08-19-2018 09:51 PM
Hi …
I have finished deploying hosts with Duo login auth.
I can successfully access them through the bastion host from my workstation and I get the Duo login prompt.
Now I have deployed Ansible to manage all my hosts.
The problem comes when the host uses Duo login auth.
Here is the command I use on the Ansible host:
ansible -v -m ping zakard-a
Using /etc/ansible/ansible.cfg as config file
zkrd-a | UNREACHABLE! => {
"changed": false,
"msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue",
"unreachable": true
}
Aug 20 04:48:11 ip-10-1-130-209 kernel: [3534958.049808] audit: type=1112 audit(1534740491.612:1890): pid=12503 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="coinone" exe="/usr/sbin/sshd" hostname=? addr=10.1.137.200 terminal=sshd res=failed'
Aug 20 04:48:11 ip-10-1-130-209 kernel: [3534958.051830] audit: type=1109 audit(1534740491.612:1891): pid=12503 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident acct="?" exe="/usr/sbin/sshd" hostname=10.1.137.200 addr=10.1.137.200 terminal=ssh res=failed'
Is there any solution for my problem?
Thanks
08-23-2018 12:24 PM
It’s probably having issues with the duo prompt. You probably want to either configure duo_unix not to prompt for the user you’re connecting via ansible as or use SSH Keys. If you’ve configured duo to challenge with SSH keys as well, you’ll have to prevent duo from prompting that user.
09-04-2019 07:25 AM
Same issue here. Duo has been configured to allow all local-network hosts, i.e. there’s no prompt being shown. Still ansible can’t connect to the host.
$ ansible all -m ping
venus.local | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Permission denied (keyboard-interactive).",
"unreachable": true
}
And in the server logs:
Sep 4 18:09:59 venus sshd[51550]: Connection closed by 172.16.1.11 port 39034 [preauth]
172.16.1.11 is the address of the ansible management host.
I should note that there’s a 1-2 second delay before logging in while Duo checks if the address has been white-listed.
09-05-2019 10:16 AM
I’ve worked around the issue by adding this to ssh_args in ansible.cfg:
-o PreferredAuthentications=publickey,keyboard-interactive
Duo requires keyboard-interactive even if it doesn’t have to prompt the user in case the IP address has been whitelisted. Hope this helps someone.
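A check for the workaround described in the post above, as an added example that is not part of the original thread: it reads an ansible.cfg and reports whether ssh_args in [ssh_connection] lists keyboard-interactive under PreferredAuthentications. The sample configs are constructed and the function names are hypothetical.

```python
import configparser
import re
import shlex

# Constructed sample ansible.cfg contents (not taken from the thread).
CFG_NO_SSH_ARGS = "[defaults]\ninventory = ./hosts\n"
CFG_KEY_ONLY = "[ssh_connection]\nssh_args = -o PreferredAuthentications=publickey\n"
CFG_WORKAROUND = (
    "[ssh_connection]\n"
    "ssh_args = -C -o ControlMaster=auto "
    "-o PreferredAuthentications=publickey,keyboard-interactive\n"
)


def ssh_options(ssh_args):
    """Map each -o option in an ssh argument string to its value.

    Handles "-o Key=Value", "-oKey=Value" and "-o 'Key Value'". Keys are
    lowercased; the first occurrence of a key is kept.
    """
    opts = {}
    tokens = shlex.split(ssh_args)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            spec = tokens[i + 1]
        elif tok.startswith("-o") and len(tok) > 2:
            spec = tok[2:]
        else:
            continue
        parts = re.split(r"[=\s]+", spec.strip(), maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1])
    return opts


def has_keyboard_interactive(cfg_text):
    """True if [ssh_connection] ssh_args lists keyboard-interactive."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    ssh_args = cfg.get("ssh_connection", "ssh_args", fallback="")
    methods = ssh_options(ssh_args).get("preferredauthentications", "")
    return "keyboard-interactive" in [m.strip() for m in methods.split(",")]


if __name__ == "__main__":
    for name, text in [("no ssh_args", CFG_NO_SSH_ARGS),
                       ("publickey only", CFG_KEY_ONLY),
                       ("workaround", CFG_WORKAROUND)]:
        print(f"{name}: keyboard-interactive listed = {has_keyboard_interactive(text)}")
```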