Ansible: "sudo: a password is required\r\n"


Problem description

Quick question

I have set up an Ubuntu server with a user named test. I copy the authorized_keys to it, I can ssh no problem. If I do $ ansible -m ping ubu1, no problem, I get a response

    ubu1 | SUCCESS => {
        "changed": false,
        "ping": "pong"
    }

What I don't get is this. If I do

$ ansible-playbook -vvvv Playbooks/htopInstall.yml

fatal: [ubu1]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_name": "setup"}, "module_stderr": "OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips  1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 6109\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to 192.168.1.112 closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false}

If I do $ ansible-playbook --ask-sudo-pass Playbooks/htopInstall.yml, then it asks for my user password and the play is a success.

If I rename the authorized_keys it tells me I "Failed to connect to the host via ssh." which is ok. What I don't understand is why is it asking for a sudo password. I definitely missed something along the way.

My ansible.cfg file looks like this

[defaults]
nocows = 1
inventory = ./Playbooks/hosts
remote_user = test
private_key_file = /home/test/.ssh/id_ubu
host_key_checking = false

My hosts file looks like this

[servers]
ubu1 ansible_ssh_host=192.168.1.112 ansible_ssh_user=test

Recommended answer

What I don't understand is why is it asking for a sudo password.

We can't say for certain without seeing your playbook, but it's almost certainly because a) your playbook asks Ansible to run a particular command with sudo (via the sudo or become directives) and b) the test user does not have password-less sudo enabled.

It sounds like you are aware of (a) but are confused about (b); specifically, what I'm picking up is that you don't understand the difference between ssh authentication and sudo authentication. Again, without more information I can't confirm if this is the case, but I'll take a stab at explaining it in case I guessed correctly.

When you connect to a machine via ssh, there are two primary ways in which sshd authenticates you and allows you to log in as a particular user. The first is to ask for the account's password, which is handed off to the system, and allows a login if it was correct. The second is through public-key cryptography, in which you prove that you have access to a private key that corresponds to a public key fingerprint in ~/.ssh/authorized_keys. Passing sshd's authentication checks gives you a shell on the machine.

When you invoke a command with sudo, you're asking sudo to elevate your privileges beyond what the account normally gets. This is an entirely different system, with rules defined in /etc/sudoers (which you should edit using sudo visudo) that control which users are allowed to use sudo, what commands they should be able to run, whether they need to re-enter their password or not when using the command, and a variety of other configuration options.

When you run the playbook normally, Ansible is presented with a sudo prompt and doesn't know how to continue - it doesn't know the account password. That's why --ask-sudo-pass exists: you're giving the password to Ansible so that it can pass it on to sudo when prompted. If you don't want to have to type this every time and you've decided it's within your security parameters to allow anyone logged in as the test user to perform any action as root, then you can consult man sudoers on how to set passwordless sudo for that account.
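
To make the sudoers side of the answer concrete, here is an added example (not part of the original answer, and not Ansible's or sudo's own code) that models how sudo chooses between running a command without a prompt, asking for a password, or refusing. The sudoers text is constructed, the `deploy` account is hypothetical, and the `test` user's membership of Ubuntu's `sudo` group is an assumption.

```python
import re

# Constructed sample: Ubuntu's stock rules plus one drop-in rule for a
# hypothetical 'deploy' account (not taken from the question).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/apt-get, PASSWD: /usr/sbin/visudo
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?P<cmnds>.+)$")
TAG = re.compile(r"^([A-Z_]+)\s*:\s*")


def sudo_decision(sudoers, user, groups, command):
    """Return 'nopasswd', 'password' or 'denied' for `user` running `command`.

    Simplified model (assumption): no aliases, negation, wildcards, command
    arguments or hosts other than ALL. As in sudo, the last match wins.
    """
    decision = "denied"
    for line in sudoers.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "@", "Defaults")):
            continue
        who = m["who"]
        applies = who[1:] in groups if who.startswith("%") else who in (user, "ALL")
        if not applies or m["host"] != "ALL":
            continue
        needs_password = True  # sudo authenticates unless a rule says otherwise
        for spec in m["cmnds"].split(","):
            spec = re.sub(r"^\([^)]*\)\s*", "", spec.strip())  # drop the Runas part
            while (tag := TAG.match(spec)):  # tags carry over to later commands
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    needs_password = tag.group(1) == "PASSWD"
                spec = spec[tag.end():]
            if spec.strip() in ("ALL", command):
                decision = "password" if needs_password else "nopasswd"
    return decision


if __name__ == "__main__":
    # Assumes the question's 'test' user is in Ubuntu's 'sudo' group.
    print(sudo_decision(SAMPLE_SUDOERS, "test", {"sudo"}, "/usr/bin/apt-get"))
    broad = SAMPLE_SUDOERS + "test ALL=(ALL) NOPASSWD: ALL\n"
    print(sudo_decision(broad, "test", {"sudo"}, "/usr/bin/apt-get"))
```

Because the last matching rule wins, a `NOPASSWD` line placed above the `%sudo` rule is overridden for members of that group. The `deploy` rule shows the narrower alternative to `NOPASSWD: ALL`: only the listed command runs without a prompt.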
