spurin / diveintoansible-lab

Dive Into Ansible Lab

Ansible user unable to connect to hosts #110

Closed fox27374 closed 2 months ago

fox27374 commented 1 year ago

Hi, when connected to the ubuntu-c machine, it's not possible for ansible to build an SSH connection to the hosts. A normal, password-based SSH connection is possible.

There is no private key for the ansible user:

ansible@ubuntu-c:~/diveintoansible/Ansible Architecture and Design/Inventories/03$ ls -la ~/.ssh/
drwx------  3 ansible ansible   96 Jan 23 13:35 .
drwxr-xr-x 11 ansible ansible  352 Jan 23 13:39 ..
-rw-r--r--  1 ansible ansible 2664 Jan 23 13:44 known_hosts

When configuring the username and password in the ansible.cfg or hosts file, I get the following error:

ansible@ubuntu-c:~/diveintoansible/Ansible Architecture and Design/Inventories/03$ ansible all -m ping
centos1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ansible@centos1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}

Here is some more verbose output:

ansible@ubuntu-c:~/diveintoansible/Ansible Architecture and Design/Inventories/03$ ansible all -m ping -vvv
ansible [core 2.12.3]
  config file = /home/ansible/diveintoansible/Ansible Architecture and Design/Inventories/03/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/dist-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.8.10 (default, Nov 26 2021, 20:14:08) [GCC 9.3.0]
  jinja version = 3.0.3
  libyaml = True
Using /home/ansible/diveintoansible/Ansible Architecture and Design/Inventories/03/ansible.cfg as config file
host_list declined parsing /home/ansible/diveintoansible/Ansible Architecture and Design/Inventories/03/hosts as it did not pass its verify_file() method
auto declined parsing /home/ansible/diveintoansible/Ansible Architecture and Design/Inventories/03/hosts as it did not pass its verify_file() method
Parsed /home/ansible/diveintoansible/Ansible Architecture and Design/Inventories/03/hosts inventory source with ini plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
META: ran handlers
<centos1> ESTABLISH SSH CONNECTION FOR USER: ansible
<centos1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="ansible"' -o ConnectTimeout=10 -o 'ControlPath="/dev/shm/4913f9b9ed"' centos1 '/bin/sh -c '"'"'echo ~ansible && sleep 0'"'"''
<centos2> ESTABLISH SSH CONNECTION FOR USER: None
<centos2> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o 'ControlPath="/dev/shm/42a7aa40a0"' centos2 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<centos3> ESTABLISH SSH CONNECTION FOR USER: None
<centos3> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o 'ControlPath="/dev/shm/6360373fbb"' centos3 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<centos1> (255, b'', b'ansible@centos1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n')
<ubuntu1> ESTABLISH SSH CONNECTION FOR USER: None
<ubuntu1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o 'ControlPath="/dev/shm/492fe51149"' ubuntu1 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
centos1 | UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ansible@centos1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).",
    "unreachable": true
}

So either the "PasswordAuthentication" in the ansible config should be set to "yes", or certificates should be generated before the start of the docker containers as it is done in the Google Cloud Shell version.
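The mismatch visible in the `-vvv` output above, as an added example that is not part of the original issue or the lab's own code: it compares the authentication methods the client will try with those the server lists, and checks the `~/.ssh` listing for a default private key. The sample lines are shortened copies of the centos1 output, and the function names are illustrative.

```python
import re
import shlex

# Constructed sample: the centos1 lines from the -vvv output above, with the
# remote command shortened, plus the ~/.ssh listing from the report.
SSH_EXEC = (
    "<centos1> SSH: EXEC ssh -C -o KbdInteractiveAuthentication=no "
    "-o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey "
    "-o PasswordAuthentication=no -o 'User=\"ansible\"' centos1 '/bin/sh -c true'"
)
SSH_ERROR = "ansible@centos1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password)."
SSH_DIR = ["known_hosts"]
# Private key file names current OpenSSH tries by default when no -i is given.
DEFAULT_IDENTITIES = {"id_rsa", "id_ecdsa", "id_ecdsa_sk", "id_ed25519", "id_ed25519_sk"}


def client_options(exec_line):
    """Return the -o Key=Value options of an 'SSH: EXEC ssh ...' line."""
    tokens = shlex.split(exec_line.split("SSH: EXEC", 1)[1])
    opts = {}
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-o" and "=" in value:
            key, val = value.split("=", 1)
            opts[key.lower()] = val.strip('"')
    return opts


def server_methods(error_line):
    """Return the methods listed in 'Permission denied (a,b,c)'."""
    match = re.search(r"Permission denied \(([^)]*)\)", error_line)
    return match.group(1).split(",") if match else []


def diagnose(exec_line, error_line, ssh_dir_files):
    """Compare what the client will try with what the server accepts."""
    opts = client_options(exec_line)
    offered = opts.get("preferredauthentications", "").split(",")
    if opts.get("passwordauthentication") == "no":
        offered = [m for m in offered if m != "password"]
    common = [m for m in offered if m in server_methods(error_line)]
    keys = sorted(DEFAULT_IDENTITIES & set(ssh_dir_files))
    return {
        "user": opts.get("user"),
        "common_methods": common,
        "password_attempted": "password" in offered,
        "private_keys": keys,
        "publickey_possible": "publickey" in common and bool(keys),
    }
```

For the report's values, `diagnose(SSH_EXEC, SSH_ERROR, SSH_DIR)` finds no private key and no password attempt, so `publickey` is a shared method with no credential behind it.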

fox27374 commented 1 year ago

Adding the certificate generation to the documentation would fix the issue:

cp -rf \
    ${HOME}/diveintoansible-lab/config/guest_ssh \
    ${HOME}/diveintoansible-lab/config/root_ssh; \
    cp -rf \
    ${HOME}/diveintoansible-lab/config/guest_ssh.pub \
    ${HOME}/diveintoansible-lab/config/root_ssh.pub

spurin commented 2 months ago

Late response. Given that the Google Cloud Shell environment is typically ephemeral, that is why the keys are auto-created in that environment vs. the local lab, which should be persistent. However, good feedback, will think how this could be improved / automated. Maybe a script for those who don't wish to repeat this, given that the ssh keys section is a learning process.