Having trouble disabling the root login.
Note, we are using ansible-vault to encrypt our vault files, but we are not storing the password in a file - instead, we use --ask-vault-pass and enter it manually.
Possibly due to the above, we are asked for our password twice during the initial stages of server.yml:
$ ansible-playbook server.yml -e env=staging --ask-vault-pass
Vault password:
PLAY [Ensure necessary variables are defined] **********************************
TASK [Ensure environment is defined] *******************************************
skipping: [localhost]
PLAY [Determine Remote User] ***************************************************
TASK [remote-user : Determine whether to connect as root or admin_user] ********
Vault password:
ok: [178.62.19.91 -> localhost]
TASK [remote-user : Set remote user for each host] *****************************
ok: [178.62.19.91]
TASK [remote-user : Announce which user was selected] **************************
Note: Ansible will attempt connections as user = root
ok: [178.62.19.91]
The playbook continues as normal, but then when we get to the disabling of root login:
TASK [users : Check whether Ansible can connect as admin_user] *****************
ERROR! Decryption failed
ok: [178.62.19.91 -> localhost]
TASK [users : Fail if root login will be disabled but admin_user cannot connect] ***
System info:
Ansible 2.0.1.0; Darwin
Trellis at "Fix #569 - Only skip subdomains for non-www domains"
---------------------------------------------------
The admin_user is unable to connect to the server. To prevent you from losing
access to your server, the playbook has halted before disabling root login
(`sshd_permit_root_login: false`). Ensure that the admin_user appears in your
`users` hash with a valid entry for `keys`.
fatal: [178.62.19.91]: FAILED! => {"changed": false, "failed": true}
Note the decryption failed message - it’s as if it wanted to look at the vault at that point, but didn’t ask us for the password.
I can successfully log in over ssh (using keys not password) with both root@X.X.X.X and admin@X.X.X.X, so the problem is not the keys.