SSH Authentication errors with Foreman's Ansible plugin

Hello community, I have a problem getting the Ansible plugin to work from the Foreman GUI.

The system is CentOS Linux release 7.4.1708 (Core).
I installed Foreman 1.17 by using the foreman-installer. The installation options were all related to Ansible and to the Remote Execution Plugin. I will provide the full foreman-installer command if needed.
Puppet version is 5.5.1.

Here is how I configured everything in the Foreman GUI:

The “About” page in the Foreman GUI says that all the plugins have been installed: TFTP, Puppet, Puppet CA, Logs, Dynflow, Ansible, SSH.

Whenever I try to do a “Schedule Remote Job” from the Foreman GUI and try to execute a command (example: whoami) on some of my hosts, the Job Task shows the following error:

Error initializing command: Net::SSH::AuthenticationFailed - Authentication failed for user root@myhost.mydomain.

I added the following 3 lines to /etc/environment and /etc/sysconfig/foreman:

  • FOREMAN_URL=https://foreman-ansible.mydomain.pem
  • FOREMAN_SSL_CERT=/etc/puppetlabs/puppet/ssl/certs/foreman-ansible.mydomain.pem
  • FOREMAN_SSL_KEY=/etc/puppetlabs/puppet/ssl/private_keys/foreman-ansible.mydomain.pem

The /etc/ansible/ansible.cfg, /etc/foreman-proxy/ansible.cfg and /usr/share/foreman-proxy/.ansible.cfg all look the same:

[defaults]
callback_whitelist = foreman
local_tmp = /tmp
host_key_checking = False

[callback_foreman]
url = https://foreman-ansible.mydomain
ssl_cert = /etc/puppetlabs/puppet/ssl/certs/foreman-ansible.mydomain.pem
ssl_key = /etc/puppetlabs/puppet/ssl/private_keys/foreman-ansible.mydomain.pem
verify_certs = /etc/puppetlabs/puppet/ssl/certs/ca.pem

For the SSH keys I did the following:

root# ssh-keygen (Generated an id_rsa and id_rsa.pub key pairs without a passphrase)
root# cd /root/.ssh/
root# chmod 600 id_rsa*
root# cp id_rsa ~foreman-proxy/.ssh/id_rsa_foreman_proxy
root# cp id_rsa.pub ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub
root# cd ~foreman-proxy/.ssh/
root# chown foreman-proxy:foreman-proxy id_rsa_foreman_proxy*
root# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub root@host1.mydomain
root# ssh-copy-id -i ~foreman-proxy/.ssh/id_rsa_foreman_proxy.pub root@host2.mydomain

I am able to log in without a password from the foreman-ansible server to the target hosts (host1 and host2) from the command line (ssh root@host1.mydomain and ssh root@host2.mydomain). I am also able to run ansible from the command line as I added my hosts to /etc/ansible/hosts and /etc/foreman-proxy/hosts (ansible host1.mydomain -m command -a "uname -a").

However, when I try to do it from the Foreman GUI it fails with the error mentioned above.

Any suggestions on what I can do?

Hello,
if I recall correctly foreman_ansible older than 2.1.2 uses ~foreman-proxy/id_rsa as the private key instead of ~foreman-proxy/id_rsa_foreman_proxy. I think it can be configured somehow, but I’m not sure how or where, @dLobatog would know. The quick and dirty solution would be just to copy or symlink the files to have the same key in both places.

I think you’re right. The screenshot doesn’t show the setting “Private Key Path” which was a bug we had in previous versions of Foreman Ansible.

@Ji1990 You can do what @aruzicka mentioned, try putting the key in there. However I would recommend updating to the most recent version so the key is correct, plus you will get some other important bugfixes. It should be a matter of ‘yum update tfm-rubygem-foreman_ansible’ and restarting the server.

As you can see here, you should be able to choose the location of the SSH key (defaults to what you put on your original post):

Aside from that, I think you are missing FOREMAN_SSL_VERIFY in the callback configuration. You can set the path to the CA (/etc/puppetlabs/puppet/ssl/certs/ca.pem I think) or disable it (False). One of the two is necessary unless your puppet CA is included in the system CA bundle which I doubt.

Let us know if this helped.
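A check for the key-path mismatch discussed in the two replies above, as an added example that is not part of the thread or of Foreman's own tooling: it reports whether a usable private key exists under each of the two file names mentioned. The function names, return codes and the directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit SSH private keys for a service user.
# The two key names come from the thread; everything else is an assumption.

# check_key FILE OWNER
# Returns 0 usable, 1 missing, 2 readable by group/others, 3 wrong owner.
check_key() {
    key=$1
    owner=$2
    if [ ! -f "$key" ]; then
        echo "MISSING     $key"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits;
    # OpenSSH ignores a private key file that has any of them set.
    # -L follows symlinks, so a symlinked key is judged by its target.
    if [ "$(ls -ldL "$key" | cut -c5-10)" != "------" ]; then
        echo "TOO_OPEN    $key"
        return 2
    fi
    # Compare numeric uids so OWNER may be a user name or a uid.
    want=$(id -u "$owner" 2>/dev/null || echo "$owner")
    have=$(ls -ldnL "$key" | awk '{print $3}')
    if [ "$have" != "$want" ]; then
        echo "WRONG_OWNER $key (uid $have, expected $want)"
        return 3
    fi
    echo "OK          $key"
    return 0
}

# audit_keys DIR OWNER
# Checks both candidate names; returns 0 only if every candidate is usable,
# so a key installed under just one of the names is reported.
audit_keys() {
    dir=$1
    owner=$2
    failed=0
    for name in id_rsa id_rsa_foreman_proxy; do
        check_key "$dir/$name" "$owner" || failed=1
    done
    return "$failed"
}

# Usage: sh audit_keys.sh /usr/share/foreman-proxy/.ssh foreman-proxy
if [ "$#" -ge 2 ]; then
    audit_keys "$1" "$2"
fi
```
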

Hello, thank you both for the awesome feedback 🙂

I added the FOREMAN_SSL_VERIFY=True line as described. I will try to play with the key file names as well.

The version of Ansible I have installed is:

ansible-2.5.3-1.el7.noarch

The version of the Ansible Plugin I have installed is:

tfm-rubygem-foreman_ansible_core-2.0.2-1.fm1_17.el7.noarch
tfm-rubygem-foreman_ansible-2.0.1-1.fm1_17.el7.noarch

I am not sure how you have so many available settings in the Ansible tab of the GUI.
The repository it is using is http://yum.theforeman.org/plugins/1.17/el7/x86_64/. I am not sure where I can find a newer version of the plugin. yum install/update doesn’t let me update the packages as these are the latest ones available in the repository.

The API result:

{
  "id": "foreman_ansible",
  "name": "foreman_ansible",
  "author": "Daniel Lobato Garcia",
  "description": "Ansible integration with Foreman",
  "url": "https://github.com/theforeman/foreman_ansible",
  "version": "2.0.1"
},

@Ji1990 Oh - I realized now.


was not merged to 1.17. I only see it on nightly.

About changing the SSH key path, can you try to add a parameter to your host (or a global parameter, or a host group parameter) in Foreman: 'ansible_ssh_private_key_file' : '/usr/share/foreman-proxy/.ssh/id_rsa_foreman_proxy' ?

I am testing this on nightly now and everything works fine out of the box, except for a thing I’m debugging (/usr/share/foreman-ansible/ansible.cfg is ignored and only /etc/ansible/ansible.cfg is used) but hopefully with the host parameter you can get by until 1.18 comes out?

@packaging is there any reason why that could not be merged to 1.17? Maybe it’s because it contains the webpacked assets.

Correct, in 1.17 we couldn’t deal with webpack in plugins. 1.18 should contain all the fixes needed.

Thank you all for your help. I will do some tests and wait for v1.18.

You guys are amazing, keep up the great work 🙂
