I'm trying to automate google cloud virtual instances remotely only using external ip addresses of virtual machines. I can ssh into the virtual machines using command line with user name shishir9159_gmail_com . But If I use any ansible commands like this:
ansible -i hosts -u shishir9159_gmail_com --private-key=~/.ssh/google_compute_engine -m ping all
and it results in this following error:
"msg": "Failed to connect to the host via ssh: shishir9159#35.202.219.6: Permission denied (publickey,gssapi-keyex,gssapi-with-mic)."
I've added some parameters in my ansible.cfg:
host_key_checking = False
ssh_args = -o ControlMaster=no
But I don't think they do much of a help according to this post:
https://serverfault.com/questions/929222/ansible-where-do-preferredauthentications-ssh-settings-come-from
And I tried many methods and recommendations. I have a service account but it doesn't seem to me necessary for this simple ping command.
The problem is in the underscores of the user name. Try to add a username without underscore or try using quote.
I solved the problem by adding ansible_ssh_user and ansible_ssh_pass at the hosts file. This post contain the solution.
ansible SSH connection fail
Related
Here is my situation. I want to access a server through a jumpbox/bastion host.
so, I will login as normal user in jumpbox and then change user to root after that login to remote server using root. I dont have direct access to root in jumpbox.
$ ssh user#jumpbox
$ user#jumpbox:~# su - root
Enter Password:
$ root#jumpbox:~/ ssh root#remoteserver
Enter Password:
$ root#remoteserver:~/
Above is the manual workflow. I want to achieve this in ansible.
I have seen something like this.
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user#jumpbox"'
This doesnot work when we need to switch to root and login to remote server.
There are a few things to unpack here:
General Design / Issue:
This isn't an Ansible issue, it's an ssh issue/proxy misconfiguration.
A bastion host/ssh proxy isn't meant to be logged into and have commands ran directly on it interactively (like su - root, enter password, then ssh...). That's not really a bastion, that's just a server you're logging into and running commands on. It's not an actual ssh proxy/bastion/jump role. At that point you might as well just run Ansible on the host.
That's why things like ProxyJump and ProxyCommand aren't working. They are designed to work with ssh proxies that are configured as ssh proxies (bastions).
Running Ansible Tasks as Root:
Ansible can run with sudo during task execution (it's called "become" in Ansible lingo), so you should never need to SSH as the literal root user with Ansible (shouldn't ssh as root ever really).
Answering the question:
There are a lot of workarounds for this, but the straightforward answer here is to configure the jump host as a proper bastion and your issue will go away. An example...
As the bastion "user", create an ssh key pair, or use an existing one.
On the bastion, edit the users ~/.ssh/config file to access the target server with the private key and desired user.
EXAMPLE user#bastion's ~/.ssh/config (I cringe seeing root here)...
Host remote-server
User root
IdentityFile ~/.ssh/my-private-key
Add the public key created in step 1 to the target servers ~/.ssh/authorized_keys file for the user you're logging in as.
After that type of config, your jump host is working as a regular ssh proxy. You can then use ProxyCommand or ProxyJump as you had tried to originally without issue.
i'm new in ansible, i've installed it yesterday and i want to try to ping my remote host (hpe switch 5130).
I have an issue the host is unreachable and i don't know how to fix that.
The config
Here is the issue
The host
The ssh works fine but i can't use ansible :(
How do you ssh to your switch?
If you're using a password, add the "-k" option to the ansible command. It will ask you to enter your ssh password. Alternatively, set the ansible_password variable.
Also you should set some environment related vars, such as ansible_connection and ansible_network_os.
I'm trying to setup a an ssh tunnel with remote port forwarding. The idea is the have a VPS act as a means to ssh into remote deployed systems (which currently incorporate a Raspberry Pi). Everything seems to work, but I run into issues when trying to move all arguments into the ~/.ssh/config file.
what does work is the setting of the HostName, User, Port and IdentityFile. However setting the RemoteForward parameter does not seem to work.
The following works:
ssh -R 5555:localhost:22 ssh-tunnel
How ever when using the following line in the config file;
Host ssh-tunnel
...
RemoteForward 5555 localhost:22
The following command returns the message "Bad remote forwarding specification 'ssh-tunnel'"
ssh -R ssh-tunnel
Obvious I found the answer almost immediately after posting the question. Using the -R flag requires you to set the remote forwarding in the command line call. However because remote forwarding is set in the config file you shouldn't add it to the command. However something confusing occurs in that aside from setting up the tunnel you also ssh into the remote server. To avoid this add the -f and the -N flag. This results in the following command:
ssh -f -N ssh-tunnel
I would like to run an ansible playbook on a target host passing through multiple hosts. The scenario looks similar to the one depicted in the picture:
I partially solved issue creating the ssh_config file in the Ansible project directory:
Host IP_HostN
HostName IP_HOST_N
ProxyJump Username1#IP_HOST_2:22,Username2#IP_HOST_2:22
User UsernameN
and defining in the ansible.cfg in the Ansible project directory:
[ssh_connection]
ssh_args= -F "ssh_config"
The problem is that I need to insert automatically for each transient hosts and target host ssh username and password and I don't know how to automate this task. Moreover, python may not be installed on every transient node.
I found a reasonably good workaround. According to the scenario below:
we create an ssh tunnel until the transient host that can directly reach the target host. We also create a local port binding with -L flag:
ssh -J user_1#transient_host1:port_1 -p port_2 user_2#transient_host2 -L LOCAL_PORT:TARGET_HOST_IP:TARGET_HOST_PORT
Then we can directly enter into Target Host using the local binding:
ssh user_target_host#localhost -p LOCAL_PORT
In this way, we can run ansible playbooks on the local host configuring ansible variables accordingly:
ansible_host: localhost
ansible_user: user_target_host
ansible_port: LOCAL_PORT
ansible_password: password_target_host
I am brand new to learning Ansible. Here is a pretty easy example.
I have computer A, where I will be running playbooks from.
And 10 other host machines that need to be configured. My question is, do I just need to put the public SSH key of my host machine on the 10 hosts in ~/.ssh/authorized_keys ?
I guess my understanding of how to efficiently setup SSH connections between my main computer and all the clients is a little fuzzy. Any help would be appreciated here.
You create a file called hosts with this content
[test-vms]
10.0.0.100 ansible_ssh_pass='password' ansible_ssh_user='username'
In above hosts file leave off ansible_ssh_pass='password' if using ssh keys ... Then you can create a playbook with the commands and call the playbook like below. The first line of the playbook needs to have the hosts declaration
---
- hosts: test-vms
tasks:
-name: "This is a test task"
command: /bin/hostname
Finally, you call the playbook like this
ansible-playbook -i <hosts-file> <playbook.yaml>
Ansible simply uses SSH so you can either copy the public key as you describe or use password authentication using the --user and --ask-pass flags.
Yes. As far as connection to hosts go, Ansible sets up SSH connection between the master machine and the host machines. You have to add the SSH fingerprints to the end machines. You can always skip the Are you sure you want to continue connecting (yes/no/[fingerprint]) step i.e., adding the fingerprints to .ssh/known_hosts by setting host_key_checking=false
I found this great video for initial Ansible Setup - https://youtu.be/-Q4T9wLsvOQ - maybe this can help!