1
votes

For security reasons and compliance, we're required to set up 2FA on our hosts. We implement it by forcing authentication with passwords AND a public key with the AuthenticationMethods setting in sshd_config. The private key is required to have a password as well.

So in order to run playbooks on these hosts, we need to be able to enter the login password and the password of the private key. I've used the -k flag together with the ansible_ssh_private_key_file option in the hosts file (or with the --private-key flag). It asks for the SSH login password but then it just hangs and never asks me for the private key passphrase. When I set the -vvvv flag I see that the key is passed correctly, but the SSH login password isn't passed with the command:

<10.1.2.2> SSH: EXEC sshpass -d10 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o Port=22022 -o 'IdentityFile="/home/me/.ssh/id_ed25519"' -o 'User="me"' -o ConnectTimeout=10 -o ControlPath=/home/me/.ansible/cp/db574551ae 10.1.2.2 '/bin/sh -c '"'"'echo ~me && sleep 0'"'"''

How can I make Ansible work with both passwords and public keys?

1
When you encrypt your private key, you already have 2FA: you own (1) the key and you know (2) the password. – ceving

@ceving True, but for PCI DSS compliance we're supposed to use both. – EarthMind

It sounds like you need to run ansible-playbook under the ssh-agent, at which time you will add your private key to the agent (providing the key password at that time) and then sshpass should(?) behave as expected since there will not be a prompt for the private key password. – mdaniel

1 Answer

1
votes

As stated in the Ansible Documentation:

Ansible does not expose a channel to allow communication between the user and the ssh process to accept a password manually to decrypt an ssh key when using the ssh connection plugin (which is the default). The use of ssh-agent is highly recommended.

This is why you don't get prompted to type in your private key password. As said in the comments, set up an ssh agent, and you'll be prompted for it:

$ ssh-agent bash
$ ssh-add ~/.ssh/id_rsa

Then, after playbook execution, clear out identities so as to be asked for passwords the next time:

# Deletes all identities from the agent:
ssh-add -D
# or, instead of adding identities, removes identities (selectively) from the agent:
ssh-add -d <file>

You may pack key addition, playbook execution and cleaning into one wrapper shell script.
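One way to write that wrapper, as an added example that is not part of the original answer: it starts a throwaway agent, loads the passphrase-protected key once (with a lifetime, so the identity expires even if cleanup is skipped), runs ansible-playbook with -k so sshpass gets the login password, and kills the agent on exit. The variable names KEY and INVENTORY, their default paths, and the playbook-as-first-argument convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): one script that packs key
# addition, playbook execution and cleanup. Assumed names: KEY (passphrase
# protected private key), INVENTORY (inventory file), playbook as $1.
set -u

KEY="${KEY:-$HOME/.ssh/id_ed25519}"   # assumed default path
INVENTORY="${INVENTORY:-./hosts}"     # assumed default path

# Refuse keys that ssh-add itself would reject: the file must exist and must
# not be group/world accessible. ls is used because stat -c is GNU-only.
key_file_ok() {
    f="$1"
    [ -f "$f" ] || { echo "key not found: $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "key $f is group/world accessible ($perms); chmod 600 it" >&2
        return 1
    }
    return 0
}

# True once SSH_AUTH_SOCK points at a live agent socket.
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Kill the agent we started. Registered via trap so it runs on normal exit,
# Ctrl-C, or a failed ssh-add; skipping this is what leaves a decrypted
# identity around for whatever runs next in this session.
cleanup() {
    if agent_ready; then
        ssh-add -D >/dev/null 2>&1      # drop every identity first
        ssh-agent -k >/dev/null 2>&1    # then stop the agent via SSH_AGENT_PID
    fi
}

run_playbook() {
    playbook="$1"; shift
    key_file_ok "$KEY" || return 1

    # Throwaway agent whose lifetime is this script. eval exports
    # SSH_AUTH_SOCK/SSH_AGENT_PID so the ssh processes Ansible spawns find it.
    eval "$(ssh-agent -s)" >/dev/null
    trap cleanup EXIT INT TERM
    agent_ready || { echo "ssh-agent did not start" >&2; return 1; }

    # Prompts once for the key passphrase. -t 1h: the identity expires on its
    # own even if cleanup never runs.
    ssh-add -t 1h "$KEY" || return 1

    # -k (--ask-pass) prompts for the login password and hands it to sshpass;
    # the key is served by the agent, so no passphrase prompt can hang.
    # ansible_ssh_private_key_file in the inventory can stay: ssh will ask the
    # agent to sign with that identity.
    ansible-playbook -i "$INVENTORY" -k "$playbook" "$@"
}

# Only run when invoked with a playbook, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    run_playbook "$@"
fi
```

Usage: `KEY=~/.ssh/id_ed25519 INVENTORY=hosts ./run-playbook.sh site.yml --limit db` (any extra arguments pass through to ansible-playbook). sshpass must be installed for -k to work, and the permission check exists because ssh-add refuses a key readable by others, which would otherwise surface as a confusing failure halfway through the run.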