I seem to be having a problem where Ansible isn't using my SSH agent cache. I've run the following:

    eval `ssh-agent`
    ssh-add /tmp/key

Then I successfully log into one of the hosts from my inventory just fine:

    ssh -i /tmp/key [email protected]

When using ansible on my Windows machine within WSL, the following ends with a weird single-line, triple ask (one for each in my inventory):

    ansible --key-file /tmp/key -i ./hosts all -m ping

Output:

    Enter passphrase for key '/tmp/key': Enter passphrase for key '/tmp/key': Enter passphrase for key '/tmp/key':
    repo | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
        "unreachable": true
    }
    follower | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
        "unreachable": true
    }
    leader | UNREACHABLE! => {
        "changed": false,
        "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).",
        "unreachable": true
    }

I believe Ansible should be using Paramiko for SSH but I assume it would talk with my SSH agent anyway. Any guesses why this isn't working?
This is also running on WSL on Windows 10 if that matters.
Here is the output with "-vvv":

    ssh -C -o ControlMaster=auto -o ControlPersist=60s -o 'IdentityFile="/tmp/key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/mnt/c/Users/me/.ansible/cp/58691c2f88 1.2.3.4 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''

This times out when run from the command line.
Removing the passphrase altogether removes the prompt but I continue to receive the same errors, so it may be that this is seen any time Ansible cannot authenticate to remote hosts?
Ugh. PEBCAK. The problem is that Ansible is not using the correct user name here.
For others, my workaround was to specify the user in the inventory:
Don't specify the key file and Ansible will simply run and use the agent, but by supplying a key you're telling Ansible to use that key directly instead of the agent.
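
Added example, not part of the original question or answers: a small Python check that reads the ssh command printed by `-vvv` and reports which login name ssh will actually use, which is the detail that turned out to be wrong here. The function name `effective_login` is hypothetical, and the example assumes Ansible passes a configured remote user on the command line as `-o User=...`.

```python
import getpass
import shlex

# The ssh command from the -vvv output above, wrapped across lines.
VVV_COMMAND = """ssh -C -o ControlMaster=auto -o ControlPersist=60s
  -o 'IdentityFile="/tmp/key"' -o KbdInteractiveAuthentication=no
  -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
  -o PasswordAuthentication=no -o ConnectTimeout=10
  -o ControlPath=/mnt/c/Users/me/.ansible/cp/58691c2f88 1.2.3.4
  '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''"""

# ssh(1) short flags that consume the following argument.
TAKES_VALUE = set("BbcDEeFIiJLlmOopQRSWw")


def effective_login(cmdline, local_user=None):
    """Return (user, source, host, identity_file) for an ssh command line."""
    argv = shlex.split(cmdline)
    opts, login, host, i = {}, None, None, 1
    while i < len(argv) and host is None:
        arg = argv[i]
        if len(arg) == 2 and arg[0] == "-" and arg[1] in TAKES_VALUE and i + 1 < len(argv):
            value = argv[i + 1]
            if arg == "-o":
                key, _, val = value.partition("=")
                opts[key.lower()] = val.strip('"')
            elif arg == "-l":
                login = value
            elif arg == "-i":
                opts["identityfile"] = value
            i += 2
        elif arg.startswith("-"):
            i += 1          # boolean flag such as -C or -vvv
        else:
            host = arg      # first positional argument is [user@]host
    at_user, at, bare_host = (host or "").rpartition("@")
    if "user" in opts:
        user, source = opts["user"], "-o User"
    elif login:
        user, source = login, "-l"
    elif at:
        user, source = at_user, "user@host"
    else:
        # Nothing on the command line names a user, so ssh uses the local
        # account name unless ~/.ssh/config sets User for this host.
        user, source = local_user or getpass.getuser(), "local account (default)"
    return user, source, bare_host if at else host, opts.get("identityfile")
```

For the command above the source comes back as the local account default, meaning the remote login silently follows whatever the WSL user is called. Once a remote user is set for the host (for example with the `ansible_user` inventory variable), the `-vvv` command should carry a `User` option and the function reports that instead.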