Public key should not be required

[dominicast]

Mitogen needs to have a public key named *.pub laying beside the private key. That is not required for a shell ssh client if the target knows the public key in it's authorized_key and I do not even see a reason why this should be required.

I use mitogen version 0.2.2, python version 2.7.12 and ansible version 2.6.1 on Ubuntu 16.04.

Feel free to write an issue in your preferred format, however if in doubt, use
the following checklist as a guide for what to include.

DEFAULT_STRATEGY(/etc/ansible/ansible.cfg) = mitogen_linear
DEFAULT_STRATEGY_PLUGIN_PATH(/etc/ansible/ansible.cfg) = [u'/opt/mitogen-0.2.2/ansible_mitogen/plugins/strategy']

[dw]

Hi, thanks for reporting. This shouldn't be necessary, it sounds like some environment difference in your setup due to the extension.

Can you please tell me:

• Do you have "$SSH_AUTH_SOCK" set in your environment where you run Ansible? (i.e. is ssh-agent running and available)
• Does the agent have your keys added to it?
• Does your Ansible config specify any variables like ansible_ssh_private_key_file to specify an explicit key?

Thanks :)

[dominicast]

I see this behaviour in two differen environments (all I tried):

If the .pub file is not available I get the following error:

TASK [Gathering Facts] **************************************************************************************************************************************************************************************************************
fatal: [madrid2s.switch.ch]: UNREACHABLE! => {"changed": false, "msg": "Connection timed out.", "unreachable": true}
fatal: [warsaw2s.switch.ch]: UNREACHABLE! => {"changed": false, "msg": "Connection timed out.", "unreachable": true}

Case 1 runing on a RedHat server:

ssh-agent is not available at first. Then I explicitely start a ssh-agent, add the key and specify the private-key-file explicitely. I only add the private key file to the ssh-agent, not the public key but still the .pub file must be available for this to work.

ssh-agent bash
ssh-add path-to-private-key-file
export ANSIBLE_HOST_KEY_CHECKING=False
ansible-playbook -i "./ansible/inventories/dev/inventory.yml" --key-file ./.ssh/dast -u dast --extra-vars "ansible_sudo_pass=XXXXX" --vault-password-file "./open_the_vault" ./ansible/cd.yml

Case 2 running on my local Ubuntu host:

ssh-agent is available out of the box and my

echo $SSH_AUTH_SOCK
/run/user/1000/keyring/ssh

It looks like no keys are added:

ssh-add -l
The agent has no identities.

But I have to enter the password of the private key file after running the ansible playbook like this:

ansible-playbook -i "./ansible/inventories/regapp/stage/auto.sh" --extra-vars "ansible_sudo_pass=HkmHh8ac" --vault-password-file "./open_the_vault" ./ansible/eppint.yml

Probably it adds my default keys to the subprocess loosing the information after finishing the task. Even this works only if the .pub file is available. In fact I have not yet seen a situation where it works without.

[dw]

Mitogen configures ssh with "IdentitiesOnly" when an explicit key is specified -- I'm wondering if at least in case #1, if agent authentication is actually happening with regular Ansible even though an explicit key was given.

That's a bug one way or another -- we shouldn't enable IdentitiesOnly by default.

Case #2 -- let me set up a few reproductions to figure out what's going on. Mitogen has no support for prompting for a passphrase just now, but there's another bug open for it, so potentially this is the same issue.

[dominicast]

Case #2 works even with mitogen enabled as long as the public key is available - It's not ansible or mirogen who asks for the private-key-password but Ubuntu as it is a window popping up probably as soon as one try to access the private key