Linux – Is the SSH SFTP subsystem required on the managed nodes for Ansible to work

ansiblelinuxsftpssh

When I run:

ansible all -a "/bin/echo hello" -u myuser

I get back:

mydomain.myhost.com | FAILED => failed to open a SFTP connection (Channel closed.)

The SFTP subsystem is disabled on the managed node I'm trying to connect to.

Is SFTP required on the managed nodes? The Ansible docs don't mention SFTP specifically: http://docs.ansible.com/intro_installation.html#managed-node-requirements

I tried setting this value in ansible.cfg:

scp_if_ssh=True

…but it had no effect. (Thanks to Fred the Magic Wonder Dog for the suggestion.)

I also ensured that my non-interactive shell doesn't produce any output as suggested here.

Best Answer

Yes, ansible depends on being able to transfer files to the remote machine. It uses sftp to do this by default. You can override this to use scp using

scp_if_ssh
Occasionally users may be managing a remote system that doesn’t have SFTP enabled. If set to True, we can cause scp to be used to transfer remote files instead:

scp_if_ssh=False
There’s really no reason to change this unless problems are encountered, and then there’s also no real drawback to managing the switch. Most environments support SFTP by default and this doesn’t usually need to be changed.

The above information was taken from this page:

http://docs.ansible.com/intro_configuration.html#openssh-specific-settings

Related Solutions

Ssh – How to disable sftp subsystem for a specific user or group

If you are using the SFTP SubSystem where it spawns a separate process, you could create a sftp group and only allow execution of the sftp-server binary for that group. It will not be possible to do this with the newer internalized sftp daemon, which is specified with internal-sftp.

If they have shell access, they will still be able to scp. Do you have a particular goal in mind?

Edit

If you want to restrict your user to only executing or utilizing a specific program, I would probably recommend a shell wrapper instead. command= might work but it seems more likely to be fallible. I would do more testing to be sure.

A shell wrapper, such as scponly, will only allow the end-user to scp. I have modified the source of scponly before to only allow CVS execution, for example. This can also be done with a shell script but it is easier to make mistakes if you do not fully understand the scope of what you are trying to do.

Ssh – How to disable sftp for some users, but keep ssh enabled

In general doing this is bad security practice for reasons that others have listed. However, the point of your assignment, I think, is to teach you that you can have conditional config sections based on various criteria.

The way to do this is using a Match conditional block*.

Match User bob
Subsystem   sftp  /bin/false

See sshd_config(5) under the Match section for more information, and matching on Group.

*There's more than one way to do it.

Best Answer

Related Solutions

Ssh – How to disable sftp subsystem for a specific user or group

Ssh – How to disable sftp for some users, but keep ssh enabled

Related Topic