2017-08-16 141 views
0

Ansible 2.3 and Cisco IOS SSH key authentication

Ansible version: 2.3.2.0, paramiko version: 2.2.1

Trying to get Ansible working against IOS-based Cisco switches that use SSH RSA key authentication.

Added the public key to the switch:

ip ssh pubkey-chain 
    key-hash ssh-rsa 090A4713055CB0CBE097FFF2FFC8065B [email protected] 

Verified the SSHv2 protocol and keys:

SSH Enabled - version 2.0 
Authentication timeout: 120 secs; Authentication retries: 3 
Minimum expected Diffie Hellman key size : 1024 bits 
IOS Keys in SECSH format(ssh-rsa, base64 encoded): 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqIKfBqGXuVdv0TbDT6fsPXC+zQ0/aeXBowhrgt4iV 
b43PtLxIxZgJaw+Ubc8QJ1pMToK+pABZnub4xbtTR8WoMDh5ruL1XRIDhPxc38DQ5YNfTalyUGL2rlXJ 
mZMeRWZ3R0NS6crat/ehC+vTl815yqbyEC7YWIVrRwfnDa2bjAD4ZB+i4E5zqAG1FqduW89h2jZmu7ww 
icOnjAg16nOUiI8QJdbsBue6zepcX+uWCTLb4ZBZsCTRfjqt7O/HVEDl9U0K7D4/d6lLijagsozVXYaZ 
wQSjlQ6FqXlgplo8rtFAMtH/SHr0ndfejeJmcp2+WRrZnMfMLCmLZNUHumAH  

I have connection: local set:

- hosts: ios
  gather_facts: no
  connection: local
  roles:
    - cisco_switch

Here are my provider vars:

cli: 
    host: "{{ inventory_hostname }}" 
    username: root 
    authorize: yes 
    auth_pass: ansible 

Here is the actual task I'm trying to execute:

- name: System Settings
  ios_system:
    provider: "{{ cli }}"
    hostname: "{{ inventory_hostname }}"
    domain_name: homelab.lan
    domain_search:
      - homelab.lan
    name_servers:
      - ns1.homelab.lan

Verified that I can log in manually with the key using ssh-agent and ssh [email protected]; however, running the playbook fails with the following:

2017-08-16 13:51:27,483 p=1524 u=root | 1533 1502891487.48368: starting attempt loop 
2017-08-16 13:51:27,483 p=1524 u=root | 1533 1502891487.48382: running the handler 
2017-08-16 13:51:27,484 p=1524 u=root | 1533 1502891487.48477: Loading Connection 'persistent' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/persistent.py 
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48505: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48520: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48534: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48551: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,485 p=1524 u=root | 1533 1502891487.48565: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,486 p=1524 u=root | 1533 1502891487.48620: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True) 
2017-08-16 13:51:27,874 p=1534 u=root | 1534 1502891487.87418: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True) 
2017-08-16 13:51:27,886 p=1534 u=root | creating new control socket for host c3750e.homelab.lan:22 as user root 
2017-08-16 13:51:27,886 p=1534 u=root | control socket path is /root/.ansible/pc/b7f0dc1e86 
2017-08-16 13:51:27,886 p=1534 u=root | current working directory is /root/infra_playbook 
2017-08-16 13:51:27,887 p=1534 u=root | using connection plugin network_cli 
    1542 1502891487.94495: Loading Connection 'network_cli' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py 
2017-08-16 13:51:27,945 p=1534 u=root | 1542 1502891487.94495: Loading Connection 'network_cli' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py 
    1542 1502891487.94620: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py 
2017-08-16 13:51:27,946 p=1534 u=root | 1542 1502891487.94620: Loading ShellModule 'csh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/csh.py 
    1542 1502891487.94650: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py 
2017-08-16 13:51:27,946 p=1534 u=root | 1542 1502891487.94650: Loading ShellModule 'fish' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/fish.py 
    1542 1502891487.94694: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py 
2017-08-16 13:51:27,946 p=1534 u=root | 1542 1502891487.94694: Loading ShellModule 'powershell' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/powershell.py 
    1542 1502891487.94714: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py 
2017-08-16 13:51:27,947 p=1534 u=root | 1542 1502891487.94714: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py 
    1542 1502891487.94740: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,947 p=1534 u=root | 1542 1502891487.94740: Loading ShellModule 'sh' from /usr/lib/python2.7/site-packages/ansible/plugins/shell/sh.py (found_in_cache=True, class_only=False) 
2017-08-16 13:51:27,978 paramiko.transport starting thread (client mode): 0x2d7f8d0L 
2017-08-16 13:51:27,978 paramiko.transport Local version/idstring: SSH-2.0-paramiko_2.2.1 
2017-08-16 13:51:27,980 paramiko.transport Remote version/idstring: SSH-2.0-Cisco-1.25 
2017-08-16 13:51:27,980 paramiko.transport Connected (version 2.0, client Cisco-1.25) 
2017-08-16 13:51:27,985 paramiko.transport kex algos:[u'diffie-hellman-group-exchange-sha1', u'diffie-hellman-group14-sha1', u'diffie-hellman-group1-sha1'] server key:[u'ssh-rsa'] client encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] server encrypt:[u'aes128-cbc', u'3des-cbc', u'aes192-cbc', u'aes256-cbc'] client mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] server mac:[u'hmac-sha1', u'hmac-sha1-96', u'hmac-md5', u'hmac-md5-96'] client compress:[u'none'] server compress:[u'none'] client lang:[u''] server lang:[u''] kex follows?False 
2017-08-16 13:51:27,985 paramiko.transport Kex agreed: diffie-hellman-group-exchange-sha1 
2017-08-16 13:51:27,985 paramiko.transport HostKey agreed: ssh-rsa 
2017-08-16 13:51:27,985 paramiko.transport Cipher agreed: aes128-cbc 
2017-08-16 13:51:27,985 paramiko.transport MAC agreed: hmac-sha1 
2017-08-16 13:51:27,985 paramiko.transport Compression agreed: none 
2017-08-16 13:51:27,991 paramiko.transport Got server p (2048 bits) 
2017-08-16 13:51:29,278 paramiko.transport kex engine KexGex specified hash_algo <built-in function openssl_sha1> 
2017-08-16 13:51:29,279 paramiko.transport Switch to new keys ... 
2017-08-16 13:51:29,281 paramiko.transport Trying discovered key 090a4713055cb0cbe097fff2ffc8065b in /root/.ssh/id_rsa 
2017-08-16 13:51:29,482 paramiko.transport userauth is OK 
2017-08-16 13:51:29,489 paramiko.transport Exception: Illegal info request from server 
2017-08-16 13:51:29,490 paramiko.transport Traceback (most recent call last): 
2017-08-16 13:51:29,490 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/transport.py", line 1860, in run 
2017-08-16 13:51:29,490 paramiko.transport  handler(self.auth_handler, m) 
2017-08-16 13:51:29,490 paramiko.transport File "/usr/lib/python2.7/site-packages/paramiko/auth_handler.py", line 624, in _parse_userauth_info_request 
2017-08-16 13:51:29,490 paramiko.transport  raise SSHException('Illegal info request from server') 
2017-08-16 13:51:29,490 paramiko.transport SSHException: Illegal info request from server 
2017-08-16 13:51:29,490 paramiko.transport 
2017-08-16 13:51:29,497 p=1534 u=root | connecting to host c3750e.homelab.lan returned an error 
2017-08-16 13:51:29,497 p=1534 u=root | Illegal info request from server 
2017-08-16 13:51:57,896 p=1534 u=root | number of connection attempts exceeded, unable to connect to control socket 
2017-08-16 13:51:57,896 p=1534 u=root | persistent_connect_interval=1, persistent_connect_retries=30 
2017-08-16 13:51:57,912 p=1524 u=root | open_shell() returned 255 1534 1502891487.87418: Loading Connection 'ssh' from /usr/lib/python2.7/site-packages/ansible/plugins/connection/ssh.py (found_in_cache=False, class_only=True) 
failed to connect to control socket 
2017-08-16 13:51:57,912 p=1524 u=root | 1533 1502891517.91286: handler run complete 
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91303: attempt loop complete, returning result 
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91316: _execute() done 
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91328: dumping result to json 
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91342: done dumping result, returning 
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91358: done running TaskExecutor() for c3750e.homelab.lan/TASK: cisco_switch : System Settings [c6e4c8ff-dea8-390a-92f3-00000000004d] 
2017-08-16 13:51:57,913 p=1524 u=root | 1533 1502891517.91377: sending task result for task c6e4c8ff-dea8-390a-92f3-00000000004d 
2017-08-16 13:51:57,914 p=1524 u=root | 1533 1502891517.91418: done sending task result for task c6e4c8ff-dea8-390a-92f3-00000000004d 
2017-08-16 13:51:57,914 p=1524 u=root | 1533 1502891517.91430: WORKER PROCESS EXITING 
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91541: marking c3750e.homelab.lan as failed 
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91562: marking host c3750e.homelab.lan failed, current state: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_TASKS, fail_state=FAILED_NONE, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False 
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91574:^failed state is now: HOST STATE: block=2, task=1, rescue=0, always=0, run_state=ITERATING_COMPLETE, fail_state=FAILED_TASKS, pending_setup=False, tasks child state? (None), rescue child state? (None), always child state? (None), did rescue? False, did start at task? False 
2017-08-16 13:51:57,915 p=1524 u=root | 1524 1502891517.91585: getting the next task for host c3750e.homelab.lan 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91596: host c3750e.homelab.lan is done iterating, returning 
2017-08-16 13:51:57,916 p=1524 u=root | fatal: [c3750e.homelab.lan]: FAILED! => { 
    "changed": false, 
    "failed": true, 
    "msg": "unable to open shell. Please see: https://docs.ansible.com/ansible/network_debug_troubleshooting.html#unable-to-open-shell", 
    "rc": 255 
} 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91630: no more pending results, returning what we have 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91641: results queue empty 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91651: checking for any_errors_fatal 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91661: done checking for any_errors_fatal 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91670: checking for max_fail_percentage 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91679: done checking for max_fail_percentage 
2017-08-16 13:51:57,916 p=1524 u=root | 1524 1502891517.91688: checking to see if all hosts have failed and the running result is not ok 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91697: done checking to see if all hosts have failed 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91706: getting the remaining hosts for this loop 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91717: done getting the remaining hosts for this loop 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91729: building list of next tasks for hosts 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91738: getting the next task for host c3750e.homelab.lan 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91748: host c3750e.homelab.lan is done iterating, returning 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91757: done building task lists 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91766: counting tasks in each state of execution 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91775: done counting tasks in each state of execution: 
    num_setups: 0 
    num_tasks: 0 
    num_rescue: 0 
    num_always: 0 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91785: all hosts are done, so returning None's for all hosts 
2017-08-16 13:51:57,917 p=1524 u=root | 1524 1502891517.91795: done queuing things up, now waiting for results queue to drain 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91804: results queue empty 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91813: checking for any_errors_fatal 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91822: done checking for any_errors_fatal 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91830: checking for max_fail_percentage 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91839: done checking for max_fail_percentage 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91848: checking to see if all hosts have failed and the running result is not ok 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91857: done checking to see if all hosts have failed 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91869: getting the next task for host c3750e.homelab.lan 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91879: host c3750e.homelab.lan is done iterating, returning 
2017-08-16 13:51:57,918 p=1524 u=root | 1524 1502891517.91888: running handlers 
2017-08-16 13:51:57,920 p=1524 u=root |  to retry, use: --limit @/root/infra_playbook/site.retry 

2017-08-16 13:51:57,920 p=1524 u=root | PLAY RECAP *************************************************************************************************************************** 
2017-08-16 13:51:57,921 p=1524 u=root | c3750e.homelab.lan   : ok=0 changed=0 unreachable=0 failed=1 
2017-08-16 13:51:57,921 p=1524 u=root | 1524 1502891517.92111: RUNNING CLEANUP 

Tried various fixes, including those in Ansible's Network Debug and Troubleshooting guide, but none of them worked. Tried changing the provider var to transport: ssh and to transport: cli without success.
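As an added example (not part of the original question or of Ansible/paramiko), the script below reads the paramiko debug lines quoted above and checks whether the key paramiko offered is the one the switch trusts: the IOS key-hash in ip ssh pubkey-chain and paramiko's "Trying discovered key" value are both the MD5 fingerprint of the public key blob, which is why 090A4713... in the config and 090a4713... in the log agree. It also flags the legacy SHA-1, CBC and MD5 algorithms the switch negotiated, which a defender would want to know about regardless of the authentication problem.

```python
import base64
import hashlib
import re

# Excerpt of the paramiko debug lines quoted in the question above.
PARAMIKO_LOG = """\
2017-08-16 13:51:27,985 paramiko.transport Kex agreed: diffie-hellman-group-exchange-sha1
2017-08-16 13:51:27,985 paramiko.transport Cipher agreed: aes128-cbc
2017-08-16 13:51:27,985 paramiko.transport MAC agreed: hmac-sha1
2017-08-16 13:51:29,281 paramiko.transport Trying discovered key 090a4713055cb0cbe097fff2ffc8065b in /root/.ssh/id_rsa
2017-08-16 13:51:29,482 paramiko.transport userauth is OK
2017-08-16 13:51:29,489 paramiko.transport Exception: Illegal info request from server
"""
# The 'key-hash ssh-rsa <hex>' value from the question's pubkey-chain config.
IOS_KEY_HASH = "090A4713055CB0CBE097FFF2FFC8065B"

AGREED_RE = re.compile(r"(Kex|Cipher|MAC) agreed: (\S+)")
TRIED_RE = re.compile(r"Trying discovered key ([0-9a-f]{32}) in (\S+)")
EXC_RE = re.compile(r"transport Exception: (.+?)\s*$")
# Substrings marking legacy algorithms: SHA-1 kex/MAC, CBC ciphers, MD5 MACs, DH group1.
LEGACY = ("sha1", "-cbc", "md5", "group1")

def ios_key_hash(pubkey_line):
    """IOS 'key-hash' is the MD5 of the wire-format key blob (the base64 field of an
    OpenSSH 'ssh-rsa AAAA... comment' line) as upper-case hex; paramiko logs it in lower case."""
    parts = pubkey_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an OpenSSH ssh-rsa public key line")
    return hashlib.md5(base64.b64decode(parts[1])).hexdigest().upper()

def analyse_paramiko_log(text):
    """Extract negotiated algorithms, the keys offered and the final error from a log."""
    info = {"agreed": {}, "legacy": [], "tried_keys": [], "exception": None}
    for line in text.splitlines():
        m = AGREED_RE.search(line)
        if m:
            info["agreed"][m.group(1)] = m.group(2)
            if any(tag in m.group(2) for tag in LEGACY):
                info["legacy"].append(m.group(2))
        m = TRIED_RE.search(line)
        if m:
            info["tried_keys"].append((m.group(1).upper(), m.group(2)))
        m = EXC_RE.search(line)
        if m:
            info["exception"] = m.group(1)
    return info

def key_matches_switch(log_text, configured_hash):
    """True when one of the keys paramiko offered is the one the switch's pubkey-chain trusts."""
    return configured_hash.upper() in {h for h, _ in analyse_paramiko_log(log_text)["tried_keys"]}
```

Run ios_key_hash() on the contents of your id_rsa.pub to get the exact value to put in key-hash; here the log shows the right key was offered and accepted, so the failure lies after authentication in how paramiko handles the server's follow-up request.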

Answers

0

In your IOS config, do you have a username configured under the ip ssh pubkey-chain section? Also, I'd like to understand why connection: local is needed.

+0

Per the [docs](http://docs.ansible.com/ansible/latest/network_debug_troubleshooting.html#error-invalid-connection-specified-expected-connection-local-got-ssh), the network modules require 'connection: local' (at least, that's what I could find). The switch has 'username root' under the 'ip ssh pubkey-chain' entry. – Patrick

0

This is how I would do it myself:

Add this to the ansible hosts file under the [ios] group:

[ios:vars]
# path to the python interpreter on the control node
ansible_python_interpreter=/usr/local/bin/python2.7
ansible_ssh_pass=[the sudo user or root password]
ansible_connection=local
ansible_port=22

In your ansible.cfg:

[defaults]
# must point at the private key itself (known_hosts is not a key)
private_key_file = /path/.ssh/id_rsa
host_key_checking = False

[paramiko_connection]
host_key_auto_add = True

Simplify your playbook and its dependencies:

---
- hosts: ios
  gather_facts: no
  connection: local

  tasks:

    - name: obtain login credentials
      include_vars: secrets.yml

    - name: define provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ creds['username'] }}"
          password: "{{ creds['password'] }}"
          transport: cli

    - include: tasks/main.yml

secrets.yml:

---
creds:
  username: the_username
  password: 'the_password'

tasks/main.yml:

---
- name: DNS System Settings
  ios_config:
    lines:
      - ip domain-name homelab.lan
      - ip name-server ns1.homelab.lan
    provider: "{{ provider }}"

+0

Using the username/password authentication method is not what I want to do here. I have key-based authentication set up on every machine Ansible touches, and I don't want to deviate from that. It looks like this may be a bug in Paramiko and I'll just have to wait until it's fixed. – Patrick

+1

If I understand what you're looking for, you may need to use the ssh_keyfile parameter for the provider. –

+0

I'll give that a shot and report back, thanks! – Patrick

0

$ ansible --version
ansible 2.4.0.0

This worked for me. Playbook:

---
- hosts: device.r1
  gather_facts: yes
  connection: local
  ignore_errors: yes

  tasks:
    - name: Load {{ inventory_hostname }} vars file
      include_vars: host_vars/{{ inventory_hostname }}.yml

    - name: obtain login credentials
      include_vars: ../auth/user.yml

    - name: define authentication provider
      set_fact:
        provider:
          host: "{{ inventory_hostname }}"
          username: "{{ creds['username'] }}"
          ssh_keyfile: "{{ creds['ssh_keyfile'] }}"

    - name: Gather Facts
      vyos_facts:
        gather_subset: all
        provider: "{{ creds }}"
      register: vyos_response

    - name: version
      debug: msg="{{ vyos_response.ansible_facts.ansible_net_version }}"

For ../auth/user.yml:

---
creds:
  username: ansible_user
  ssh_keyfile: /home/ansible_user/.ssh/id_rsa_ansible_user

+0

I'll give this a shot and report back. – Patrick