Geek Answers Handbook

You may need to request passwords automatically and only if necessary.

So ansible-playbook has --ask-pass and --ask-sudo-pass . Is there a way to get the opportunity to try ssh without a password first, and then only enter the password for the password if logging in without a password fails? Similarly, is it possible to try sudo without a password and then only ask if this does not work?

FYI I have a little shell function to try and figure it out by trial and error, but I hope that something like this is baked into the indispensable.

 get_ansible_auth_args() { local base_check="ansible all --one-line --inventory-file=deploy/hosts/localhost.yml --args=/bin/true --sudo" ${base_check} if [[ $? -eq 0 ]]; then return; fi local args="--ask-pass" ${base_check} ${args} if [[ $? -eq 0 ]]; then export ANSIBLE_AUTH_ARGS="${args}" return; fi local args="--ask-pass --ask-sudo-pass" ${base_check} ${args} if [[ $? -eq 0 ]]; then export ANSIBLE_AUTH_ARGS="${args}" return; fi }
+6
source share
1 answer

If you set ask_pass and ssh_args as shown below, then ansible should ask you for the password at the beginning once and use this password whenever auth with the public key does not work.

 [defaults] ask_pass = True [ssh_connection] ssh_args = -o PubkeyAuthentication=yes -o PasswordAuthentication=yes -o ControlMaster=auto -o ControlPersist=60s

This is still not a complete solution: Catch being (AFAIK) ansible uses sshpass , so the password that it collected from you at the beginning will be the only password it will use and it will not work if you have different passwords for different machines . :-)

The only other hack I can think of is to replace /usr/bin/ssh (or depending on your opensh ssh used by the user) with a script that will clothe the logic of reading the password from some flat file, if necessary, I a suspicious user may hide tty so that your script cannot read the password from stdin.

+1
source

More articles:


All Articles