
Ansible 2.3 and Cisco IOS SSH Key Authentication

Ansible Version: 2.3.2.0
Paramiko Version: 2.2.1

Trying to get Ansible to work against a Cisco IOS-based switch using SSH RSA key authentication.

Added the private key to the switch:

ip ssh pubkey-chain
   key-hash ssh-rsa 090A4713055CB0CBE097FFF2FFC8065B root@ansible

Verified SSHv2 and key:

SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqIKfBqGXuVdv0TbDT6fsPXC+zQ0/aeXBowhrgt4iV
b43PtLxIxZgJaw+Ubc8QJ1pMToK+pABZnub4xbtTR8WoMDh5ruL1XRIDhPxc38DQ5YNfTalyUGL2rlXJ
mZMeRWZ3R0NS6crat/ehC+vTl815yqbyEC7YWIVrRwfnDa2bjAD4ZB+i4E5zqAG1FqduW89h2jZmu7ww
icOnjAg16nOUiI8QJdbsBue6zepcX+uWCTLb4ZBZsCTRfjqt7O/HVEDl9U0K7D4/d6lLijagsozVXYaZ
wQSjlQ6FqXlgplo8rtFAMtH/SHr0ndfejeJmcp2+WRrZnMfMLCmLZNUHumAH      

I have connection: local set:

- hosts: ios
  gather_facts: no
  connection: local
  roles:
    - cisco_switch

Here are my vars for provider:

cli:
  host: "{{ inventory_hostname }}"
  username: root
  authorize: yes
  auth_pass: ansible

Here is the actual task I'm trying to execute:

- name: System Settings
  ios_system:
    provider: "{{ cli }}"
    hostname: "{{ inventory_hostname }}"
    domain_name: homelab.lan
    domain_search:
      - homelab.lan
    name_servers:
      - ns1.homelab.lan

Verified I can log in manually using ssh-agent and the key with ssh root@c3750e.

However, running the playbook fails with the following:

2017-08-16 13:51:27,483 p=1524 u=root |    1533 1502891487.48368: starting attempt loop
2017-08-16 13:51:27,483 p=1524 u=root |    1533 1502891487.48382: running the handler
2017-08-16 13:51:27,484 p=1524 u=root |    1533 1502891487.48477: Loading Connection 'persistent' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/persistent.py
2017-08-16 13:51:27,485 p=1524 u=root |    1533 1502891487.48505: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root |    1533 1502891487.48520: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root |    1533 1502891487.48534: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root |    1533 1502891487.48551: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,485 p=1524 u=root |    1533 1502891487.48565: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,486 p=1524 u=root |    1533 1502891487.48620: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True)
2017-08-16 13:51:27,874 p=1534 u=root |    1534 1502891487.87418: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True)
2017-08-16 13:51:27,886 p=1534 u=root |  creating new control socket for host c3750e.homelab.lan:22 as user root
2017-08-16 13:51:27,886 p=1534 u=root |  control socket path is /root/.ansible/pc/b7f0dc1e86
2017-08-16 13:51:27,886 p=1534 u=root |  current working directory is /root/infra_playbook
2017-08-16 13:51:27,887 p=1534 u=root |  using connection plugin network_cli
  1542 1502891487.94495: Loading Connection 'network_cli' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py
2017-08-16 13:51:27,945 p=1534 u=root |    1542 1502891487.94495: Loading Connection 'network_cli' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py
  1542 1502891487.94620: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py
2017-08-16 13:51:27,946 p=1534 u=root |    1542 1502891487.94620: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py
  1542 1502891487.94650: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py
2017-08-16 13:51:27,946 p=1534 u=root |    1542 1502891487.94650: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py
  1542 1502891487.94694: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py
2017-08-16 13:51:27,946 p=1534 u=root |    1542 1502891487.94694: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py
  1542 1502891487.94714: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py
2017-08-16 13:51:27,947 p=1534 u=root |    1542 1502891487.94714: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py
  1542 1502891487.94740: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,947 p=1534 u=root |    1542 1502891487.94740: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False)
2017-08-16 13:51:27,978 paramiko.transport starting thread (client mode): 0x2d7f8d0L
2017-08-16 13:51:27,978 paramiko.transport Local version/idstring: SSH-2.0-paramiko_2.2.1
2017-08-16 13:51:27,980 paramiko.transport Remote version/idstring: SSH-2.0-Cisco-1.25
2017-08-16 13:51:27,980 paramiko.transport Connected (version 2.0, client Cisco-1.25)
2017-08-16 13:51:27,985 paramiko.transport kex algos:[u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1'] server key:[u'ssh-rsa'] client encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] server encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] client mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] server mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] client compress:[u'none'] server compress:[u'none'] client lang:[u''] server lang:[u''] kex follows?False
2017-08-16 13:51:27,985 paramiko.transport Kex agreed: diffie-hellman-group-exchange-sha1
2017-08-16 13:51:27,985 paramiko.transport HostKey agreed: ssh-rsa
2017-08-16 13:51:27,985 paramiko.transport Cipher agreed: aes128-cbc
2017-08-16 13:51:27,985 paramiko.transport MAC agreed: hmac-sha1
2017-08-16 13:51:27,985 paramiko.transport Compression agreed: none
2017-08-16 13:51:27,991 paramiko.transport Got server p (2048 bits)
2017-08-16 13:51:29,278 paramiko.transport kex engine KexGex specified hash_algo <built-in function openssl_sha1>
2017-08-16 13:51:29,279 paramiko.transport Switch to new keys ...
2017-08-16 13:51:29,281 paramiko.transport Trying discovered key 090a4713055cb0cbe097fff2ffc8065b in /root/.ssh/id_rsa
2017-08-16 13:51:29,482 paramiko.transport userauth is OK
2017-08-16 13:51:29,489 paramiko.transport Exception: Illegal info request from server
2017-08-16 13:51:29,490 paramiko.transport Traceback (most recent call last):
2017-08-16 13:51:29,490 paramiko.transport   File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1860, in run
2017-08-16 13:51:29,490 paramiko.transport     handler(self.auth_handler, m)
2017-08-16 13:51:29,490 paramiko.transport   File "/usr/lib/python2.7/site-packages/paramiko/auth_handler.py", line 624, in _parse_userauth_info_request
2017-08-16 13:51:29,490 paramiko.transport     raise SSHException('Illegal info request from server')
2017-08-16 13:51:29,490 paramiko.transport SSHException: Illegal info request from server
2017-08-16 13:51:29,490 paramiko.transport 
2017-08-16 13:51:29,497 p=1534 u=root |  connecting to host c3750e.homelab.lan returned an error
2017-08-16 13:51:29,497 p=1534 u=root |  Illegal info request from server
2017-08-16 13:51:57,896 p=1534 u=root |  number of connection attempts exceeded, unable to connect to control socket
2017-08-16 13:51:57,896 p=1534 u=root |  persistent_connect_interval=1, persistent_connect_retries=30
2017-08-16 13:51:57,912 p=1524 u=root |  open_shell() returned 255   1534 1502891487.87418: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True)
 failed to connect to control socket
2017-08-16 13:51:57,912 p=1524 u=root |    1533 1502891517.91286: handler run complete
2017-08-16 13:51:57,913 p=1524 u=root |    1533 1502891517.91303: attempt loop complete, returning result
2017-08-16 13:51:57,913 p=1524 u=root |    1533 1502891517.91316: _execute() done
2017-08-16 13:51:57,913 p=1524 u=root |    1533 1502891517.91328: dumping result to json
2017-08-16 13:51:57,913 p=1524 u=root |    1533 1502891517.91342: done dumping result, returning
2017-08-16 13:51:57,913 p=1524 u=root |    1533 1502891517.91358: done running TaskExecutor() for c3750e.homelab.lan/TASK: cisco_switch : System Settings [c6e4c8ff-dea8-390a-92f3-00000000004d]
2017-08-16 13:51:57,913 p=1524 u=root |    1533 1502891517.91377: sending task result for task c6e4c8ff-dea8-390a-92f3-00000000004d
2017-08-16 13:51:57,914 p=1524 u=root |    1533 1502891517.91418: done sending task result for task c6e4c8ff-dea8-390a-92f3-00000000004d
2017-08-16 13:51:57,914 p=1524 u=root |    1533 1502891517.91430: WORKER PROCESS EXITING
2017-08-16 13:51:57,915 p=1524 u=root |    1524 1502891517.91541: marking c3750e.homelab.lan as failed
2017-08-16 13:51:57,915 p=1524 u=root |    1524 1502891517.91562: marking host c3750e.homelab.lan failed, current state: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_TASKS, fail_state=FAILED_NONE, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
2017-08-16 13:51:57,915 p=1524 u=root |    1524 1502891517.91574: ^ failed state is now: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_COMPLETE, fail_state=FAILED_TASKS, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False
2017-08-16 13:51:57,915 p=1524 u=root |    1524 1502891517.91585: getting the next task for host c3750e.homelab.lan
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91596: host c3750e.homelab.lan is done iterating, returning
2017-08-16 13:51:57,916 p=1524 u=root |  fatal: [c3750e.homelab.lan]: FAILED! => {
    "changed": false, 
    "failed": true, 
    "msg": "unable to open shell. Please see: https://docs.ansible.com/ansible/network_debug_troubleshooting.html#unable-to-open-shell", 
    "rc": 255
}
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91630: no more pending results, returning what we have
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91641: results queue empty
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91651: checking for any_errors_fatal
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91661: done checking for any_errors_fatal
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91670: checking for max_fail_percentage
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91679: done checking for max_fail_percentage
2017-08-16 13:51:57,916 p=1524 u=root |    1524 1502891517.91688: checking to see if all hosts have failed and the running result is not ok
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91697: done checking to see if all hosts have failed
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91706: getting the remaining hosts for this loop
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91717: done getting the remaining hosts for this loop
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91729: building list of next tasks for hosts
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91738: getting the next task for host c3750e.homelab.lan
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91748: host c3750e.homelab.lan is done iterating, returning
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91757: done building task lists
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91766: counting tasks in each state of execution
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91775: done counting tasks in each state of execution:
    num_setups: 0
    num_tasks: 0
    num_rescue: 0
    num_always: 0
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91785: all hosts are done, so returning None's for all hosts
2017-08-16 13:51:57,917 p=1524 u=root |    1524 1502891517.91795: done queuing things up, now waiting for results queue to drain
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91804: results queue empty
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91813: checking for any_errors_fatal
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91822: done checking for any_errors_fatal
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91830: checking for max_fail_percentage
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91839: done checking for max_fail_percentage
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91848: checking to see if all hosts have failed and the running result is not ok
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91857: done checking to see if all hosts have failed
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91869: getting the next task for host c3750e.homelab.lan
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91879: host c3750e.homelab.lan is done iterating, returning
2017-08-16 13:51:57,918 p=1524 u=root |    1524 1502891517.91888: running handlers
2017-08-16 13:51:57,920 p=1524 u=root |     to retry, use: --limit @/root/infra_playbook/site.retry

2017-08-16 13:51:57,920 p=1524 u=root |  PLAY RECAP ***************************************************************************************************************************
2017-08-16 13:51:57,921 p=1524 u=root |  c3750e.homelab.lan         : ok=0    changed=0    unreachable=0    failed=1   
2017-08-16 13:51:57,921 p=1524 u=root |    1524 1502891517.92111: RUNNING CLEANUP

Tried various fixes, including the Network Debug and Troubleshooting guide from Ansible, without any of them working. Tried changing the provider var to transport: ssh and transport: cli without it working.

On your IOS config, do you have a username configured under the ip ssh pubkey-chain section? Also, I'm trying to understand why you need connection: local.

This is how I would do it myself:

Add this to the ansible hosts file under group [ios]:

ansible_python_interpreter=/usr/local/bin/python2.7 # or the path to python
ansible_ssh_pass=[the sudo user or root password]
ansible_connection=local
port=22

In your ansible.cfg:

private_key_file = /path/.ssh/known_hosts
host_key_checking = False
host_key_auto_add = True

Simplify your playbook and dependencies:

---
- hosts: ios
  gather_facts: no
  connection: local

  tasks:

  - name: obtain login credentials
    include_vars: secrets.yml

  - name: define provider
    set_fact:
      provider:
        host: "{{ inventory_hostname }}"
        username: "{{ creds['username'] }}"
        password: "{{ creds['password'] }}"
        transport: cli

  - include: tasks/main.yml

secrets.yml

---
creds:
 username: the_username
 password: 'the_password'

tasks/main.yml

---
- name: DNS System Settings
  ios_config:
    lines:
      - ip domain-name homelab.lan
      - ip name-server ns1.homelab.lan
    provider: "{{ provider }}"
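A stdlib-only check, added here as an example and not part of the question or either answer: it computes the key-hash ssh-rsa value IOS stores for an OpenSSH public-key line (MD5 of the decoded key blob, which is the same fingerprint paramiko logs as "Trying discovered key ..."), compares it case-insensitively with the value from the running config, and renders the pubkey-chain stanza with the username line the first answer asks about. The sample key is a constructed toy blob with a tiny modulus, not a real RSA key; the wire layout is the real one.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # SSH mpint: minimal big-endian two's complement, so a leading 0x00
    # byte is kept when the top bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


# Constructed toy key for this example only (NOT a usable RSA key): the
# modulus is tiny so the blob stays short; the layout matches ssh-rsa.
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE12345678901234567890ABCDEF)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " root@ansible"


def parse_openssh_pubkey(line):
    """Return (key type, raw blob) from an OpenSSH 'type base64 [comment]' line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    # The blob opens with its own length-prefixed algorithm name; it must
    # agree with the text key type or the line has been mangled.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type in text does not match the encoded blob")
    return key_type, blob


def ios_key_hash(line):
    """IOS 'key-hash ssh-rsa' value: uppercase hex MD5 of the raw key blob."""
    _, blob = parse_openssh_pubkey(line)
    return hashlib.md5(blob).hexdigest().upper()


def hashes_match(configured, offered):
    """Compare a key-hash from 'show run' with the fingerprint paramiko logged
    (paramiko prints lowercase, IOS uppercase; the digest bytes are the same)."""
    return configured.strip().upper() == offered.strip().upper()


def pubkey_chain_config(username, line):
    """Render the pubkey-chain stanza including the username line IOS needs."""
    return "\n".join([
        "ip ssh pubkey-chain",
        "  username " + username,
        "    key-hash ssh-rsa " + ios_key_hash(line),
    ])


if __name__ == "__main__":
    print(pubkey_chain_config("root", SAMPLE_LINE))
```

Run it against the real public key (the line from ~/.ssh/id_rsa.pub) and compare the output with the key-hash in show running-config before running the playbook.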

$ ansible --version
ansible 2.4.0.0

This worked for me. Playbook:

---
- hosts: device.r1
  gather_facts: yes
  connection: local
  ignore_errors: yes

  tasks:
  - name: Load {{ inventory_hostname }} vars file
    include_vars: host_vars/{{ inventory_hostname }}.yml

  - name: obtain login credentials
    include_vars: ../auth/user.yml

  - name: define authentication provider
    set_fact:
      provider:
        host: "{{ inventory_hostname }}"
        username: "{{ creds['username'] }}"
        ssh_keyfile: "{{ creds['ssh_keyfile'] }}"

  - name: Gather Facts
    vyos_facts:
      gather_subset: all
      provider: "{{ creds }}"
    register: vyos_response

  - name: version
    debug: msg="{{ vyos_response.ansible_facts.ansible_net_version }}"

For ../auth/user.yml:

---
creds:
 username: ansible_user
 ssh_keyfile: /home/ansible_user/.ssh/id_rsa_ansible_user
