SSH – Ansible – wrong passphrase – even though it has to be correct

Tags: ansible, passphrase, ssh, ssh-keys

I am running Ansible modules/playbooks (for example ping) with this command, as a user who has sudo rights:

sudo ansible -m ping hosts

"hosts" is a group of 2 hosts. When I run this, I'm asked for the local sudo password, which is fine. Then I'm asked for sudo on the remote host (because I configured that in ansible.cfg), which is also fine. Then I have to enter the passphrases for both hosts, and this is where I have a problem. I am asked literally like this, on one line:

Enter passphrase for key '/home/myuser/.ssh/id_rsa':Enter passphrase for key '/home/myuser/.ssh/id_rsa':

so I just enter my passphrase absolutely correctly (copied from KeePass) and press enter. And I am asked for the passphrase again, now only once:

Enter passphrase for key '/home/myuser/.ssh/id_rsa':

So I enter it again... and I am asked again, and so on, until ssh dies and the hosts are unreachable.
The weird thing is that sometimes I can make it work just by pressing "enter" on the first try, then entering the passphrase, and the second host suddenly works. When I run it one more time I am asked for the passphrase just once (for the host that failed before); I enter the passphrase and now it's working... I'm like, what the hell?

Is this a bug in Ansible, or am I doing something wrong? If I just ssh to my hosts it works absolutely fine.
I tried running my Ansible commands with multiple verbosity levels and didn't find anything wrong there. Any ideas?

Best Answer

First, you don't need sudo locally to run that command. So save yourself sudo'ing locally for no reason.

Next, you don't need a password to ping target. This will suffice:

$ ansible all -i /tmp/hosts2ping -m ping

...where hosts2ping contains your list of hosts.

If you're doing something on remote that needs you to login as non-root, then you'll need to specify -k (or add 'ask_pass = True' to ~/ansible.cfg):

$ ansible all -i /tmp/hosts2ping -a id -k
SSH password: <enter password>
10.1.2.3 | SUCCESS | rc=0 >> uid=nnnn<non-root-account>.....

...but should only prompt once for all hosts.

If you need to do a root task, use -Kb too...

$ ansible all -i /tmp/hosts2ping -a id -k -Kb
SSH password: <enter password>
SUDO password[defaults to SSH password]: <RETURN>
10.1.2.3 | SUCCESS | rc=0 >> uid=0(root).....

If your ssh key is deployed on target, load it into ssh-agent and you won't need -k...

$ ssh-add
Enter passphrase for .ssh/id_rsa:
identity added: .ssh/id_rsa

$ ansible all -i /tmp/hosts2ping -a id   # -k not needed
10.1.2.3 | SUCCESS | rc=0 >> uid=nnnn<non-root-account>.....

...ssh-agent does all the work.

You'll still need -Kb if doing root stuff on remote though, but won't get prompted for non-root password (as ssh-agent does that)...

$ ansible all -i /tmp/hosts2ping -a id -Kb   # -k not needed
SUDO password[defaults to SSH password]: <RETURN>
10.1.2.3 | SUCCESS | rc=0 >> uid=0(root).....

EDIT: Usually, sudo simply allows your non-root account to 'set user' as another, usually root itself. So, you're su'ing into the shared account to do privileged stuff? That should still work. Just change the 'become' options to specify the shared account (instead of defaulting to root), example:

$ ansible all -i /tmp/hosts2ping -a id -k -Kb --become-user=<shared-account>
SSH password: <enter password>
SUDO password[defaults to SSH password]: <RETURN>
10.1.2.3 | SUCCESS | rc=0 >> uid=43526(<shared-account>).....
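The reason the passphrase prompt appears twice on one line in the question is that Ansible connects to the hosts in a group in parallel (the forks setting, 5 by default), so two ssh processes prompt for the same passphrase on the same terminal at once and the typed input reaches only one of them. Loading the key into ssh-agent, as the answer recommends, means no ssh process ever prompts. The following is an added example wrapper script (not code from the question, the answer or the Ansible project) that checks the agent state with the exit code of `ssh-add -l` (0: identities loaded, 1: agent reachable but empty, 2: no agent), starts an agent and loads the key when needed, and only then runs Ansible without -k. The inventory path /tmp/hosts2ping is taken from the answer; the SSH_ADD and INVENTORY variables are assumptions of this script so it can be exercised without a real agent.

```shell
#!/bin/sh
# Ensure one ssh-agent holds the key before Ansible forks parallel SSH
# sessions, so no ssh child ever prompts for a passphrase on the shared tty.

SSH_ADD="${SSH_ADD:-ssh-add}"            # assumed override point for testing

# agent_state: print "loaded", "empty" or "none" from the ssh-add -l exit code.
# The command runs inside `if` so that `set -e` does not abort on a non-zero rc.
agent_state() {
    if "$SSH_ADD" -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# ensure_agent KEYFILE: start an agent if none is reachable, add the key if the
# agent is empty (this is the single passphrase prompt), return 0 when ready.
ensure_agent() {
    key="${1:-$HOME/.ssh/id_rsa}"
    state=$(agent_state)
    if [ "$state" = none ]; then
        # ssh-agent -s prints the SSH_AUTH_SOCK/SSH_AGENT_PID exports to eval
        eval "$(ssh-agent -s)" >/dev/null
        state=$(agent_state)
    fi
    if [ "$state" = empty ]; then
        "$SSH_ADD" "$key" || return 1
    fi
    [ "$(agent_state)" = loaded ]
}

# run_ansible [extra ansible args]: no -k needed once the agent is loaded;
# pass -Kb yourself for root tasks (one sudo prompt for all hosts).
run_ansible() {
    ensure_agent "$HOME/.ssh/id_rsa" || { echo "no key loaded in agent" >&2; return 1; }
    ansible all -i "${INVENTORY:-/tmp/hosts2ping}" -m ping "$@"
}

# Example usage (uncomment to run against real hosts):
# run_ansible
# run_ansible -Kb
```

ensure_agent only ever calls ssh-add for the key once per agent lifetime, so a second run of the script skips straight to Ansible; if the agent was started by the script itself it lives only in that shell's environment, which is the usual reason a fresh terminal asks for the passphrase again.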