Ansible: "sudo: a password is required\r\n"


Question

Quick question

I have set up an Ubuntu server with a user named test. I copy the authorized_keys to it, I can ssh no problem. If I do $ ansible -m ping ubu1, no problem I get a response

    ubu1 | SUCCESS => {
        "changed": false,
        "ping": "pong"
    }

What I don't get is this: if I do

$ ansible-playbook -vvvv Playbooks/htopInstall.yml

fatal: [ubu1]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_name": "setup"}, "module_stderr": "OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g-fips  1 Mar 2016\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 19: Applying options for *\r\ndebug1: auto-mux: Trying existing master\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug2: mux_client_hello_exchange: master version 4\r\ndebug3: mux_client_forwards: request forwardings: 0 local, 0 remote\r\ndebug3: mux_client_request_session: entering\r\ndebug3: mux_client_request_alive: entering\r\ndebug3: mux_client_request_alive: done pid = 6109\r\ndebug3: mux_client_request_session: session request sent\r\ndebug1: mux_client_request_session: master session id: 2\r\ndebug3: mux_client_read_packet: read header failed: Broken pipe\r\ndebug2: Received exit status from master 1\r\nShared connection to 192.168.1.112 closed.\r\n", "module_stdout": "sudo: a password is required\r\n", "msg": "MODULE FAILURE", "parsed": false}

If I do $ ansible-playbook --ask-sudo-pass Playbooks/htopInstall.yml, then it asks for my user password and the play is a success.

If I rename the authorized_keys it tells me I "Failed to connect to the host via ssh." which is ok. What I don't understand is why is it asking for a sudo password. I definitely missed something along the way.

my ansible.cfg file looks like this

[defaults]
nocows = 1
inventory = ./Playbooks/hosts
remote_user = test
private_key_file = /home/test/.ssh/id_ubu
host_key_checking = false

my hosts file looks like this

[servers]
ubu1 ansible_ssh_host=192.168.1.112 ansible_ssh_user=test

Recommended answer

What I don't understand is why is it asking for a sudo password.

We can't say for certain without seeing your playbook, but it's almost certainly because a) your playbook asks Ansible to run a particular command with sudo (via the sudo or become directives) and b) the test user does not have password-less sudo enabled.

It sounds like you are aware of (a) but are confused about (b); specifically, what I'm picking up is that you don't understand the difference between ssh authentication and sudo authentication. Again, without more information I can't confirm if this is the case, but I'll take a stab at explaining it in case I guessed correctly.

When you connect to a machine via ssh, there are two primary ways in which sshd authenticates you and allows you to log in as a particular user. The first is to ask for the account's password, which is handed off to the system, and allows a login if it was correct. The second is through public-key cryptography, in which you prove that you have access to a private key that corresponds to a public key fingerprint in ~/.ssh/authorized_keys. Passing sshd's authentication checks gives you a shell on the machine.

When you invoke a command with sudo, you're asking sudo to elevate your privileges beyond what the account normally gets. This is an entirely different system, with rules defined in /etc/sudoers (which you should edit using sudo visudo) that control which users are allowed to use sudo, what commands they should be able to run, whether they need to re-enter their password or not when using the command, and a variety of other configuration options.

When you run the playbook normally, Ansible is presented with a sudo prompt and doesn't know how to continue - it doesn't know the account password. That's why --ask-sudo-pass exists: you're giving the password to Ansible so that it can pass it on to sudo when prompted. If you don't want to have to type this every time and you've decided it's within your security parameters to allow anyone logged in as the test user to perform any action as root, then you can consult man sudoers on how to set passwordless sudo for that account.
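
An added example (not part of the original answer, and not Ansible's own code): a simplified Python check of sudoers text that reports whether sudo to root for a given user will stop at a password prompt, which is the situation the answer describes. The sample sudoers content, the `sudo` group membership and all function names are assumptions constructed for illustration; aliases, includes and per-command tags are not handled.

```python
import re

# Simplified user-spec shape: who host=(runas) [TAG: ...] cmd[, cmd...]
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?((?:[A-Z]+:\s*)*)(.+)$")

def parse_specs(text):
    """Yield (who, runas, nopasswd, commands) for each user specification."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@", "Defaults")):
            continue  # comments, include directives, Defaults settings
        if line.split()[0].endswith("_Alias"):
            continue  # alias definitions are not expanded here
        m = SPEC.match(line)
        if m:
            who, runas, tags, cmds = m.groups()
            yield (who, runas or "root", "NOPASSWD:" in tags,
                   [c.strip() for c in cmds.split(",")])

def become_outcome(text, user, groups=()):
    """Result of sudo-to-root for any command; the last matching rule wins."""
    names = {user} | {"%" + g for g in groups}
    outcome = "no-rule"
    for who, runas, nopasswd, cmds in parse_specs(text):
        targets = {r.strip() for r in runas.split(":")[0].split(",")}
        if who in names and "ALL" in cmds and targets & {"ALL", "root"}:
            outcome = "passwordless" if nopasswd else "password-required"
    return outcome

def blanket_nopasswd(text):
    """Principals granted NOPASSWD on every command (worth a review)."""
    return [who for who, _, nopw, cmds in parse_specs(text) if nopw and "ALL" in cmds]

# Constructed sample, shaped like a stock Ubuntu sudoers file
BEFORE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""
# Constructed drop-in line giving the page's `test` user password-less sudo
AFTER = BEFORE + "test ALL=(ALL) NOPASSWD: ALL\n"

if __name__ == "__main__":
    # Assumption: `test` is a member of the `sudo` group
    print(become_outcome(BEFORE, "test", groups=["sudo"]))
    print(become_outcome(AFTER, "test", groups=["sudo"]))
    print(blanket_nopasswd(AFTER))
```

Validate any real drop-in with `visudo -cf <file>` before installing it. Where a password prompt is the intended policy, `ansible-playbook --ask-become-pass` (`-K`) is the current form of `--ask-sudo-pass`.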
