Disabling root login while using --ask-vault-pass - ERROR! Decryption failed

Having trouble disabling the root login.

Note, we are using ansible-vault to encrypt our vault files, but we are not storing the password in a file - instead, we use --ask-vault-pass and enter it manually.

Possibly due to the above, we are asked for our password twice during the initial stages of server.yml:

$ ansible-playbook server.yml -e env=staging --ask-vault-pass
Vault password: 

PLAY [Ensure necessary variables are defined] **********************************

TASK [Ensure environment is defined] *******************************************
skipping: [localhost]

PLAY [Determine Remote User] ***************************************************

TASK [remote-user : Determine whether to connect as root or admin_user] ********
Vault password: 
ok: [ -> localhost]

TASK [remote-user : Set remote user for each host] *****************************
ok: []

TASK [remote-user : Announce which user was selected] **************************
Note: Ansible will attempt connections as user = root
ok: []

The playbook continues as normal, but then when we get to the disabling of root login:

TASK [users : Check whether Ansible can connect as admin_user] *****************
ERROR! Decryption failed
ok: [ -> localhost]

TASK [users : Fail if root login will be disabled but admin_user cannot connect] ***
System info:
  Ansible; Darwin
  Trellis at "Fix #569 - Only skip subdomains for non-www domains"
The admin_user is unable to connect to the server. To prevent you from losing
access to your server, the playbook has halted before disabling root login
(`sshd_permit_root_login: false`). Ensure that the admin_user appears in your
`users` hash with a valid entry for `keys`.
fatal: []: FAILED! => {"changed": false, "failed": true}

Note the decryption failed message - it’s as if it wanted to look at the vault at that point, but didn’t ask us for the password.

I can successfully log in over ssh (using keys not password) with both root@X.X.X.X and admin@X.X.X.X, so the problem is not the keys.

@discopatrick Thanks for reporting this. I’m sad you had to discover it. I’ve proposed a fix at roots/trellis#582.

Yes, when you use --ask-vault-pass you will have to enter the password on these occasions:

  • immediately after running the ansible-playbook command, so that Ansible can decrypt your files and get started
  • as part of the remote-user role’s ping command that tests whether it can connect at root
  • as part of the user role’s ping command that tests whether the admin_user will be able to connect (only if sshd_permit_root_login: false)

Although the playbook triggers execution of the two ping commands above, these are Ansible “ad hoc commands” and thus Ansible treats them separately, not using the Vault pass you typed the first time.

There may be some way of capturing the password the first time you enter it, making it available for subsequent needs, but so far Trellis has avoided trying to store passwords in memory or temp files. Feel free to dig into the code and propose improvements to this process.
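To make the mechanism in the reply concrete: each of the two ping checks is a separate ansible process, so whatever the playbook was given with --ask-vault-pass is not visible to them, and they either re-prompt or fail with "Decryption failed" when no terminal is available. The wrapper below is an added example written for this thread (it is not Trellis code and not the fix in roots/trellis#582). It prompts for the vault password once, keeps it in an environment variable of the wrapper's process tree rather than in a file, and points Ansible's real ANSIBLE_VAULT_PASSWORD_FILE setting at a small executable script that prints that variable; Ansible runs an executable password file and reads the password from its stdout. Because nested ad hoc `ansible` runs launched by the playbook inherit the environment, they can decrypt without prompting. The variable name ANSIBLE_VAULT_PASS and the script path are this example's own choices.

```shell
#!/bin/sh
# Added example, not Trellis code: prompt once for the vault password and
# expose it to ansible-playbook and to any ad hoc `ansible` commands the
# playbook spawns (the remote-user and users pings) via an executable
# vault password script, so they do not re-prompt or fail to decrypt.

# Writes an executable "vault password file" at $1. Ansible executes a
# password file that has the executable bit set and uses its stdout as the
# password. The script body reads ANSIBLE_VAULT_PASS (our own env var name,
# an assumption of this example); the password itself never touches disk.
write_vault_pass_script() {
  script="$1"
  cat > "$script" <<'EOF'
#!/bin/sh
# Executed by Ansible; prints the vault password from the environment.
if [ -z "$ANSIBLE_VAULT_PASS" ]; then
  echo "ANSIBLE_VAULT_PASS is not set" >&2
  exit 1
fi
printf '%s\n' "$ANSIBLE_VAULT_PASS"
EOF
  chmod 700 "$script"
}

# Reads the password once without terminal echo and exports it so every
# child process of this wrapper (playbook and nested ad hoc runs) sees it.
prompt_vault_pass() {
  printf 'Vault password: ' >&2
  stty -echo 2>/dev/null
  read -r ANSIBLE_VAULT_PASS
  stty echo 2>/dev/null
  echo >&2
  export ANSIBLE_VAULT_PASS
}

# Runs server.yml for environment $1 with the password script $2.
# ANSIBLE_VAULT_PASSWORD_FILE is a real Ansible setting (the env form of
# DEFAULT_VAULT_PASSWORD_FILE), so no --ask-vault-pass is needed here.
run_server_playbook() {
  env_name="$1"
  script="$2"
  ANSIBLE_VAULT_PASSWORD_FILE="$script" \
    ansible-playbook server.yml -e "env=$env_name"
}

# Entry point for interactive use: ./vault-wrapper.sh --run staging
if [ "${1:-}" = "--run" ]; then
  pass_script="${TMPDIR:-/tmp}/vault-pass-$$.sh"
  write_vault_pass_script "$pass_script"
  trap 'rm -f "$pass_script"' EXIT
  prompt_vault_pass
  run_server_playbook "${2:-staging}" "$pass_script"
fi
```

The script written to disk contains no secret (it only reads the variable), so committing it to the repository would be harmless; what does need care is that the password lives in the environment of the wrapper's process tree, which other processes running as the same user can read. That is the trade-off against prompting three times, and it is why the reply notes Trellis has so far avoided holding the password anywhere beyond the prompt.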