Ssh
Ansible accessing GitHub: become causes Permission denied (publickey)
Objective
I would like to understand the mechanism by which using become with the ansible user causes "Permission denied (publickey)".
The user ansible runs ansible-playbook to check out a GitHub repository. The SSH key was copied with ssh-copy-id as that same user.
Without become, the playbook runs.
    [ansible@ip-172-31-39-108 playbooks]$ whoami
    ansible
    [ansible@ip-172-31-39-108 playbooks]$ ansible-playbook git.yml

    PLAY [Git example] *************************************************************

    TASK [setup] *******************************************************************
    ok: [ub01]

    TASK [check out the repository on the host] ************************************
    changed: [ub01]

    PLAY RECAP *********************************************************************
    ub01                       : ok=2    changed=1    unreachable=0    failed=0
However, using ***become: yes*** results in an error.
    [ansible@ip-172-31-39-108 playbooks]$ ansible-playbook git.yml

    PLAY [Git example] *************************************************************

    TASK [setup] *******************************************************************
    ok: [ub01]

    TASK [check out the repository on the host] ************************************
    fatal: [ub01]: FAILED! => {"changed": false, "cmd": "/usr/bin/git clone --origin origin '' /home/ansible/project/mezzanine-example", "failed": true, "msg": "Cloning into '/home/ansible/project/mezzanine-example'...\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Cloning into '/home/ansible/project/mezzanine-example'...\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}
            to retry, use: --limit @/home/ansible/playbooks/git.retry

    PLAY RECAP *********************************************************************
    ub01                       : ok=1    changed=0    unreachable=0    failed=1
ssh-agent is running and the private key has been added.
    [ansible@ip-172-31-39-108 playbooks]$ eval $(ssh-agent -s)
    Agent pid 1513
    [ansible@ip-172-31-39-108 playbooks]$ ssh-add ~/.ssh/id_rsa
    Identity added: /home/ansible/.ssh/id_rsa (/home/ansible/.ssh/id_rsa)
Question
Please explain why this happens, or point me to resources to investigate.
Also, I only started ssh-agent on the server that runs ansible-playbook, not on the target server. How does the GitHub SSH authentication happen on the target server?
Playbook
    - name: Git example
      hosts: webservers
      become: no            # <----- Changing to yes causes the issue
      become_user: ansible
      become_method: sudo
      vars:
        repo_url: git@github.com:lorin/mezzanine-example.git
        proj_dirname: /home/ansible/project
        proj_name: mezzanine-example
        proj_path: "{{ proj_dirname }}/{{ proj_name }}"
      tasks:
        - name: check out the repository on the host
          git: repo={{ repo_url }} dest={{ proj_path }} accept_hostkey=yes
Configuration
Hosts file
    [webservers]
    ub01
    #rh01
ansible.cfg
    [ssh_connection]
    ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes
Environment
The Ansible playbook runs on Red Hat.
    NAME="Red Hat Enterprise Linux Server"
    VERSION="7.3 (Maipo)"
The target host is Ubuntu.
    DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"
Related questions
- Ansible with Github: Permission denied (Publickey)
- How to fix "Permission denied (publickey)" issue with Ansible and "git clone"
- Access SSH_AUTH_SOCK from another non-root user
Console -vvvvv output
    TASK [check out the repository on the host] ************************************
    task path: /home/ansible/playbooks/git.yml:12
    Using module file /usr/lib/python2.7/site-packages/ansible/modules/core/source_control/git.py
    <ub01> ESTABLISH SSH CONNECTION FOR USER: None
    <ub01> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)(-o)(ForwardAgent=yes)
    <ub01> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
    <ub01> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
    <ub01> SSH: PlayContext set ssh_common_args: ()
    <ub01> SSH: PlayContext set ssh_extra_args: ()
    <ub01> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
    <ub01> SSH: EXEC ssh -vvv -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r ub01 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1485919043.94-240537002849590 `" && echo ansible-tmp-1485919043.94-240537002849590="` echo /tmp/ansible-tmp-1485919043.94-240537002849590 `" ) && sleep 0'"'"''
    <ub01> PUT /tmp/tmpAjaOMc TO /tmp/ansible-tmp-1485919043.94-240537002849590/git.py
    <ub01> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)(-o)(ForwardAgent=yes)
    <ub01> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
    <ub01> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
    <ub01> SSH: PlayContext set ssh_common_args: ()
    <ub01> SSH: PlayContext set sftp_extra_args: ()
    <ub01> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
    <ub01> SSH: EXEC sftp -b - -vvv -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r '[ub01]'
    <ub01> ESTABLISH SSH CONNECTION FOR USER: None
    <ub01> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)(-o)(ForwardAgent=yes)
    <ub01> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
    <ub01> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
    <ub01> SSH: PlayContext set ssh_common_args: ()
    <ub01> SSH: PlayContext set ssh_extra_args: ()
    <ub01> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
    <ub01> SSH: EXEC ssh -vvv -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r ub01 '/bin/sh -c '"'"'setfacl -m u:ansible:r-x /tmp/ansible-tmp-1485919043.94-240537002849590/ /tmp/ansible-tmp-1485919043.94-240537002849590/git.py && sleep 0'"'"''
    <ub01> ESTABLISH SSH CONNECTION FOR USER: None
    <ub01> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)(-o)(ForwardAgent=yes)
    <ub01> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
    <ub01> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
    <ub01> SSH: PlayContext set ssh_common_args: ()
    <ub01> SSH: PlayContext set ssh_extra_args: ()
    <ub01> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
    <ub01> SSH: EXEC ssh -vvv -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r -tt ub01 '/bin/sh -c '"'"'sudo -H -S -n -u ansible /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-cxuzmrsbxdvydelfnjrsmgvocgkeptxd; /usr/bin/python /tmp/ansible-tmp-1485919043.94-240537002849590/git.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
    <ub01> ESTABLISH SSH CONNECTION FOR USER: None
    <ub01> SSH: ansible.cfg set ssh_args: (-o)(ControlMaster=auto)(-o)(ControlPersist=60s)(-o)(ForwardAgent=yes)
    <ub01> SSH: ansible_password/ansible_ssh_pass not set: (-o)(KbdInteractiveAuthentication=no)(-o)(PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey)(-o)(PasswordAuthentication=no)
    <ub01> SSH: ANSIBLE_TIMEOUT/timeout set: (-o)(ConnectTimeout=10)
    <ub01> SSH: PlayContext set ssh_common_args: ()
    <ub01> SSH: PlayContext set ssh_extra_args: ()
    <ub01> SSH: found only ControlPersist; added ControlPath: (-o)(ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r)
    <ub01> SSH: EXEC ssh -vvv -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o ConnectTimeout=10 -o ControlPath=/home/ansible/.ansible/cp/ansible-ssh-%h-%p-%r ub01 '/bin/sh -c '"'"'rm -f -r /tmp/ansible-tmp-1485919043.94-240537002849590/ > /dev/null 2>&1 && sleep 0'"'"''
    fatal: [ub01]: FAILED! => {
        "changed": false,
        "cmd": "/usr/bin/git clone --origin origin '' /home/ansible/project/mezzanine-example",
        "failed": true,
        "invocation": {
            "module_args": {
                "accept_hostkey": true,
                "bare": false,
                "clone": true,
                "depth": null,
                "dest": "/home/ansible/project/mezzanine-example",
                "executable": null,
                "force": false,
                "key_file": null,
                "recursive": true,
                "reference": null,
                "refspec": null,
                "remote": "origin",
                "repo": "git@github.com:lorin/mezzanine-example.git",
                "ssh_opts": null,
                "track_submodules": false,
                "umask": null,
                "update": true,
                "verify_commit": false,
                "version": "HEAD"
            },
            "module_name": "git"
        },
        "msg": "Cloning into '/home/ansible/project/mezzanine-example'...\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.",
        "rc": 128,
        "stderr": "Cloning into '/home/ansible/project/mezzanine-example'...\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n",
        "stdout": "",
        "stdout_lines": []
    }
            to retry, use: --limit @/home/ansible/playbooks/git.retry

    PLAY RECAP *********************************************************************
    ub01                       : ok=1    changed=0    unreachable=0    failed=1
Update
Thanks to the answer from @Jakuje and other articles, I learned that the SSH agent listens on a UNIX socket file, whose name is stored in the SSH_AUTH_SOCK environment variable. However, sudo strips environment variables, so the sudo-ed SSH client does not know how to talk to the SSH agent, and therefore SSH authentication cannot succeed.
The solution is in the article @Jakuje provided.
When you forward the ssh-agent socket, it is created with the permissions of the user who is connecting. Later, ansible uses sudo (become) to change the user to another user (ansible), which results in:
- the target user not having access to the forwarded socket
- the environment variable that "keeps the connection" to the agent socket not being preserved across sudo
If the target user is root, the first should not be a problem. The second can be solved by modifying /etc/sudoers on the server to contain the line
    Defaults env_keep += "SSH_AUTH_SOCK"
This is explained further in the article on SO.
Overcoming the second problem will be more complicated, since you do not want the forwarded socket to be usable by all users. Have you considered connecting directly as the ansible user?
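The two failure modes described in this answer (and in the update above), as an added example that is not part of the original question or answer and is not Ansible's, sudo's or OpenSSH's code: a small Python model of sudo's env_reset with env_keep, plus a check of who can actually use an agent socket, run against a socket constructed in a temporary directory. The function names, the result strings, and DEFAULT_KEEP (a deliberately reduced subset of sudo's real default env_keep list) are assumptions of this example; the "ok-world-accessible" result exists to make visible that loosening the socket's permissions would make the clone work at the price of handing the forwarded agent to every local user.

```python
"""Diagnose why a forwarded ssh-agent stops working after sudo/become.

Added example; not Ansible's, sudo's or OpenSSH's code. It models:
  1. sudo's env_reset, which drops SSH_AUTH_SOCK unless /etc/sudoers
     lists it in env_keep;
  2. the forwarded agent socket, which is owned by the connecting user
     and is not usable by a different non-root user.
Group ownership is ignored for brevity (an assumption of this model).
"""
import os
import re
import socket
import stat
import tempfile

# Variables sudo keeps by default even under env_reset. This is a reduced
# subset; the real default list is in sudoers(5) and varies per distro.
DEFAULT_KEEP = {"HOME", "LOGNAME", "PATH", "SHELL", "TERM", "USER"}

# Matches lines such as:  Defaults env_keep += "SSH_AUTH_SOCK"
ENV_KEEP_RE = re.compile(r'^\s*Defaults\s+env_keep\s*\+?=\s*"?([^"#]*)"?', re.M)


def env_keep_from_sudoers(sudoers_text):
    """Collect variable names listed on Defaults env_keep lines."""
    names = set()
    for m in ENV_KEEP_RE.finditer(sudoers_text):
        names.update(m.group(1).split())
    return names


def env_after_sudo(env, sudoers_text=""):
    """Model env_reset: keep only default-kept variables plus env_keep ones."""
    keep = DEFAULT_KEEP | env_keep_from_sudoers(sudoers_text)
    return {k: v for k, v in env.items() if k in keep}


def classify_socket(st_uid, st_mode, uid):
    """Decide whether a process running as `uid` can connect to the socket."""
    if not stat.S_ISSOCK(st_mode):
        return "not-a-socket"
    if uid == 0 or st_uid == uid:
        return "ok"  # root, or the same user that forwarded the agent
    if st_mode & stat.S_IWOTH:
        # Works, but every local user can now sign with the forwarded keys.
        return "ok-world-accessible"
    return "owned-by-other-user"


def diagnose_agent(env, uid):
    """Return why an ssh client run with `env` as `uid` can (not) reach the agent."""
    path = env.get("SSH_AUTH_SOCK")
    if not path:
        return "no-SSH_AUTH_SOCK"  # what sudo's env_reset produces
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "socket-missing"
    return classify_socket(st.st_uid, st.st_mode, uid)


def demo():
    """Create an agent-style socket and replay the scenarios from the question."""
    tmp = tempfile.mkdtemp(prefix="ssh-")
    path = os.path.join(tmp, "agent.1")  # constructed stand-in for /tmp/ssh-XXXX/agent.N
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)  # sshd creates the forwarded socket owner-only
    me = os.getuid()
    # Constructed environment of the connecting user on the target host.
    env = {"USER": "ansible", "HOME": "/home/ansible", "SSH_AUTH_SOCK": path}
    results = {
        "no_become": diagnose_agent(env, me),
        "become_default_sudoers": diagnose_agent(env_after_sudo(env), me),
        "become_env_keep": diagnose_agent(
            env_after_sudo(env, 'Defaults env_keep += "SSH_AUTH_SOCK"\n'), me),
    }
    srv.close()
    os.unlink(path)
    os.rmdir(tmp)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:24s} {outcome}")
```

Running it shows the same split the answer describes: without become the socket is reachable, with become under default sudoers the client has no SSH_AUTH_SOCK at all, and with the env_keep line the variable survives. The ownership case that remains when become_user is not root is only reachable through classify_socket with a foreign uid, which is the situation the answer suggests avoiding by connecting as the ansible user rather than by widening the socket's permissions.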