Ansible with Yubikey configured for SSH
I have a Yubikey 4 with an SSH key bundled in it, and if I simply ssh into a server that is configured with that key, it works fine.
But when I try to run it with this configuration, it gives me this error:
fatal: [web01]: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/rodrigo/.ssh/config
debug1: /Users/rodrigo/.ssh/config line 3: Applying options for web??
debug1: /Users/rodrigo/.ssh/config line 6: Applying options for web??
debug1: /Users/rodrigo/.ssh/config line 18: Applying options for web01
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname [ip-address] is address
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/rodrigo/.ansible/cp/b18e077b1c" does not exist
debug1: Executing proxy command: exec ssh -W [ip-address]:22 bastion
debug3: timeout: 120000 ms remain after connect
Control socket connect(/Users/rodrigo/): Socket operation on non-socket
debug1: provider /usr/local/lib/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19
debug1: pkcs11_add_provider: provider /usr/local/lib/opensc-pkcs11.so returned no slots
debug1: identity file /Users/rodrigo/.ssh/id_rsa type -1
debug1: identity file /Users/rodrigo/.ssh/id_rsa-cert type -1
debug1: identity file /Users/rodrigo/.ssh/id_dsa type -1
debug1: identity file /Users/rodrigo/.ssh/id_dsa-cert type -1
debug1: identity file /Users/rodrigo/.ssh/id_ecdsa type -1
debug1: identity file /Users/rodrigo/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/rodrigo/.ssh/id_ed25519 type -1
debug1: identity file /Users/rodrigo/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/rodrigo/.ssh/id_xmss type -1
debug1: identity file /Users/rodrigo/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
ControlSocket /Users/rodrigo/ already exists, disabling multiplexing
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to [ip-address]:22 as '[user]'
debug3: hostkeys_foreach: reading file "/Users/rodrigo/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/rodrigo/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from [ip-address]
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-sha1
debug2: MACs stoc: hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:p7YQr1iPVvMBopxcZjV//cIcH7R1OeenuhiKNOWVVuA
debug3: hostkeys_foreach: reading file "/Users/rodrigo/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/rodrigo/.ssh/known_hosts:8
debug3: load_hostkeys: loaded 1 keys from [ip-address]
debug1: Host '[ip-address]' is known and matches the RSA host key.
debug1: Found key in /Users/rodrigo/.ssh/known_hosts:8
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 4294967296 blocks
debug1: Will attempt key: /Users/rodrigo/.ssh/id_rsa 
debug1: Will attempt key: /Users/rodrigo/.ssh/id_dsa 
debug1: Will attempt key: /Users/rodrigo/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/rodrigo/.ssh/id_ed25519 
debug1: Will attempt key: /Users/rodrigo/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: ,gssapi-keyex,hostbased,publickey
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/rodrigo/.ssh/id_rsa
debug3: no such identity: /Users/rodrigo/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /Users/rodrigo/.ssh/id_dsa
debug3: no such identity: /Users/rodrigo/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /Users/rodrigo/.ssh/id_ecdsa
debug3: no such identity: /Users/rodrigo/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /Users/rodrigo/.ssh/id_ed25519
debug3: no such identity: /Users/rodrigo/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /Users/rodrigo/.ssh/id_xmss
debug3: no such identity: /Users/rodrigo/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
[user]@[ip-address]: Permission denied (publickey).
",
I assume it needs the $HOME/.ssh/id_rsa file to exist on the filesystem. Is there a way around this?
The problem was in Ansible's configuration:
ssh_args = -o IdentitiesOnly=yes
After removing the -o IdentitiesOnly=yes option, it worked.
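The trace above is what IdentitiesOnly=yes looks like from the client side: ssh tries only the default ~/.ssh/id_* files, none of which exist, and never offers anything from the agent or the PKCS#11 provider where the Yubikey key lives. Dropping the option (the accepted answer) works, but it also means every key in the agent is offered to every host. The alternative is to keep IdentitiesOnly=yes and pin the card key with IdentityFile pointing at its public half, which ssh then asks the agent to sign with. The script below is an added example, not code from the poster or from Ansible; it builds all three ansible.cfg/ssh_config layouts in a scratch directory and lints them offline. The ssh_config contents (Host web?? with a ProxyCommand through bastion) are reconstructed from the "Applying options for web??" and "exec ssh -W ... bastion" lines in the log and are an assumption, as is the PKCS11_LIB path taken from the log; function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the three ansible.cfg /
# ssh_config layouts discussed (the broken one, the answer's fix, and a fix
# that keeps IdentitiesOnly=yes) and lints them without connecting anywhere.
# Assumptions: the ssh_config content is reconstructed from the debug log,
# PKCS11_LIB is the OpenSC module path the log shows.
set -eu
PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"

# ssh_effective FILE HOST KEYWORD: the value ssh would apply for KEYWORD on
# HOST from FILE. ssh keeps the first matching declaration; options before the
# first Host block apply to every host; Host patterns use ? and * globs.
# (Match and Include are not handled here; cross-check with ssh -G.)
ssh_effective() {
    awk -v host="$2" -v key="$3" '
        function glob2re(p) {
            gsub(/\./, "\\\\.", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            return "^" p "$"
        }
        BEGIN { active = 1 }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (host ~ glob2re($i)) active = 1
            next
        }
        active && !done && tolower($1) == tolower(key) { print $2; done = 1 }
    ' "$1"
}

# ansible_ssh_args DIR: ssh_args from the [ssh_connection] section of DIR/ansible.cfg.
ansible_ssh_args() {
    awk '/^\[/ { sect = $0 }
         sect == "[ssh_connection]" && /^ssh_args[ \t]*=/ {
             sub(/^ssh_args[ \t]*=[ \t]*/, ""); print; exit }' "$1/ansible.cfg"
}

# lint_ansible_ssh DIR HOST: fail when IdentitiesOnly=yes is in force for HOST
# with no IdentityFile pinned. That combination makes ssh try only the default
# ~/.ssh/id_* files and ignore every agent / PKCS#11 identity, which is the
# "no such identity ... Permission denied (publickey)" trace above.
lint_ansible_ssh() {
    dir="$1"; host="$2"
    args=$(ansible_ssh_args "$dir")
    ionly=$(ssh_effective "$dir/ssh_config" "$host" IdentitiesOnly)
    idfile=$(ssh_effective "$dir/ssh_config" "$host" IdentityFile)
    # a -o on the command line overrides the config file
    case " $args " in
        *"IdentitiesOnly=yes"*) ionly=yes ;;
        *"IdentitiesOnly=no"*)  ionly=no ;;
    esac
    if [ "${ionly:-no}" = yes ] && [ -z "$idfile" ]; then
        echo "FAIL $host: IdentitiesOnly=yes with no IdentityFile; agent/PKCS#11 keys are ignored"
        return 1
    fi
    path=$idfile
    case $idfile in "~"*) path="$HOME${idfile#\~}" ;; esac
    if [ -n "$idfile" ] && [ ! -f "$path" ]; then
        echo "FAIL $host: pinned IdentityFile $idfile does not exist"
        return 1
    fi
    echo "OK   $host: IdentitiesOnly=${ionly:-no} IdentityFile=${idfile:-<defaults>}"
}

# write_ssh_config DIR [PUBKEY]: hypothetical client config matching the log's
# "Applying options for web??" lines. With PUBKEY, pin the card key and keep
# IdentitiesOnly on so no other agent key is ever offered to these hosts.
write_ssh_config() {
    {
        echo "Host web??"
        echo "    ProxyCommand ssh -W %h:%p bastion"
        if [ $# -ge 2 ]; then
            echo "    IdentitiesOnly yes"
            echo "    IdentityFile $2"
        fi
    } > "$1/ssh_config"
}

# write_ansible_cfg DIR EXTRA: ssh_args that load DIR/ssh_config (-F also makes
# ssh skip /etc/ssh/ssh_config, so the lint sees exactly what ssh sees), keep
# Ansible's usual multiplexing flags, and append EXTRA.
write_ansible_cfg() {
    printf '[ssh_connection]\nssh_args = -F %s/ssh_config -C -o ControlMaster=auto -o ControlPersist=60s %s\n' \
        "$1" "$2" > "$1/ansible.cfg"
}

write_bad_cfg()    { write_ssh_config "$1"; write_ansible_cfg "$1" "-o IdentitiesOnly=yes"; }  # the post's setting
write_fixed_cfg()  { write_ssh_config "$1"; write_ansible_cfg "$1" ""; }                        # the answer: drop it
write_pinned_cfg() { write_ssh_config "$1" "$2"; write_ansible_cfg "$1" ""; }                   # keep it, pin the card key

# export_card_pubkey OUT: dump the public half of the key on the token so it
# can be pinned with IdentityFile. Needs the Yubikey plugged in, and the agent
# must hold the card (ssh-add -s "$PKCS11_LIB") for ssh to sign with it.
export_card_pubkey() { ssh-keygen -D "$PKCS11_LIB" > "$1"; }
```

Sourcing the file and running `d=$(mktemp -d); write_bad_cfg "$d"; lint_ansible_ssh "$d" web01` reproduces the failure as a FAIL line; `write_fixed_cfg` and `write_pinned_cfg "$d" ~/.ssh/yubikey.pub` (after `export_card_pubkey ~/.ssh/yubikey.pub` and `ssh-add -s /usr/local/lib/opensc-pkcs11.so`) both lint clean. `ssh -G -F "$d/ssh_config" web01 | grep -i identit` prints the client's own resolved values for the same two keywords and is the authoritative check when ssh is installed. Note that the same log also shows multiplexing being disabled because ControlPath resolved to /Users/rodrigo/; that is a separate problem this lint does not cover.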