用Ansible转发SSH代理 [英] SSH Agent Forwarding with Ansible

问题描述

我使用Ansible 1.5.3和Git与ssh代理转发（ https：// help。 github.com/articles/using-ssh-agent-forwarding ）。我可以登录到我使用Ansible管理的服务器，并测试我的连接是否正确配置：

：〜$ ssh -T git@github.com
你好gituser！您已成功通过身份验证，但GitHub不提供shell访问权限。

我也可以使用此帐户克隆和更新我的回购协议中的一个，这样我的git配置看起来很好用当我通过ssh直接登录到我的服务器时，ssh转发。

问题：当我使用Ansible命令模块尝试上面显示的相同测试时。它以权限被拒绝失败。

 失败：[xxx.xxxxx.com] => {changed：true，cmd：[ssh，-T，git@github.com]，delta：0：00：00.585481，end：2014-06 -09 14：11：37.410907，rc：255，start：2014-06-09 14：11：36.825426} 
 stderr：Permission denied（publickey）。 
  

以下是运行此命令的简单操作手册：

   - 主机：web服务器
 sudo：是
 remote_user：ubuntu 
 
任务：
 
  - 名称：测试git ssh连接正在工作。 
命令：ssh -T git@github.com 
  

问题：为什么一切正常正确的时候我手动登录通过SSH并运行命令，但失败时，通过Ansible相同的用户运行相同的用户？

我会很快发布答案，如果没有还有一个人打败了我。尽管我使用git来演示这个问题，但是依赖于ssh代理转发的任何模块都可能会发生这种情况。它不是特定于Ansible，但我怀疑在这种情况下很多人会首先遇到问题。 解决方案

这一行来自剧本：

  sudo：是
  

sudo在远程主机上运行时，登录时由ssh设置的环境变量不再可用。特别是，标识用于与代理通信的UNIX域套接字的路径的SSH_AUTH_SOCK不再可见，所以ssh代理转发不起作用。

避免在不需要时使用sudo是解决问题的一种方法。另一种方法是通过创建一个sudoers文件确保SSH_AUTH_SOCK在sudo会话期间继续存在：

  / etc / sudoers：
 
默认值env_keep + =SSH_AUTH_SOCK
  

I’m using Ansible 1.5.3 and Git with ssh agent forwarding (https://help.github.com/articles/using-ssh-agent-forwarding). I can log into the server that I am managing with Ansible and test that my connection to git is correctly configured:

ubuntu@test:~$ ssh -T git@github.com
Hi gituser! You've successfully authenticated, but GitHub does not provide shell access.

I can also clone and update one of my repos using this account so my git configuration looks good and uses ssh forwarding when I log into my server directly via ssh.

The problem: When I attempt the same test shown above using the Ansible command module. It fails with "Permission denied". Part of the Ansible output (with verbose logging) looks like this:

failed: [xxx.xxxxx.com] => {"changed": true, "cmd": ["ssh", "-T", "git@github.com"], "delta": "0:00:00.585481", "end": "2014-06-09 14:11:37.410907", "rc": 255, "start": "2014-06-09 14:11:36.825426"}
stderr: Permission denied (publickey).

Here is the simple playbook that runs this command:

- hosts: webservers
  sudo: yes
  remote_user: ubuntu

  tasks:

  - name: Test that git ssh connection is working.
    command: ssh -T git@github.com

The question: why does everything work correctly when I manually log in via ssh and run the command but fail when the same command is run as the same user via Ansible?

I will post the answer shortly if no one else beats me to it. Although I am using git to demonstrate the problem, it could occur with any module that depends on ssh agent forwarding. It is not specific to Ansible but I suspect many will first encounter the problem in this scenario.

解决方案

The problem is resolved by removing this line from the playbook:

sudo: yes

When sudo is run on the remote host, the environment variables set by ssh during login are no longer available. In particular, SSH_AUTH_SOCK, which "identifies the path of a UNIX-domain socket used to communicate with the agent" is no longer visible so ssh agent forwarding does not work.

Avoiding sudo when you don't need it is one way to work around the problem. Another way is to ensure that SSH_AUTH_SOCK sticks around during your sudo session by creating a sudoers file:

/etc/sudoers:

     Defaults    env_keep += "SSH_AUTH_SOCK"

这篇关于用Ansible转发SSH代理的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！