使用 Ansible 进行 SSH 代理转发 [英] SSH Agent Forwarding with Ansible

问题描述

我将 Ansible 1.5.3 和 Git 与 ssh 代理转发一起使用(https://help.github.com/articles/using-ssh-agent-forwarding).我可以登录到我使用 Ansible 管理的服务器并测试我与 git 的连接是否正确配置:

I’m using Ansible 1.5.3 and Git with ssh agent forwarding (https://help.github.com/articles/using-ssh-agent-forwarding). I can log into the server that I am managing with Ansible and test that my connection to git is correctly configured:

ubuntu@test:~$ ssh -T git@github.com
Hi gituser! You've successfully authenticated, but GitHub does not provide shell access.

我还可以使用此帐户克隆和更新我的一个存储库，因此当我通过 ssh 直接登录到我的服务器时，我的 git 配置看起来不错并且使用了 ssh 转发.

I can also clone and update one of my repos using this account so my git configuration looks good and uses ssh forwarding when I log into my server directly via ssh.

问题:当我使用 Ansible 命令模块尝试上面显示的相同测试时.它因权限被拒绝"而失败.Ansible 输出的一部分(带有详细日志记录)如下所示:

The problem: When I attempt the same test shown above using the Ansible command module. It fails with "Permission denied". Part of the Ansible output (with verbose logging) looks like this:

failed: [xxx.xxxxx.com] => {"changed": true, "cmd": ["ssh", "-T", "git@github.com"], "delta": "0:00:00.585481", "end": "2014-06-09 14:11:37.410907", "rc": 255, "start": "2014-06-09 14:11:36.825426"}
stderr: Permission denied (publickey).

这是运行此命令的简单剧本:

Here is the simple playbook that runs this command:

- hosts: webservers
  sudo: yes
  remote_user: ubuntu

  tasks:

  - name: Test that git ssh connection is working.
    command: ssh -T git@github.com

问题:为什么当我通过 ssh 手动登录并运行命令时一切正常，但在通过 Ansible 以同一用户身份运行相同命令时失败?

The question: why does everything work correctly when I manually log in via ssh and run the command but fail when the same command is run as the same user via Ansible?

如果没有其他人打败我，我会尽快发布答案.尽管我使用 git 来演示该问题，但任何依赖于 ssh 代理转发的模块都可能发生该问题.它不是 Ansible 特有的，但我怀疑很多人会在这种情况下首先遇到这个问题.

I will post the answer shortly if no one else beats me to it. Although I am using git to demonstrate the problem, it could occur with any module that depends on ssh agent forwarding. It is not specific to Ansible but I suspect many will first encounter the problem in this scenario.

推荐答案

通过从剧本中删除这一行来解决问题:

The problem is resolved by removing this line from the playbook:

sudo: yes

在远程主机上运行sudo时，登录时ssh设置的环境变量不再可用.特别是 SSH_AUTH_SOCK，它标识用于与代理通信的 UNIX 域套接字的路径"不再可见，因此 ssh 代理转发不起作用.

When sudo is run on the remote host, the environment variables set by ssh during login are no longer available. In particular, SSH_AUTH_SOCK, which "identifies the path of a UNIX-domain socket used to communicate with the agent" is no longer visible so ssh agent forwarding does not work.

在不需要时避免使用 sudo 是解决问题的一种方法.另一种方法是通过创建 sudoers 文件来确保 SSH_AUTH_SOCK 在您的 sudo 会话期间保持不变:

Avoiding sudo when you don't need it is one way to work around the problem. Another way is to ensure that SSH_AUTH_SOCK sticks around during your sudo session by creating a sudoers file:

/etc/sudoers:

     Defaults    env_keep += "SSH_AUTH_SOCK"

这篇关于使用 Ansible 进行 SSH 代理转发的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！