Ansible Privilege Escalation Issue with Password
TL;DR;
I have been working on this issue for over a week and I can't seem to figure it out. I am running ansible as user1, which has permission to become root, but ansible returns this error:
Timeout (12s) waiting for privilege escalation prompt:
Using ansible debug mode (export ANSIBLE_DEBUG=True), I noticed that ansible simply hangs when the privilege escalation prompt appears. So it seems that ansible is not supplying the password I gave it at the start.
My setup
My ansible.cfg is entirely commented out; it is just the default config file.
The host is CentOS 7 with python 2.7.
Running the command ansible --version:
ansible 2.8.2
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/user1/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/site-packages/ansible
executable location = /bin/ansible
python version = 2.7.5 (default, Jun 20 2019, 20:27:34) [GCC 4.8.5 20150623 (Red Hat 4.8.5-36)]
Problem
I am trying to run my playbook with become, but I can't get past the "Gathering Facts" section. I want to become root with dzdo to run the tasks in my playbook. However, if you look at the debug log, ansible seems to hang on the become password prompt. See in the Ansible debug below: >>>[dzdo via ansible, key=KEY_STRING] password:<<< ; it sits on that line for 10 seconds and then outputs that it is waiting for the privilege escalation prompt. But the prompt clearly did appear. So I decided to run the command that appears to hang myself (you can see it for yourself in the Ansible debug section below):
ssh -tt host1 '/bin/sh -c '"'"'dzdo -H -S -p "[dzdo via ansible, key=KEY_STRING] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-KEY_STRING ; /usr/bin/python /home/user1/.ansible/tmp/ansible-tmp-1569872806.13-188766343287198/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
When I run this command, I am prompted for a password, I supply the root password and it succeeds! I get a huge json blob of facts about my host.
EXAMPLE ANSIBLE COMMANDS I RUN THAT FAIL TO "BECOME" AND RETURN WHAT THEY SHOULD AS ROOT
(Note: I add -vvvv to print the debug statements so I can check what is happening under the hood, but I would not normally add this option if everything worked. Also, I know --become-user is set to root by default; I am only adding it for clarity.)
ansible host1 -kbK -m command -a "id" --user=user1 --become-user=root --become-method=dzdo
ansible-playbook -kbK myplaybook.yml --tags="myTag" --user=user1 --become-user=root --become-method=dzdo
Any idea why ansible does not seem to see the prompt that appears, and therefore does not supply the become password I provided at the start? Also, just for testing, when I am prompted for the passwords:
SSH password:
BECOME password[defaults to SSH password]:
I tested the BECOME password by simply leaving it blank (pressing enter to default to the SSH password), and then by entering a wrong password (just mashing the keyboard; if the password were actually being used, it would notice that it was incorrect).
ANSIBLE DEBUG LOG
...everything above seems to be ok, I successfully see:
1. Successful ssh connection to the hosts with the given user1
2. Successful ssh connection to move the ansible file it will run and making the directory
3. Attempting the python interpreter discovery
4. Finding the PLATFORM
5. etc... until I get to the actual escalated privilege line below
<host1> ESTABLISH SSH CONNECTION FOR USER: user1
<host1> SSH: EXEC sshpass -d8 ssh -vvv -C -o ControlMaster=auto -o ControlPersist=60s -o 'User="user1"' -o ConnectTimeout=10 -o ControlPath=/home/user1/.ansible/cp/89ddddab56 -tt host1 '/bin/sh -c '"'"'dzdo -H -S -p "[dzdo via ansible, key=KEY_STRING] password:" -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-KEY_STRING ; /usr/bin/python /home/user1/.ansible/tmp/ansible-tmp-1569872806.13-188766343287198/AnsiballZ_command.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
22694 1569872807.55226: Initial state: awaiting_escalation: BECOME-SUCCESS-KEY_STRING
22694 1569872807.58708: stderr chunk (state=1):
>>>OpenSSH_7.6p1 (CentrifyDC build 5.5.0-193) , OpenSSL 1.0.2n-fips 7 Dec 2017
<<<
22694 1569872807.58831: stderr chunk (state=1):
>>>debug1: Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1: /etc/centrifydc/ssh/ssh_config line 47: Applying options for *
<<<
22694 1569872807.58942: stderr chunk (state=1):
>>>debug1: auto-mux: Trying existing master
debug2: fd 3 setting O_NONBLOCK
debug2: mux_client_hello_exchange: master version 4
debug3: mux_client_forwards: request forwardings: 0 local, 0 remote
debug3: mux_client_request_session: entering
debug3: mux_client_request_alive: entering
debug3: mux_client_request_alive: done pid = 22660
debug3: mux_client_request_session: session request sent
<<<
22694 1569872807.59199: stderr chunk (state=1):
>>>debug1: mux_client_request_session: master session id: 2
<<<
22694 1569872807.87886: stdout chunk (state=1):
>>>[dzdo via ansible, key=KEY_STRING] password:<<<
22694 1569872819.89077: done running TaskExecutor() for host1/TASK: command [c81f66f6-8106-36fa-2522-0000000000a5]
22694 1569872819.89146: sending task result for task c81f66f6-8106-36fa-2522-0000000000a5
22694 1569872819.89287: done sending task result for task c81f66f6-8106-36fa-2522-0000000000a5
22694 1569872819.89309: WORKER PROCESS EXITING
22686 1569872819.89555: marking host1 as failed
22686 1569872819.89601: marking host host1 failed, current state: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_TASKS, fail_state=FAILED_NONE, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
22686 1569872819.89633: ^ failed state is now: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_COMPLETE, fail_state=FAILED_TASKS, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
22686 1569872819.89658: getting the next task for host host1
22686 1569872819.89680: host host1 is done iterating, returning
host1 | FAILED | rc=-1 >>
Timeout (12s) waiting for privilege escalation prompt:
...and then the connection to host1 is closed.
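An added illustration, not code from the question, the answer, or Ansible itself: a small Python model of the become handshake that the debug log above reflects. A constructed sh script stands in for the remote dzdo -S command; the driver waits for the prompt line, only then writes the -K password to stdin, and then waits for the BECOME-SUCCESS key. A prompt that never matches the expected string ends in the same "Timeout ... waiting for privilege escalation prompt" failure, and a rejected password ends as an incorrect-password failure. Assumed: plain pipes instead of the -tt pty, and the constructed password "correct-horse".

```python
import os
import select
import subprocess
import time

# Strings taken from the debug log on this page.
PROMPT = "[dzdo via ansible, key=KEY_STRING] password:"
SUCCESS_KEY = "BECOME-SUCCESS-KEY_STRING"
TIMEOUT_MSG = "Timeout (%ds) waiting for privilege escalation prompt:"
# Constructed stand-in for the remote "dzdo -S -p PROMPT -u root sh -c 'echo KEY; cmd'": print the
# prompt ($1), read one stdin line as the password, and on a match emit the key ($2) plus sample output.
FAKE_BECOME = r'''printf '%s' "$1"
read -r pw
if [ "$pw" = "$3" ]; then echo "$2"; echo "uid=0(root) gid=0(root)"; else echo "Sorry, try again."; fi'''

def check_password_prompt(output, prompt):
    """The prompt counts as seen only if some line of the output so far starts with it."""
    return any(line.strip().startswith(prompt.encode()) for line in output.splitlines())

def run_with_become(remote_prompt, expected_prompt, password, timeout=2, real_pw="correct-horse"):
    """Drive the handshake: wait for the prompt, answer it, then wait for the success key."""
    proc = subprocess.Popen(["sh", "-c", FAKE_BECOME, "sh", remote_prompt, SUCCESS_KEY, real_pw],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    state, buf = "awaiting_escalation", b""
    deadline = time.monotonic() + timeout
    try:
        while time.monotonic() < deadline:
            ready, _, _ = select.select([proc.stdout], [], [], max(0.0, deadline - time.monotonic()))
            if not ready:
                continue
            chunk = os.read(proc.stdout.fileno(), 4096)
            if not chunk:  # EOF: the remote command exited on its own
                break
            buf += chunk
            if state == "awaiting_escalation" and check_password_prompt(buf, expected_prompt):
                proc.stdin.write(password.encode() + b"\n")  # the become password is sent only now
                proc.stdin.flush()
                state = "awaiting_success"
            if state == "awaiting_success" and SUCCESS_KEY.encode() in buf:
                state = "ready"
    finally:
        proc.kill()
        proc.wait()
    if state == "awaiting_escalation":  # prompt never matched: the failure seen in the question
        return "failed", TIMEOUT_MSG % timeout
    if state == "awaiting_success":
        return "failed", "Incorrect become password"
    return "ok", buf.split(SUCCESS_KEY.encode(), 1)[1].decode().strip()
```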
It looks like what you are running into is that your user needs to enter a password when running sudo.
This can be fixed with the following configuration in ansible.cfg, in your inventory, or directly in the playbook:
ansible_become_method: 'su'
ansible_become_exe: 'sudo -p "Password: " su -'
All credit for this technique goes to rahim-raddahi:
https://github.com/ansible/ansible/issues/12686#issuecomment-373326739