UdelaRInterior / ansible-backuppc-client

Backuppc client with ansible

Error adding known keys #6

Open santiagomr opened 4 years ago

santiagomr commented 4 years ago

I'm having an error in this task that I still can't fully understand but I can solve

https://github.com/UdelaRInterior/ansible-backuppc-client/blob/4b71900c0548b3d518524a8e61949e5008837f16/tasks/ssh.yml#L45

From the previous task, the ssh_known_host_results variable is set with the following value:

TASK [backuppc_client : debug] *****************************************************************************************************
ok: [client.santiagomr.com -> server.santiagomr.com] => {
    "ssh_known_host_results": {
        "changed": true, 
        "cmd": [
            "ssh-keyscan", 
            "-p", 
            "6159", 
            "client.santiagomr.com"
        ], 
        "delta": "0:00:00.042840", 
        "end": "2020-08-06 22:58:45.958496", 
        "failed": false, 
        "rc": 0, 
        "start": "2020-08-06 22:58:45.915656", 
        "stderr": "# client.santiagomr.com:6159 SSH-2.0-OpenSSH_7.9p1 Debian-10\n# client.santiagomr.com:6159 SSH-2.0-OpenSSH_7.9p1 Debian-10\n# client.santiagomr.com:6159 SSH-2.0-OpenSSH_7.9p1 Debian-10", 
        "stderr_lines": [
            "# client.santiagomr.com:6159 SSH-2.0-OpenSSH_7.9p1 Debian-10", 
            "# client.santiagomr.com:6159 SSH-2.0-OpenSSH_7.9p1 Debian-10", 
            "# client.santiagomr.com:6159 SSH-2.0-OpenSSH_7.9p1 Debian-10"
        ], 
        "stdout": "[client.santiagomr.com]:6159 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn2KI6zKR2G7xFshnC8dkmwW48vI2MFeBLGk0CeOoR+MAbRp0Fmf9euJWcWNefBriR8RgrO1fR68iPr9yVnoy6+xmG5wMQr97OAawxTlcx89lS/mxidQ7j9gNBgpdzzFHqPMBdvse+4C1kO/gvxPeyafnf3d454DOZkO6xcJdc8/taqToTKaAc9HJuEJYGhgOrXmLAdEI8zfBUKMDqPl3WnGvIEUx0QOykZnv6TRFM8nKOSUEMN5Tqpdsd0YEgnTza0+PyIHRUY1BhLxHWJGPS6ZFPQ0ezCOgrKxZvhJQYvUm/L3/KkB6KEHIHOZCZPKBb4xBoaVHTcK8dPLUkmA/j\n[client.santiagomr.com]:6159 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNT3M+e1CioMBnZ42ohfQIr/Nz+xrP71FIM1iK0pa23Te9ynAsLss9huxQoNWxn4jfugARNys3W1CQcBHHIT3DE=\n[client.santiagomr.com]:6159 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo+TDP7ZRsuqv9o+g5rnDhZRa8TpyWF0YzjNPO5IRsr", 
        "stdout_lines": [
            "[client.santiagomr.com]:6159 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn2KI6zKR2G7xFshnC8dkmwW48vI2MFeBLGk0CeOoR+MAbRp0Fmf9euJWcWNefBriR8RgrO1fR68iPr9yVnoy6+xmG5wMQr97OAawxTlcx89lS/mxidQ7j9gNBgpdzzFHqPMBdvse+4C1kO/gvxPeyafnf3d454DOZkO6xcJdc8/taqToTKaAc9HJuEJYGhgOrXmLAdEI8zfBUKMDqPl3WnGvIEUx0QOykZnv6TRFM8nKOSUEMN5Tqpdsd0YEgnTza0+PyIHRUY1BhLxHWJGPS6ZFPQ0ezCOgrKxZvhJQYvUm/L3/KkB6KEHIHOZCZPKBb4xBoaVHTcK8dPLUkmA/j", 
            "[client.santiagomr.com]:6159 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNT3M+e1CioMBnZ42ohfQIr/Nz+xrP71FIM1iK0pa23Te9ynAsLss9huxQoNWxn4jfugARNys3W1CQcBHHIT3DE=", 
            "[client.santiagomr.com]:6159 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDo+TDP7ZRsuqv9o+g5rnDhZRa8TpyWF0YzjNPO5IRsr"
        ]
    }
}

However I get the following error:

TASK [backuppc_client : KNOWN_HOSTS | add or update client key to known_hosts in server] *******************************************************************************************************
fatal: [client.santiagomr.com -> server.santiagomr.com]: FAILED! => {"changed": false, "msg": "Host parameter does not match hashed host field in supplied key"}

Indicating hash_host: yes in the task (default value is no), I don't get an error and can complete the role execution.

Note: I am running on LXC containers of the same Debian Buster image on both sides

santiagomr commented 4 years ago

As a parallel comment. It doesn't seem entirely correct to ignore errors here:

https://github.com/UdelaRInterior/ansible-backuppc-client/blob/4b71900c0548b3d518524a8e61949e5008837f16/tasks/ssh.yml#L43

the next task depends on the correct definition of that variable.

ulvida commented 4 years ago
> TASK [backuppc_client : KNOWN_HOSTS | add or update client key to known_hosts in server] *******************************************************************************************************
> fatal: [client.santiagomr.com -> server.santiagomr.com]: FAILED! => {"changed": false, "msg": "Host parameter does not match hashed host field in supplied key"}

I don't think this error is systematic, but it's good to test it in all situations, because this task is now supposed to add or update the key. In which situation do you have this error? Didn't you previously access the server with the ssh command?

> Indicating hash_host: yes in the task (default value is no) I don't get an error and can complete the role execution.

Indeed, I noticed that this module stores the hostname in clear in the known_hosts. In old versions, ssh used to update this file in this way, but for quite some time it has hashed the hostname (for privacy, better not knowing what sites people visit...). So certainly you are right, better to always hash the hostname. But I would like to understand what happened, because I don't see where the "hashed host field in supplied key" is.
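
Added example, not part of the thread or of the role's code: how an OpenSSH known_hosts host field is matched, for both the plain `[host]:port` form that the `ssh-keyscan -p 6159` output above uses and the hashed `|1|salt|hmac` form mentioned in the comment above. The host name, key blob, salt and function names are constructed for illustration, and only exact names are handled (no wildcard patterns).

```python
import base64
import hashlib
import hmac

def lookup_name(host, port=22):
    """Name OpenSSH looks up: bare host on port 22, otherwise '[host]:port'."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_host_field(name, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def field_matches(field, name):
    """True if a host field covers `name` (exact names only, no wildcards)."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt = base64.b64decode(salt_b64, validate=True)
            want = base64.b64decode(mac_b64, validate=True)
        except ValueError:
            return False  # a malformed hashed field never matches
        got = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(got, want)
    return name in field.split(",")  # plain field: comma-separated names

def find_host(text, host, port=22):
    """Return the key types recorded for host:port in known_hosts-style text."""
    name = lookup_name(host, port)
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @marker lines
        if field_matches(parts[0], name):
            found.append(parts[1])
    return found

# Constructed sample in the shape `ssh-keyscan -p 6159 <host>` prints;
# the host name and key blob are placeholders, not values from the thread.
HOST, PORT = "client.example.test", 6159
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyBlobForIllustration"
PLAIN = f"[{HOST}]:{PORT} {KEY}\n"
SALT = bytes(range(20))  # fixed salt for a repeatable demo; OpenSSH uses a random one
HASHED = f"{hash_host_field(lookup_name(HOST, PORT), SALT)} {KEY}\n"

if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("hashed", HASHED)):
        print(label, find_host(text, HOST), find_host(text, HOST, PORT))
```

In both forms a lookup by bare host name finds nothing, while a lookup that includes port 6159 finds the entry.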

ulvida commented 4 years ago

> As a parallel comment. It doesn't seem entirely correct to ignore errors here: https://github.com/UdelaRInterior/ansible-backuppc-client/blob/4b71900c0548b3d518524a8e61949e5008837f16/tasks/ssh.yml#L43 the next task depends on the correct definition of that variable.

You're right. What I should have put here is changed_when: false.