Ansible SSH connection to a private host through a public jump host


Public IP: xxx.xxx.xxx.xxx (this IP can be used to reach the public VM directly; its inventory entry is: webserver-1 ansible_port=50003 ansible_host=xxx.xxx.xxx.xxx ansible_user=ronak ansible_ssh_private_key_file=priv_key)

Private IP: 10.0.2.4 (ssh ronak@10.0.2.4)

                                  ssh                          ssh
vagrant host ----> public host (port: 50003) ----> private host (port: 22)
                                   ^                             ^
                                using A's                     using B's
                                ssh priv key                   PASSWORD

hosts:

[database]
dbserver-1 ansible_port=22 ansible_host=10.0.2.4 ansible_user=ronak ansible_ssh_pass=password

dbserver.yml:

- hosts: "database"
  remote_user: ronak
  become: yes
  become_user: root
  become_method: sudo
  gather_facts: no
  vars:
    # first hop: reach the public host with its private key; the second hop
    # (the private host itself) authenticates with ansible_ssh_pass from the inventory
    ansible_ssh_common_args: '-o ProxyCommand="ssh -i ./priv_key -o StrictHostKeyChecking=no -W %h:%p ronak@xx.xx.xx.xx -p 50003"'
  roles:
    - dbserver

Error:

vagrant@vagrant-ubuntu-trusty-64:/var/www/Ansible$ ansible-playbook dbserver.yml -vvv
Using /var/www/Ansible/ansible.cfg as config file

task path: /var/www/Ansible/roles/dbserver/tasks/main.yml:2
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/packaging/os/apt.py
<10.0.2.4> ESTABLISH SSH CONNECTION FOR USER: ronak
<10.0.2.4> SSH: EXEC sshpass -d12 ssh -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o Port=22 -o User=ronak -o ConnectTimeout=10 -o 'ProxyCommand=ssh -i ./priv_key -o StrictHostKeyChecking=no -W %h:%p ronak@xx.xx.xx.xx -p 50003' -o ControlPath=/home/vagrant/.ansible/cp/dbabe40296 10.0.2.4 '/bin/sh -c '"'"'echo ~ && sleep 0'"'"''
<10.0.2.4> (5, '', "Warning: Permanently added '10.0.2.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.\r\n")
<10.0.2.4> ESTABLISH SSH CONNECTION FOR USER: ronak
<10.0.2.4> SSH: EXEC sshpass -d12 ssh -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o Port=22 -o User=ronak -o ConnectTimeout=10 -o 'ProxyCommand=ssh -i ./priv_key -o StrictHostKeyChecking=no -W %h:%p ronak@xx.xx.xx.xx -p 50003' -o ControlPath=/home/vagrant/.ansible/cp/dbabe40296 10.0.2.4 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo ~/.ansible/tmp/ansible-tmp-1495038139.56-230805529478418 `" && echo ansible-tmp-1495038139.56-230805529478418="` echo ~/.ansible/tmp/ansible-tmp-1495038139.56-230805529478418 `" ) && sleep 0'"'"''
<10.0.2.4> (5, '', "Warning: Permanently added '10.0.2.4' (ECDSA) to the list of known hosts.\r\nPermission denied, please try again.\r\n")
fatal: [dbserver-1]: UNREACHABLE! => {
    "changed": false,
    "msg": "Authentication failure.",
    "unreachable": true
}

ansible.cfg:

[defaults]
inventory         = ./hosts
ask_sudo_pass     = True
host_key_checking = False

[paramiko_connection]
record_host_keys = False

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o UserKnownHostsFile=/dev/null

ANSIBLE_DEBUG output:

Warning: Permanently added '10.0.2.4' (ECDSA) to the list of known hosts.
<<<

4156 1495119116.27802: stderr chunk (state=3):
>>>debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
<<<

4156 1495119116.27876: stderr chunk (state=3):
>>>debug2: set_newkeys: mode 0
<<<

4156 1495119116.27929: stderr chunk (state=3):
>>>debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
<<<

4156 1495119116.37456: stderr chunk (state=3):
>>>debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/vagrant/.ssh/id_rsa ((nil)),
debug2: key: /home/vagrant/.ssh/id_dsa ((nil)),
debug2: key: /home/vagrant/.ssh/id_ecdsa ((nil)),
debug2: key: /home/vagrant/.ssh/id_ed25519 ((nil)),
<<<

4156 1495119116.40286: stderr chunk (state=3):
>>>debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/vagrant/.ssh/id_rsa
debug3: no such identity: /home/vagrant/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/vagrant/.ssh/id_dsa
debug3: no such identity: /home/vagrant/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/vagrant/.ssh/id_ecdsa
debug3: no such identity: /home/vagrant/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/vagrant/.ssh/id_ed25519
debug3: no such identity: /home/vagrant/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
<<<

4156 1495119116.40710: stderr chunk (state=3):
>>>debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
debug2: we sent a password packet, wait for reply
<<<

4156 1495119118.39890: stderr chunk (state=3):
>>>debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
<<<

/var/log/auth.log on 10.0.4.2:

May 18 15:03:16 dev-db-VM0 sshd[51082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.5  user=ronak
May 18 15:03:18 dev-db-VM0 sshd[51082]: Failed password for ronak from 10.0.1.5 port 49234 ssh2
May 18 15:03:18 dev-db-VM0 sshd[51082]: Failed password for ronak from 10.0.1.5 port 49234 ssh2
May 18 15:03:18 dev-db-VM0 sshd[51082]: Connection closed by 10.0.1.5 port 49234 [preauth]
May 18 15:03:20 dev-db-VM0 sshd[51086]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.5  user=ronak
May 18 15:03:22 dev-db-VM0 sshd[51086]: Failed password for ronak from 10.0.1.5 port 49236 ssh2
May 18 15:03:22 dev-db-VM0 sshd[51086]: Connection closed by 10.0.1.5 port 49236 [preauth]

Your "error" doesn't really indicate an error unless you have a specific reason to believe the control socket should be there. What actually happens when you run ansible? - Kenster
What about running ssh ronak@xxx.xxx.xxx.xxx -i ./priv_key -p 50003 from outside the VNET? - fernandezcuesta
Try replacing -q in the ProxyCommand argument with -vvv so that the ssh errors are no longer hidden. - fernandezcuesta
"Permission denied" means the server did not find a valid authentication among what was offered. Double-check that you are using the correct key. Try connecting with ssh ronak@xxx.xxx.xxx.xxx -i ./priv-key -p50003 -F /dev/null -o IdentitiesOnly=yes -vvv to see whether that key (./priv-key) is valid. - fernandezcuesta
@allo: the path is correct. - RNK
1 Answer

Look at the sshd log:
May 18 15:03:20 dev-db-VM0 sshd[51086]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.5  user=ronak
May 18 15:03:22 dev-db-VM0 sshd[51086]: Failed password for ronak from 10.0.1.5 port 49236 ssh2

I believe the problem is that the password for the ronak account is incorrect.

Make sure it is set correctly (copy and paste it into the configuration file again).
Also make sure there is no variable precedence conflict.
You can try running the playbook with the -e ansible_ssh_pass=password argument to make sure the password setting has the highest precedence.

P.S. I reproduced your environment in virtual machines, and everything works with a similar setup.


ansible_ssh_pass is already defined in the hosts file; please see the question. But it is not used in the ProxyCommand. How do I use that password in the ProxyCommand? - RNK
Yes, I saw the hosts file. Your proxy command does not need the password: it uses the privkey file instead of a password. The password is only used for the second connection. You may have another variable level where a different ansible_ssh_pass is defined, which is why I suggested trying -e to be sure. - Konstantin Suvorov
Thanks! It works perfectly now. So that is the only way to supply the password, right? From the command itself? It would be very helpful if you could update your answer for the case where we use a private key instead of a password! - RNK
With key authentication you can use -e ansible_ssh_private_key_file=key_file. But this is not the recommended way; I only showed you how to overcome/debug your authentication problem. If setting the password via extra vars (-e) works for you, you should check your environment for the place where ansible_ssh_pass may be overriding your inventory value (perhaps a role's variables or something else). - Konstantin Suvorov
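The answer's reasoning rests on reading the private host's sshd log: connections arriving from the jump host's address (rhost=10.0.1.5 on the page) prove the ProxyCommand hop works, and the repeated "Failed password" lines show that it is the second hop's credential being rejected. The following triage script, added here as an example and not part of the question or the answer, folds those sshd lines into per-session records and returns which hop is failing; the session dict layout and the verdict strings are this example's own choices, and the log text is the one quoted in the question.

```python
import re

# Constructed sample input: the sshd lines the question quotes from the private
# host's /var/log/auth.log (same addresses and PIDs as on the page, not live data).
AUTH_LOG = """\
May 18 15:03:16 dev-db-VM0 sshd[51082]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.5  user=ronak
May 18 15:03:18 dev-db-VM0 sshd[51082]: Failed password for ronak from 10.0.1.5 port 49234 ssh2
May 18 15:03:18 dev-db-VM0 sshd[51082]: Failed password for ronak from 10.0.1.5 port 49234 ssh2
May 18 15:03:18 dev-db-VM0 sshd[51082]: Connection closed by 10.0.1.5 port 49234 [preauth]
May 18 15:03:20 dev-db-VM0 sshd[51086]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.1.5  user=ronak
May 18 15:03:22 dev-db-VM0 sshd[51086]: Failed password for ronak from 10.0.1.5 port 49236 ssh2
May 18 15:03:22 dev-db-VM0 sshd[51086]: Connection closed by 10.0.1.5 port 49236 [preauth]
"""

# Standard OpenSSH sshd message formats; one sshd PID corresponds to one SSH session.
FAILED = re.compile(r"sshd\[(\d+)\]: Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
CLOSED = re.compile(r"sshd\[(\d+)\]: Connection closed by (\S+) port \d+ \[preauth\]")


def sessions_from_log(log_text):
    """Fold sshd lines into per-session records: who tried, from where, with what result."""
    sessions = {}
    for line in log_text.splitlines():
        for kind, pat in (("failed", FAILED), ("accepted", ACCEPTED), ("closed", CLOSED)):
            m = pat.search(line)
            if not m:
                continue
            s = sessions.setdefault(m.group(1), {"user": None, "src": None, "failed": 0,
                                                 "accepted": None, "closed_preauth": False})
            if kind == "closed":
                s["closed_preauth"] = True
                s["src"] = s["src"] or m.group(2)
            else:
                s["user"], s["src"] = m.group(3), m.group(4)
                if kind == "failed":
                    s["failed"] += 1
                else:
                    s["accepted"] = m.group(2)   # auth method that succeeded
            break
    return sessions


def diagnose(log_text, jump_host_ip):
    """Say which hop of the jump-host -> private-host chain fails, from the private host's log."""
    sessions = sessions_from_log(log_text)
    if not sessions:
        return "no-session"                 # first hop (ProxyCommand) never reached sshd here
    if any(s["accepted"] for s in sessions.values()):
        return "authenticated"
    if all(s["src"] == jump_host_ip for s in sessions.values()):
        return "second-hop-auth-failed"     # proxy hop works; private host rejects the credential
    return "unexpected-source"              # traffic is not arriving via the jump host
```

For the page's log, diagnose(AUTH_LOG, "10.0.1.5") returns "second-hop-auth-failed", which matches the answer's conclusion that the ansible_ssh_pass value reaching the second hop is wrong or overridden.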
