--ask-become-pass not working when fingerprint is enabled (not MFA) #80883
Comments
Files identified in the description:

If these files are incorrect, please update the
I've done some investigation, since I was pretty sure the As such, I created a fake:

```bash
#!/bin/bash
# Fake sudo: stay silent for the fingerprint timeout, then hand off to the real sudo
echo "Place your finger on the fingerprint reader"
sleep 10
exec sudo "$@"
```

And this works as I expected with the The Here is a diff that seems to resolve the issue:

diff --git a/lib/ansible/plugins/connection/local.py b/lib/ansible/plugins/connection/local.py
index 0c769a4b2838e7..18ca7252164322 100644
--- a/lib/ansible/plugins/connection/local.py
+++ b/lib/ansible/plugins/connection/local.py
@@ -24,6 +24,7 @@
import pty
import shutil
import subprocess
+import time
import ansible.constants as C
from ansible.errors import AnsibleError, AnsibleFileNotFound
@@ -123,22 +124,18 @@ def exec_command(self, cmd, in_data=None, sudoable=True):
become_output = b''
try:
+ start = time.time()
while not self.become.check_success(become_output) and not self.become.check_password_prompt(become_output):
- events = selector.select(self._play_context.timeout)
- if not events:
- stdout, stderr = p.communicate()
+ if time.time() - start >= self._play_context.timeout:
raise AnsibleError('timeout waiting for privilege escalation password prompt:\n' + to_native(become_output))
+ events = selector.select(1)
for key, event in events:
- if key.fileobj == p.stdout:
- chunk = p.stdout.read()
- elif key.fileobj == p.stderr:
- chunk = p.stderr.read()
-
- if not chunk:
- stdout, stderr = p.communicate()
- raise AnsibleError('privilege output closed while waiting for password prompt:\n' + to_native(become_output))
- become_output += chunk
+ chunk = key.fileobj.read()
+ if not chunk:
+ selector.unregister(key.fileobj)
+ become_output += chunk
+ display.debug("output chunk:\n>>>%s<<<\n" % to_text(chunk))
finally:
selector.close()
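Review bot: dropping the `privilege output closed while waiting for password prompt` branch removes the only early exit for a child that dies or closes its pipes before ever prompting. Once `selector.unregister(key.fileobj)` has run for both stdout and stderr, the loop keeps calling `selector.select(1)` on an empty selector until `self._play_context.timeout` elapses and then reports the misleading `timeout waiting for privilege escalation password prompt` error; the exited child is also no longer reaped with `p.communicate()` before raising. Suggest adding `if not selector.get_map():` at the top of the loop and raising the closed-output error there, and using `time.monotonic()` instead of `time.time()` so a wall-clock step cannot shorten or extend the deadline.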
I'm not immediately planning on working on this further right now, so this can be picked up by anyone who wants to test further, and put together a proper PR.

Thanks so much for looking into it so fast! I could try to find some time next week to test it and open a PR. So about ssh: it must be the demo gods or something... I just ran the playbook over ssh to copy the output... and it worked. 10 seconds passed and the playbook was able to continue. I promise this wasn't working all week.
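The behaviour discussed above, a prompt reader that tolerates a stretch of silence while pam_fprintd waits for a finger and only fails on a real deadline or on the child closing its pipes, as an added example that is not Ansible's code and not from anyone in this issue. It goes a little beyond the diff: it also fails fast when both pipes hit EOF without success and uses a monotonic clock for the deadline. The child is a constructed stand-in for a fingerprint-enabled sudo; its prompt wording, the `BECOME-SUCCESS` marker and the password `s3cret` are assumptions made for the demo, as is the `run_become` helper itself.

```python
"""Wait for a privilege-escalation prompt through a stretch of silence.

Added example, not Ansible's code.  The child process is a constructed stand-in
for sudo with pam_fprintd enabled: it asks for a fingerprint, stays silent for
`fingerprint_timeout` seconds, then falls back to a password prompt.  The parent
gives up only when an overall deadline passes or the child closes both pipes;
a select() tick that returns nothing just means sudo is still waiting for a finger.
"""
import os
import re
import selectors
import subprocess
import sys
import time

# Constructed stand-in for a fingerprint-enabled sudo.  Prompt wording, the
# BECOME-SUCCESS marker and the password "s3cret" are assumptions for the demo.
FAKE_SUDO = r'''
import sys, time
fp_timeout = float(sys.argv[1])
sys.stderr.write("Place your finger on the fingerprint reader\n")
sys.stderr.flush()
time.sleep(fp_timeout)          # pam_fprintd waits here, then sudo falls back
sys.stderr.write("[sudo] password for user: ")
sys.stderr.flush()
if sys.stdin.readline().rstrip("\n") == "s3cret":
    sys.stdout.write("BECOME-SUCCESS\n")
    sys.stdout.flush()
    sys.exit(0)
sys.stderr.write("Sorry, try again.\n")
sys.exit(1)
'''

PROMPT_RE = re.compile(rb"\[sudo\] password for \S+: ?$")
SUCCESS_MARK = b"BECOME-SUCCESS"


def run_become(password, fingerprint_timeout, deadline, idle_tick=0.2):
    """Drive the fake sudo; return (status, collected_output).

    status is "success" (marker seen), "timeout" (deadline passed while the
    child was still alive) or "closed" (child closed stdout and stderr without
    ever succeeding, e.g. after rejecting the password).
    """
    p = subprocess.Popen(
        [sys.executable, "-c", FAKE_SUDO, str(fingerprint_timeout)],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
    )
    sel = selectors.DefaultSelector()
    sel.register(p.stdout, selectors.EVENT_READ)
    sel.register(p.stderr, selectors.EVENT_READ)
    out = b""
    sent = False
    start = time.monotonic()  # monotonic: a wall-clock step must not move the deadline
    try:
        while True:
            if SUCCESS_MARK in out:
                return "success", out
            if time.monotonic() - start >= deadline:
                return "timeout", out
            if not sel.get_map():  # both pipes hit EOF with no success marker: fail fast
                return "closed", out
            # A tick with no events is not an error; it is the fingerprint wait.
            for key, _ in sel.select(idle_tick):
                chunk = os.read(key.fileobj.fileno(), 4096)
                if not chunk:  # EOF on this pipe
                    sel.unregister(key.fileobj)
                    continue
                out += chunk
                if not sent and PROMPT_RE.search(out):
                    p.stdin.write(password.encode() + b"\n")
                    p.stdin.flush()
                    sent = True
    finally:
        sel.close()
        if p.poll() is None:
            p.kill()
        p.wait()
        for f in (p.stdin, p.stdout, p.stderr):
            f.close()


if __name__ == "__main__":
    # Fingerprint wait of 1s, overall deadline of 5s: the prompt arrives late but in time.
    status, output = run_become("s3cret", fingerprint_timeout=1.0, deadline=5.0)
    print(status)
    print(output.decode(errors="replace"))
```

The design point is the three distinct outcomes: silence is neither success nor failure until `deadline` passes, whereas EOF on both pipes is reported immediately as `closed` rather than being allowed to burn the whole timeout.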
Summary

If you've enabled auth with a fingerprint reader, `ansible-playbook` just hangs when it needs to become root. I found this issue that was dismissed as "Ansible does not support MFA": #73308

I looked through the mailing list and didn't see this person ask there. But this is not about MFA. `sudo` asks you for a fingerprint and after a set timeout (10 seconds) falls back to password entry. The key here is that Ansible does not need to support fingerprint auth (although it would be nice), but it could wait for the timeout and then enter the password when prompted for it. But today, you can wait many times this timeout and `ansible-playbook` just hangs there. Below, I'll give very detailed repro steps.

Workaround

I can clone my provision repo into the target machine, physically log in to it, change the `host` field from `all` to `localhost`, and run the playbook from there. I'm actually doing that for all the output below. The same bug presents itself BUT when `ansible-playbook` hangs trying to elevate, I can touch the fingerprint reader and that unblocks it 😆. Ansible outputs a warning about it. Here is the output of this workaround:

Issue Type
Bug Report
Component Name
sudo? become: true
Ansible Version
Configuration
OS / Environment
Steps to Reproduce
If you have a fingerprint reader (required) and haven't enabled it yet, on Debian you can do this:

```bash
sudo apt install fprintd libpam-fprintd
sudo pam-auth-update --package --enable fprintd
sudo fprintd-enroll $USER
```

In /etc/pam.d/common-auth, `pam-auth-update` would have added a line like this:

Now you can log in and sudo with your fingerprint. Here's a playbook that does something with elevated permissions:
I would run this like:
Expected Results
I expect the playbook to run to completion. Once the fingerprint entry times out, it asks for the password. That's when Ansible can enter the provided password.
Actual Results