I can't seem to get ansible to automatically pick up the SSH identity that I've added, and if I am prompted for the passphrase on my private key my passphrase seems to not be accepted, while the same passphrase is accepted when just SSH'ing without ansible. If I change the playbook to use the directives `become: yes`, `become_user: <Windows user>` and `ansible_shell_type: cmd` the script runs, but I still have to enter the passphrase multiple times...
- Source host is Raspberry Pi running Debian Bullseye
- Destination host is Thinkpad T580 running Windows 11
SSH without ansible
pi@raspberrypi:~ $ ssh-agent bash
pi@raspberrypi:~ $ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/pi/.ssh/id_rsa:
Identity added: /home/pi/.ssh/id_rsa (pi)
pi@raspberrypi:~ $ ssh [email protected]
...
Microsoft Windows [Version 10.0.22621.1265]
(c) Microsoft Corporation. All rights reserved.
my_user@MY_LAPTOP C:\Users\my_user>
// Works fine without any password or passphrase
/etc/ansible/ansible.cfg:
[defaults]
host_key_checking = False
[ssh_connection]
ssh_args = -o ForwardAgent=yes
/etc/ansible/hosts:
[local]
my_laptop ansible_host=192.168.178.170 ansible_connection=ssh ansible_user=my_user
~/ansible/playbook.yml:
---
- name: Fetch public key
  hosts: my_laptop
  gather_facts: yes
  vars:
    ansible_ssh_private_key_file: /home/my_user/.ssh/id_rsa   # <- With or without?
  tasks:
    - name: Fetch temporary key
      fetch:
        src: ~/.ssh/id_rsa.pub
        dest: /tmp/id_rsa.pub
        flat: yes
With ansible_ssh_private_key_file:
I enter the passphrase 3 times, then it continues on to say there is no permission to create the /tmp/ directory.
Enter passphrase for key '/home/my_user/.ssh/id_rsa':
Enter passphrase for key '/home/my_user/.ssh/id_rsa':
Enter passphrase for key '/home/my_user/.ssh/id_rsa':
fatal: [my_laptop]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to create temporary directory.In some cases, you may have been able to authenticate and did not have permissions on the target directory.
Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\", for more error information use -vvv.
Failed command was: ( umask 77 && mkdir -p \"` echo ~/.ansible/tmp `\"&& mkdir \"` echo ~/.ansible/tmp/ansible-tmp-1676947350.1170616-19638-181124692161141 `\" && echo ansible-tmp-1676947350.1170616-19638-181124692161141=\"` echo ~/.ansible/tmp/ansible-tmp-1676947350.1170616-19638-181124692161141 `\" ), exited with result 1",
"unreachable": true
}
Without ansible_ssh_private_key_file:
fatal: [my_laptop]: UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: [email protected]: Permission denied (publickey,password,keyboard-interactive).",
"unreachable": true
}
Windows Event Viewer Logs:
sshd: Connection closed by authenticating user my_user 192.168.178.20 port 42742 [preauth]
Questions
- Why does it ask for a password when creating an ssh connection without ansible directly logging me in?
- Why does it say I have no permission?
  - Answer: This was due to not using the `become` directive in combination with the correct `become_user` (Windows username).
- When it is talking about having no permission, is it referring to the source host `pi@raspberrypi`, or the destination host `my_user@my_laptop`?
  - Answer: The destination host `my_user@my_laptop`.
- Do I need to create the var `ansible_ssh_private_key_file` in my playbook? Or should ansible automatically find the identity in the `ssh-agent`?
Thanks in advance.
Update
I managed to fix some issues:
- OpenSSH wasn't set up properly on my Windows machine. I found these Microsoft docs and this video very helpful.
- My playbook was incorrect. Make sure the following directives are filled in when using a Windows-managed host with ansible:
  `become: yes`
  `become_user: <Your Windows user>`
  `ansible_shell_type: cmd` (set to `cmd` or `powershell`, but when using `powershell` extra config is needed).
~/playbook.yml so far:
---
- name: Fetch public key
  hosts: my_laptop
  gather_facts: yes
  become: yes
  become_user: my_user
  vars_files:
    - secrets.yml
  vars:
    ansible_ssh_private_key_file: /home/my_user/.ssh/id_rsa
    ansible_shell_type: cmd
  tasks:
    - name: Fetch temporary key
      fetch:
        src: ~/.ssh/id_rsa.pub
        dest: /tmp/id_rsa.pub
        flat: yes
...
The script runs now but prompts me for the passphrase 3 times.
PLAY [Fetch public key] *************************************************************************************************************************************
TASK [Gathering Facts] **************************************************************************************************************************************
Enter passphrase for key '/home/my_user/.ssh/id_rsa':
ok: [my_laptop]
TASK [Fetch temporary key] **********************************************************************************************************************************
Enter passphrase for key '/home/my_user/.ssh/id_rsa':
Enter passphrase for key '/home/my_user/.ssh/id_rsa':
ok: [my_laptop]
PLAY RECAP **************************************************************************************************************************************************
my_laptop : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
New questions:
- Why is it still asking the passphrase for the private key, and not taking it from ssh-agent?
- Why should i enter the passphrase 3 times, once while gathering facts and another two times while executing the task?
`shell: ssh-agent -s ..`, `register: output`, then `debug, var=output`; you'll see `.../home/pi/.ssh/id_rsa`, but in ansible you use `/home/my_user/.ssh/id_rsa`. Which one did you ssh-add to the agent to unlock?
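An added diagnostic for the mismatch the comment above points at (this is example code, not part of the question or of any answer). It checks the two things that produce the symptoms in the post: the key named in `ansible_ssh_private_key_file` is not the key that was `ssh-add`ed (the agent holds `/home/pi/.ssh/id_rsa`, the playbook forces `/home/my_user/.ssh/id_rsa`, so ssh prompts for that file's passphrase instead of using the agent), and a custom `ssh_args` in ansible.cfg replaces Ansible's default `-C -o ControlMaster=auto -o ControlPersist=60s`, so every ssh/sftp invocation is a fresh connection and the prompt repeats once per connection. The `ssh-add -l` and `ssh-keygen -lf` output lines embedded below are constructed samples; `check_live` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: compare the key Ansible is told to use against the
# identities actually loaded in ssh-agent, and check whether ssh_args
# still keeps connection multiplexing. Not code from the original post.

# Constructed sample of `ssh-add -l` on the controller (the Pi): the
# identity that was unlocked with the passphrase.
SAMPLE_AGENT='3072 SHA256:k7Nf2Qx1Yz8Wv5Tq3Rr9Lp6Mh4Jc2Ab0De8Fg1Hi3Jk pi (RSA)'
# Constructed sample of `ssh-keygen -lf` on the key the playbook forces.
SAMPLE_PLAYBOOK_KEY='3072 SHA256:Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp9Oo8Nn7Mm6 my_user@somewhere (RSA)'
# The ssh_args from the question's ansible.cfg.
SAMPLE_SSH_ARGS='-o ForwardAgent=yes'

# Second column of an `ssh-add -l` / `ssh-keygen -lf` line is the fingerprint.
fingerprint_of() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# agent_has_key AGENT_LIST KEY_LINE: exit 0 if the key's fingerprint is one
# of the agent's identities, 1 otherwise. Only an agent-held key avoids
# the "Enter passphrase for key" prompt.
agent_has_key() {
    fp=$(fingerprint_of "$2")
    printf '%s\n' "$1" | awk -v fp="$fp" '$2 == fp { found = 1 } END { exit found ? 0 : 1 }'
}

# ssh_args_keeps_multiplexing ARGS: exit 0 if ControlMaster is still set.
# Ansible's default ssh_args carries ControlMaster/ControlPersist; setting
# ssh_args yourself drops them unless you repeat them.
ssh_args_keeps_multiplexing() {
    case "$1" in
        *ControlMaster=*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_live [PRIVATE_KEY_PATH]: run the same checks against the real
# agent on this controller (hypothetical helper; needs ssh-add/ssh-keygen).
check_live() {
    key=${1:-/home/my_user/.ssh/id_rsa}
    if [ -z "$SSH_AUTH_SOCK" ]; then
        echo "SSH_AUTH_SOCK is unset: ansible's ssh cannot reach any ssh-agent"
        return 1
    fi
    agent=$(ssh-add -l 2>/dev/null) || { echo "ssh-agent holds no identities"; return 1; }
    keyline=$(ssh-keygen -lf "$key.pub" 2>/dev/null) || { echo "cannot read $key.pub"; return 1; }
    if agent_has_key "$agent" "$keyline"; then
        echo "agent holds $key; ssh will not prompt for its passphrase"
    else
        echo "agent does NOT hold $key; loaded identities:"
        printf '%s\n' "$agent"
        return 1
    fi
}

# Stand-alone run over the constructed samples.
if agent_has_key "$SAMPLE_AGENT" "$SAMPLE_PLAYBOOK_KEY"; then
    echo "playbook key is in the agent"
else
    echo "playbook key is NOT the key you ssh-add'ed (expect passphrase prompts)"
fi
if ssh_args_keeps_multiplexing "$SAMPLE_SSH_ARGS"; then
    echo "ssh_args keeps ControlMaster (one prompt per play at most)"
else
    echo "ssh_args '$SAMPLE_SSH_ARGS' dropped ControlMaster (expect one prompt per ssh/sftp call)"
fi
```

Run it on the Pi with the agent started (`ssh-agent bash; ssh-add ~/.ssh/id_rsa`) and `check_live /home/my_user/.ssh/id_rsa`; if it reports the key is not loaded, either point `ansible_ssh_private_key_file` at the key you actually added or drop the variable and let ssh use the agent. To keep multiplexing while forwarding the agent, set `ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes`, and note that ForwardAgent exposes your agent to the Windows host, so only enable it when a task there really needs your key.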