[ansible-project] Getting "Permission denied (publickey)." when trying to clone Private Github repository, Public repo works

Discussion:

Paul Hardwick

2015-01-16 22:47:28 UTC

Permalink

Hello Ansiblers,

I am trying use ansible to bring in a Private GITHUB repository and am
having issues and getting "Permission denied (publickey)." I've done some
digging and checked the ideas I came across on the mailing list so far, but
none of them have worked.

- I've opened up the ports in the outbound firewall
- If I do a public repo it works fine, so its not an issue reaching GITHUB
in general just the Private repositories.
- If I try to clone the Private repository manually on the destination
server it works correctly
- GitHub ssh-key access test ( ssh -T ***@github.com ) works on box
directly but fails under Ansible in a playbook using command.

So it would seem like the SSH key info isn't being passed along. BTW I've
tried the github ssh-key test both with and without SUDO auth. And it fails
either way. The SSH-key is the same for my SSH login and github.

I have included the log of the original failure and the github test for
recognition of the users SSH-Key

Any clues of things I can check or what I might be doing wrong would be
appreciated.

Thanks,
Paul

================ Start - from playbook output that fails ===

dest=/usr/local/GitUserName/ansible-examples-ta4 version=HEAD
accept_hostkey=yes] ***
<111.222.333.444> REMOTE_MODULE git
dest=/usr/local/GitUserName/ansible-examples-ta4 version=HEAD
accept_hostkey=yes
failed: [bbb-sandbox-a-pub] => {"cmd": "/usr/bin/git ls-remote
true, "rc": 128}
stderr: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
msg: Permission denied (publickey).
fatal: The remote end hung up unexpectedly
FATAL: all hosts have already failed -- aborting

============== End - from playbook output that fails ===

================ Start - from Github SSH-key test that fails ===

TASK: [Execute command - check SSH-key access to GitHub]
**********************
<111.222.333.444> ESTABLISH CONNECTION FOR USER: MyUbuntuUser
<111.222.333.444> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o
ControlPersist=60s -o
ControlPath="/Users/MyOSXuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o
Port=8023 -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o User=MyUbuntuUser -o ConnectTimeout=10
111.222.333.444 /bin/sh -c 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052 && chmod a+rx
$HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052 && echo
$HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052'
<111.222.333.444> PUT
/var/folders/jv/z2wn_pn52l76vtv84tsj2yf40000gx/T/tmpodUAD4 TO
/home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/command
<111.222.333.444> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o
ControlPersist=60s -o
ControlPath="/Users/MyOSXuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o
Port=8023 -o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey
-o PasswordAuthentication=no -o User=MyUbuntuUser -o ConnectTimeout=10
111.222.333.444 /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
/usr/bin/python
/home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/command;
rm -rf
/home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/

/dev/null 2>&1'

failed: [bbb-sandbox-a-pub] => {"changed": true, "cmd": ["/usr/bin/ssh",
22:01:21.784784", "rc": 255, "start": "2015-01-16 22:01:21.671637",
"warnings": []}
stderr: Permission denied (publickey).
FATAL: all hosts have already failed -- aborting
PLAY RECAP
********************************************************************

====================== End - from Github SSH-key test that fails ===

======================= Start - ansible version info ===

$ ansible --version
ansible 1.8.2
configured module search path = None

====================== End - ansible version info ===

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/5ee1ffe2-6f7b-4f1d-b059-81c0a27ed45b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Paul Hardwick

2015-02-04 17:16:18 UTC

Permalink

OK let me try this a different way.

First let me verify that should work for Private repositories and not just
Public ones.

Are there any special options that need/should be added to the master
config file or as options when calling the containing Playbook?

Any ideas or even questions that might point me in the right direction
appreciated.

Post by Paul Hardwick
Hello Ansiblers,
I am trying use ansible to bring in a Private GITHUB repository and am
having issues and getting "Permission denied (publickey)." I've done some
digging and checked the ideas I came across on the mailing list so far, but
none of them have worked.
- I've opened up the ports in the outbound firewall
- If I do a public repo it works fine, so its not an issue reaching GITHUB
in general just the Private repositories.
- If I try to clone the Private repository manually on the destination
server it works correctly
directly but fails under Ansible in a playbook using command.
So it would seem like the SSH key info isn't being passed along. BTW I've
tried the github ssh-key test both with and without SUDO auth. And it fails
either way. The SSH-key is the same for my SSH login and github.
I have included the log of the original failure and the github test for
recognition of the users SSH-Key
Any clues of things I can check or what I might be doing wrong would be
appreciated.
Thanks,
Paul
================ Start - from playbook output that fails ===

============== End - from playbook output that fails ===
================ Start - from Github SSH-key test that fails ===

/dev/null 2>&1'

====================== End - from Github SSH-key test that fails ===
======================= Start - ansible version info ===

$ ansible --version
ansible 1.8.2
configured module search path = None

====================== End - ansible version info ===

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/29af652d-0bed-484b-a86d-2c63dfd4b482%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Toshio Kuratomi

2015-02-04 17:36:10 UTC

Permalink

Private repositories should work. Here's a playbook I just ran to test:

---
- hosts: localhost
tasks:
- git:
repo: ***@github.com:ansible/****.git
accept_hostkey: True
dest: /var/tmp/private-checkout

From the sounds of it, I think you're right about the ssh key not
being used is the culprit. So my question would be how are you
setting things up so that ssh key is found and used by ansible? Are
you relying on ssh-agent forwarding or are you copying the private key
to the remote server beforehand? Is the key available to the correct
remote account user? etc.

-Toshio

Post by Paul Hardwick
OK let me try this a different way.
First let me verify that should work for Private repositories and not just
Public ones.
Are there any special options that need/should be added to the master config
file or as options when calling the containing Playbook?
Any ideas or even questions that might point me in the right direction
appreciated.

============== End - from playbook output that fails ===
================ Start - from Github SSH-key test that fails ===

TASK: [Execute command - check SSH-key access to GitHub]
**********************
<111.222.333.444> ESTABLISH CONNECTION FOR USER: MyUbuntuUser
<111.222.333.444> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o
ControlPersist=60s -o
ControlPath="/Users/MyOSXuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=8023
-o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o
PasswordAuthentication=no -o User=MyUbuntuUser -o ConnectTimeout=10
111.222.333.444 /bin/sh -c 'mkdir -p
$HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052 && chmod a+rx
$HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052 && echo
$HOME/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052'
<111.222.333.444> PUT
/var/folders/jv/z2wn_pn52l76vtv84tsj2yf40000gx/T/tmpodUAD4 TO
/home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/command
<111.222.333.444> EXEC ssh -C -tt -vvv -o ControlMaster=auto -o
ControlPersist=60s -o
ControlPath="/Users/MyOSXuser/.ansible/cp/ansible-ssh-%h-%p-%r" -o Port=8023
-o KbdInteractiveAuthentication=no -o
PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o
PasswordAuthentication=no -o User=MyUbuntuUser -o ConnectTimeout=10
111.222.333.444 /bin/sh -c 'LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8
/usr/bin/python
/home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/command;
rm -rf
/home/MyUbuntuUser/.ansible/tmp/ansible-tmp-1421445689.53-55058409970052/

/dev/null 2>&1'

====================== End - from Github SSH-key test that fails ===
======================= Start - ansible version info ===

$ ansible --version
ansible 1.8.2
configured module search path = None

====================== End - ansible version info ===

--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/29af652d-0bed-484b-a86d-2c63dfd4b482%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+***@googlegroups.com.
To post to this group, send email to ansible-***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAG9juEqTF1LA6_j0FJNrTsN6SUgNr4sijThY%2Bntibs1tLyzd7w%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Paul Hardwick

2015-07-21 20:02:59 UTC

Permalink

Sorry for the extra long delay in responding but I didn't your reply come
in and I had been doing the git pulls manually just to get past it. I have
been revisiting the issue since we may be moving to AWS and I've been
trying to setup some new playbook to cover everything.

I've been relying on agent forwarding, not actually copying over the
private key.

Public still works. But Private is still giving me fits. My playbook is
almost identical to the one you posted. Except I ran on the remote server
and not localhost

- I verified that AgentForwarding is being used "EXEC ssh -C -tt -vvv -o
ForwardAgent=yes -" is in the log

- If I do basically the exact same steps manually it works.(using same SSH
keypair to login to the same server)

- "ssh -T ***@github.com" works natively on the server via SSH, but fails
when run via playbook

- name: Execute command - check SSH-key access to GitHub
command: /usr/bin/ssh -T ***@github.com

the output with server ID obscured
TASK: [Execute command - check SSH-key access to GitHub]
**********************
failed: [ec2-00-00-00-00.us-xxxxx-2.compute.amazonaws.com] => {"changed":
true, "cmd": ["/usr/bin/ssh", "-T", "***@github.com"], "delta":
"0:00:00.496378", "end": "2015-07-21 19:51:54.642785", "rc": 255, "start": "2015-07-21
19:51:54.146407", "warnings": []}
stderr: Permission denied (publickey).

FATAL: all hosts have already failed -- aborting

I am going to a Ubuntu14LTS server and running Ver1.9.2 of ansible now,
but and earlier version during my prior attempts

Any Solid clues appreciated. I'm still digging thru the other threads but
nothing matches yet.
Paul

Post by Toshio Kuratomi
---
- hosts: localhost
accept_hostkey: True
dest: /var/tmp/private-checkout
From the sounds of it, I think you're right about the ssh key not
being used is the culprit. So my question would be how are you
setting things up so that ssh key is found and used by ansible? Are
you relying on ssh-agent forwarding or are you copying the private key
to the remote server beforehand? Is the key available to the correct
remote account user? etc.
-Toshio

Post by Paul Hardwick
OK let me try this a different way.
First let me verify that should work for Private repositories and not

just

Post by Paul Hardwick
Public ones.
Are there any special options that need/should be added to the master

config

Post by Paul Hardwick
file or as options when calling the containing Playbook?
Any ideas or even questions that might point me in the right direction
appreciated.

Post by Paul Hardwick
Hello Ansiblers,
I am trying use ansible to bring in a Private GITHUB repository and am
having issues and getting "Permission denied (publickey)." I've done

some