Incorrect sudo password

Time: 2020-10-09 09:01:21

Tags: ssh ansible sudo hashicorp-vault

During an Ansible run, the following error appears:

PLAY [test hashi vault] ******************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'vault.domain'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
ok: [192.168.1.200]

TASK [show bar] **************************************************************************************************************
/usr/lib/python2.7/site-packages/urllib3/connectionpool.py:988: InsecureRequestWarning: Unverified HTTPS request is being made to host 'vault.domain'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning,
fatal: [192.168.1.200]: FAILED! => {"msg": "Incorrect sudo password"}

PLAY RECAP *******************************************************************************************************************
192.168.1.200                : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

I know from debugging that the password is correct, and the same password works when I pull it from Vault with curl. This is the new code with which I get the error:

---
- name: test hashi vault
  hosts: all
  remote_user: ec2-user
  tasks:
  - name: show bar
    systemd:
      state: restarted
      name: sssd.service
    async: 45
    become: yes
    become_method: sudo

This is what I am running:

ansible-playbook -l 192.168.1.200 test.yml --private-key=/home/rehna/.ssh/testKeyPair.pem --vault-password-file /etc/ansible/ansible.vault -e @credentials

Contents of credentials:

ansible_user: ec2-user
ansible_become_pass: "{{ lookup('hashi_vault', 'secret=secret/test/ec2_password auth_method=userpass username={{vault_user}} password={{vault_password}}  url={{vault_url}}:{{vault_port}} validate_certs=false') }}"

Hosts:

[ec2]
192.168.1.200
[test_env]
192.168.1.200 remote_user=ec2-user

From /var/log/secure:

unix_chkpwd[30174]: password check failed for user (ec2-user)
sudo: pam_unix(sudo:auth): authentication failure; logname=ec2-user  uid=1000 euid=0 tty=/dev/pts/4 ruser=ec2-user rhost=  user=ec2-user
sudo: pam_unix(sudo:auth): conversation failed
sudo: pam_unix(sudo:auth): auth could not identify password for [ec2-user]

It should look like this:

sudo: ec2-user : TTY=pts/4 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/passwd --stdin ec2-user
sudo: pam_unix(sudo:session): session opened for user root by ec2-user(uid=0)
sudo: pam_unix(sudo:session): session closed for user root

1 answer:

Answer 0 (score: 0)

The returned data is a dict of key/value pairs. You need to extract the content from the return data that the lookup provides:

ec2_pass: "{{ lookup('hashi_vault', 'secret=secret/test/ec2_password auth_method=userpass username={{vault_user}} password={{vault_password}}  url={{vault_url}}:{{vault_port}} validate_certs=false') }}"

ansible_become_pass: "{{ec2_pass.value}}"
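The following playbook is an added example, not part of the question or the answer above, showing how to confirm that the hashi_vault lookup returns a mapping, fail early if the expected field is missing, and only then hand the extracted field to sudo. It assumes the same variables (vault_user, vault_password, vault_url, vault_port) and the secret path secret/test/ec2_password from the question; the task and variable names are hypothetical.

```yaml
---
# Added example (not from the original post). Reuses the question's Vault
# variables and secret path; everything else is illustrative.
- name: inspect the hashi_vault lookup result before using it as become password
  hosts: all
  remote_user: ec2-user
  vars:
    vault_opts: "auth_method=userpass username={{ vault_user }} password={{ vault_password }} url={{ vault_url }}:{{ vault_port }} validate_certs=false"
    # The lookup returns the secret's data as a dict (e.g. {'value': '...'}),
    # not a plain string. Passing the dict itself as ansible_become_pass sends
    # a stringified dict to sudo, which is why PAM rejects it.
    ec2_pass: "{{ lookup('hashi_vault', 'secret=secret/test/ec2_password ' ~ vault_opts) }}"
    # Use only the field that holds the password.
    ansible_become_pass: "{{ ec2_pass.value }}"
  tasks:
    - name: show the type and keys of the lookup result (never the secret itself)
      debug:
        msg: "lookup returned a {{ ec2_pass | type_debug }} with keys {{ ec2_pass.keys() | list }}"

    - name: stop with a clear message if the expected field is missing
      assert:
        that:
          - ec2_pass is mapping
          - "'value' in ec2_pass"
        fail_msg: "secret/test/ec2_password has no 'value' field; sudo would receive a stringified dict"

    - name: restart sssd using the extracted password for sudo
      systemd:
        name: sssd.service
        state: restarted
      become: yes
      become_method: sudo
```

The debug task prints only the result's type and key names, so the password never appears in the play output; the InsecureRequestWarning in the original run comes from validate_certs=false, which this example keeps only to match the question.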