Public key should not be required #345

Open
dominicast opened this Issue Aug 16, 2018 · 4 comments


dominicast commented Aug 16, 2018

Mitogen needs to have a public key named *.pub lying beside the private key. That is not required for a shell ssh client if the target knows the public key in its authorized_keys, and I do not even see a reason why this should be required.

I use mitogen version 0.2.2, python version 2.7.12 and ansible version 2.6.1 on Ubuntu 16.04.


DEFAULT_STRATEGY(/etc/ansible/ansible.cfg) = mitogen_linear
DEFAULT_STRATEGY_PLUGIN_PATH(/etc/ansible/ansible.cfg) = [u'/opt/mitogen-0.2.2/ansible_mitogen/plugins/strategy']

Owner

dw commented Aug 17, 2018

Hi, thanks for reporting. This shouldn't be necessary; it sounds like some environment difference in your setup due to the extension.

Can you please tell me:

  • Do you have "$SSH_AUTH_SOCK" set in your environment where you run Ansible? (i.e. is ssh-agent running and available)
  • Does the agent have your keys added to it?
  • Does your Ansible config specify any variables like ansible_ssh_private_key_file to specify an explicit key?

Thanks :)


dominicast commented Aug 17, 2018

I see this behaviour in two different environments (all I tried):

If the .pub file is not available I get the following error:

TASK [Gathering Facts] **************************************************************************************************************************************************************************************************************
fatal: [madrid2s.switch.ch]: UNREACHABLE! => {"changed": false, "msg": "Connection timed out.", "unreachable": true}
fatal: [warsaw2s.switch.ch]: UNREACHABLE! => {"changed": false, "msg": "Connection timed out.", "unreachable": true}

Case 1 running on a RedHat server:

ssh-agent is not available at first. Then I explicitly start an ssh-agent, add the key and specify the private key file explicitly. I only add the private key file to the ssh-agent, not the public key, but still the .pub file must be available for this to work.

ssh-agent bash
ssh-add path-to-private-key-file
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook -i "./ansible/inventories/dev/inventory.yml" --key-file ./.ssh/dast -u dast --extra-vars "ansible_sudo_pass=XXXXX" --vault-password-file "./open_the_vault" ./ansible/cd.yml

Case 2 running on my local Ubuntu host:

ssh-agent is available out of the box and my

echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh

It looks like no keys are added:

ssh-add -l
The agent has no identities.

But I have to enter the password of the private key file after running the ansible playbook like this:

ansible-playbook -i "./ansible/inventories/regapp/stage/auto.sh" --extra-vars "ansible_sudo_pass=HkmHh8ac" --vault-password-file "./open_the_vault" ./ansible/eppint.yml

Probably it adds my default keys to the subprocess, losing the information after finishing the task. Even this works only if the .pub file is available. In fact I have not yet seen a situation where it works without.

Owner

dw commented Aug 17, 2018

Mitogen configures ssh with "IdentitiesOnly" when an explicit key is specified -- I'm wondering if, at least in case #1, agent authentication is actually happening with regular Ansible even though an explicit key was given.

That's a bug one way or another -- we shouldn't enable IdentitiesOnly by default.

Case #2 -- let me set up a few reproductions to figure out what's going on. Mitogen has no support for prompting for a passphrase just now, but there's another bug open for it, so potentially this is the same issue.


dominicast commented Aug 17, 2018

Case #2 works even with mitogen enabled as long as the public key is available - It's not ansible or mitogen that asks for the private-key password but Ubuntu, as it is a window popping up, probably as soon as one tries to access the private key.
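To collect the facts this thread turns on for a given --key-file (the checklist dw asked for, whether a .pub sits beside the key, and whether the key is passphrase-protected, which matters because Mitogen cannot prompt for one), here is an added diagnostic script; it is not Mitogen's or Ansible's code, and `make_openssh_key` builds a constructed sample key header for offline testing, not a real key.

```python
import base64
import os
import struct

# Added diagnostic (not Mitogen's code). Reports, for one private key file:
# is a .pub beside it, does the key need a passphrase, is SSH_AUTH_SOCK set.
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    # One length-prefixed SSH string (uint32 big-endian length, then bytes).
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def private_key_is_encrypted(pem_text):
    # True if loading this PEM-framed private key would prompt for a passphrase.
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # openssh-key-v1 layout: magic, then cipher name; "none" = unencrypted.
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY) flags encryption in a header line.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def diagnose_key(key_path, environ=None):
    # environ may be passed explicitly so the check is reproducible offline.
    environ = os.environ if environ is None else environ
    with open(key_path) as f:
        encrypted = private_key_is_encrypted(f.read())
    return {
        "pub_present": os.path.exists(key_path + ".pub"),
        "key_encrypted": encrypted,
        "agent_sock_set": bool(environ.get("SSH_AUTH_SOCK")),
    }


def make_openssh_key(cipher=b"none"):
    # Constructed sample (hypothetical): only the header fields parsed above.
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % b64)
```

Run `diagnose_key("/path/to/key")` on the control host; if `pub_present` is False and `key_encrypted` is True, ssh must open the private key itself to learn the public half, and that is the passphrase prompt Mitogen cannot answer.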

@dw dw added the user-reported label Sep 12, 2018
