04:07:33PM +0100, Hans-Christoph Steiner wrote:
> fatal: [managedserver.com]: UNREACHABLE! => {"changed": false, "msg": "Failed
> to connect to the host via ssh: Host key fingerprint is
> SHA256:ruzofPZnPu/YqpeQ4PwtCYi+ygiEOkUAAkXUpgdmgDQ\n+---[ECDSA
> 256]---+\n|@E+. |\n|o.= o |\n| o.+ |\n|...
> . . |\n|...o + .S. |\n|o.. . +.o |\n|+. o.+ .
> |\n|+... oo.+ Bo |\n|oo.o+++.oB+=+ |\n+----[SHA256]-----+",
> "unreachable": true}
>
> PLAY RECAP
> ***********************************************************************************************************
> managedserver.com : ok=0 changed=0 unreachable=1
> failed=0
>
> Looking at firejail --list, it is possible to see the full command line:
>
> 1142:hans::/usr/bin/firejail /usr/bin/ssh -C -o ControlMaster=auto -o
> ControlPersist=60s -o KbdInteractiveAuthentication=no -o
> PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o
> PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o
> ControlPath=/home/hans/.ansible/cp/95eb452bcd managedserver.com /bin/sh -c
> 'echo ~root && sleep 0'
>
> I tried adding this to /etc/firejail/ssh.local, but it didn't change anything:
>
> noblacklist ${HOME}/.ansible/cp

That won't have any effect, as I couldn't find a corresponding blacklist line
in /etc/firejail/ (unless you added it in one of your local profiles).

> A UNIX socket is opened up in that directory. Perhaps there is some
> restriction on UNIX domain sockets that I'm missing?

Unix sockets should be allowed for ssh ("protocol unix"). Running the above
command works when I try it with a server where I can log in.

Your error message looks interesting:

> "msg": "Failed to connect to the host via ssh: Host key fingerprint is
> SHA256:ruzofPZnP...

It sounds a bit like the confirmation prompt that comes when connecting to a
server the first time. Did you connect to the server already before? Or do you
have an ssh configuration that always prints the remote fingerprint and ansible
does not expect that output? It looks like it can actually reach the server (or
it would not print the fingerprint).

Regards,
Reiner
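
Added example, not part of the original message: a shell sketch of the local checks the reply points at, namely whether any firejail profile actually blacklists the path, whether the host key is already in known_hosts, and whether the effective ssh configuration prints the fingerprint (VisualHostKey). The function names and the `.ansible` path fragment are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). Function names are hypothetical.

# List "blacklist" rules under a firejail profile directory that mention a
# path fragment. No output means a matching "noblacklist" line is a no-op.
blacklist_rules_for() {    # $1 = profile dir, $2 = path fragment
    grep -rhE '^[[:space:]]*blacklist[[:space:]]' "$1" 2>/dev/null |
        grep -F -- "$2"
}

# Succeeds if the host already has an entry in the known_hosts file.
# ssh-keygen -F also matches hashed (HashKnownHosts) entries.
host_key_known() {         # $1 = host, $2 = known_hosts file
    ssh-keygen -F "$1" -f "$2" >/dev/null 2>&1
}

# Print the effective value of an ssh client option for a host, as resolved
# by "ssh -G" (parses configuration only, opens no connection).
effective_ssh_option() {   # $1 = host, $2 = option, $3 = optional config file
    if [ -n "$3" ]; then
        ssh -G -F "$3" "$1"
    else
        ssh -G "$1"
    fi 2>/dev/null | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# Run all checks for one host and print a short report.
diagnose() {               # $1 = host
    if [ -z "$(blacklist_rules_for /etc/firejail .ansible)" ]; then
        echo "firejail: no blacklist rule mentions .ansible"
    fi
    if host_key_known "$1" "$HOME/.ssh/known_hosts"; then
        echo "known_hosts: entry present for $1"
    else
        echo "known_hosts: no entry for $1 (first connection asks to confirm)"
    fi
    echo "VisualHostKey: $(effective_ssh_option "$1" visualhostkey)"
    echo "StrictHostKeyChecking: $(effective_ssh_option "$1" stricthostkeychecking)"
}
```

Call `diagnose managedserver.com` as the user that runs ansible, so the same ssh configuration and known_hosts file are read.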