I just recently installed foreman and have also added ansible to it. I am trying to get ansible to run some basic stuff but for some reason it does not want to run. I always get
msg: ‘Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).’
Doing research, I have made sure to copy the ssh keys from the foreman server to the host I want to run ansible against. I have tried a different user other than root. I followed the instructions to check the permissions of .ansible from this post: Running playbook role in Foreman 1.15.6 / ansible pluging 1.4.5 / ansible 2.4.1 return an error. Mine was a bit different as it was under the foreman-proxy folder, not the foreman folder. I tried to change the permissions but it is not taking the command. I also turned on logging for ansible. After logging is on, I can run ansible -m ping pdm-wiki -vvv from the foreman server and it works fine against the other server and it will log to the ansible log. When I press run in the foreman gui for a change of the ntp server within geerlingguy.ntp I get the error above and it does not log anything to ansible.log at all.
Hi @bughatti,
I think the Ansible plugin needs the ssh keys to be in ~foreman-proxy/.ssh/, not ~foreman/.ssh/ . I think that’s required for other remote execution stuff to work too. Also check that they’re readable by the foreman-proxy user.
(I’m not a dev, but that’s how I’ve got it set up.)
Maybe I am missing something completely different here. So I have foreman set up and working, and I have been able to push NTP updates via puppet. With ansible installed, I am able to go to my host, select edit > Ansible Roles and add geerlingguy.ntp to the host. The only variable I am using from that module is to set ntp servers.
I go back to host, select run ansible roles and it fails with the above error. I am using root as the Ansible Roles - Ansible Default effective user
If I go back to cli on my foreman host logged in as root, I can effectively ssh root@othermanagedhost and connect fine.
… but it’s the foreman-proxy user on your Foreman server and the id_rsa_foreman_proxy.pub user (=root in your case) on othermanagedhost that are in play when Foreman tries to run Ansible.
As root on your foreman host, does ssh -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy root@othermanagedhost work?
If you su to foreman-proxy, can you ssh to root@othermanagedhost?
(foreman-proxy might not have a valid shell in /etc/passwd, so you might have to usermod -s it (or whatever your local systems require) for a few minutes during testing.)
The shell for foreman-proxy is probably (correctly) set to /bin/false in /etc/passwd. That’s intentional for security reasons, but it means you can’t just su over to the account.
So I am new to some of this stuff; basics I can usually accomplish, but getting in depth I have to dig around. All I did to copy the keys was, from the foreman terminal, ssh-copy-id root@pdm-wiki
Something I stated earlier: before doing the ln commands, the contents of ~/.ssh and ~foreman-proxy/.ssh had been different. Maybe doing the ln changed something, but even after the ln commands, I still went back and ran ssh-copy-id and it still does not work. I can redo keys if that is necessary, I will just need to look up what commands to run.
I think you probably just have to repeat your ssh-copy-id command, but add -i ~foreman-proxy/.ssh/id_rsa, so it sends the foreman-proxy key, not the key for the user that you’re running as on the foreman server.
But it’s important that you understand what you’re doing, because messing with auth can get you into trouble. “Any advice given is for novelty value only. If in doubt, consult a doctor.”
(sorry - I have to go now, but I’ll check back later tonight or tomorrow)
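The checks the replies above describe (the foreman-proxy user's own key and .ssh directory must exist with sane ownership and permissions, and a non-interactive ssh with that key must succeed before the GUI run can), as an added shell example that is not from the thread or from the Foreman project. The directory name ~foreman-proxy/.ssh, the user foreman-proxy and the key name id_rsa_foreman_proxy are taken from the replies above; othermanagedhost is the thread's placeholder host name. The test target and the ssh call are only made when you invoke test_connection explicitly.

```shell
#!/bin/sh
# Added example (not from the thread or the Foreman project): audit the key
# material the Ansible plugin runs with, then try the connection test from the
# thread as that key. Paths and user names are parameters; the defaults named
# in the usage comment come from the thread and may differ on your install.

# check_mode PATH OWNER ALLOWED_MODES -> 0 if PATH is owned by OWNER and its
# octal mode is one of the space-separated ALLOWED_MODES; 1 missing, 2 wrong
# owner, 3 wrong mode. Findings go to stderr.
check_mode() {
  path="$1"; owner="$2"; allowed="$3"
  [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
  # Compare numeric uids so a name-less uid (containers) still works.
  want_uid=$(id -u "$owner" 2>/dev/null || echo "$owner")
  got_uid=$(stat -c '%u' "$path" 2>/dev/null || stat -f '%u' "$path")
  got_mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%OLp' "$path")
  [ "$got_uid" = "$want_uid" ] || { echo "uid $got_uid, want $want_uid: $path" >&2; return 2; }
  for m in $allowed; do          # intentional word-splitting on ALLOWED_MODES
    [ "$got_mode" = "$m" ] && return 0
  done
  echo "mode $got_mode not in [$allowed]: $path" >&2
  return 3
}

# audit_proxy_ssh SSH_DIR OWNER KEYNAME -> returns the number of problems found
# (0 means ssh will not refuse the key for permission reasons). A private key
# readable by others is rejected by ssh outright, which surfaces in the GUI as
# the "Permission denied (publickey,...)" message from the original post.
audit_proxy_ssh() {
  sshdir="$1"; owner="$2"; key="$3"; problems=0
  check_mode "$sshdir" "$owner" "700" || problems=$((problems + 1))
  check_mode "$sshdir/$key" "$owner" "600 400" || problems=$((problems + 1))
  check_mode "$sshdir/$key.pub" "$owner" "644 600 400" || problems=$((problems + 1))
  return "$problems"
}

# test_connection KEY TARGET -> exit status of a non-interactive ssh using KEY.
# BatchMode=yes makes a key the target does not accept fail immediately instead
# of falling back to a password prompt, which is what the GUI run has to live with.
test_connection() {
  ssh -i "$1" -o BatchMode=yes -o ConnectTimeout=5 "$2" true
}

# Usage, as root on the Foreman server (host name is the thread's placeholder):
#   audit_proxy_ssh ~foreman-proxy/.ssh foreman-proxy id_rsa_foreman_proxy
#   test_connection ~foreman-proxy/.ssh/id_rsa_foreman_proxy root@othermanagedhost
# If the test fails with "Permission denied (publickey...)", install the proxy's
# public key on the target, as the reply above suggests, with the -i argument:
#   ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub root@othermanagedhost
```

audit_proxy_ssh only inspects the local files, so it is safe to run repeatedly; test_connection is the step that actually contacts the managed host, and running it as root with an explicit -i reproduces exactly the identity the proxy will present, independent of root's own ~/.ssh.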
The ln -s commands I suggested in reply 4 don’t seem to be required. I may have had them on my system for debugging purposes. Ansible plugin v3.0.2 runs without them.
The ssh_config file from reply 7 is convenient if your users frequently rebuild hosts in your environment (e.g. dev, test), resulting in changed host keys, but you don’t want to have to clean out ~foreman-proxy/.ssh/known_hosts manually. Otherwise, you probably shouldn’t have it - it removes security checks from ssh.