Why root can't connect to remote server?


#1

This is driving me crazy. When I do: ansible-playbook server.yml -e env=production

PLAY [Ensure necessary variables are defined] **********************************

TASK [Ensure environment is defined] *******************************************
skipping: [localhost]

PLAY [Determine Remote User] ***************************************************

TASK [remote-user : Determine whether to connect as root or admin_user] ********
ok: [46.101.136.20 -> localhost]

TASK [remote-user : Set remote user for each host] *****************************
ok: [46.101.136.20]

TASK [remote-user : Announce which user was selected] **************************
ok: [46.101.136.20] => {
"msg": "Note: Ansible will attempt connections as user = admin"
}

PLAY [WordPress Server - Install LEMP Stack with PHP 5.6 and MariaDB MySQL] ****

TASK [setup] *******************************************************************
fatal: [46.101.136.20]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH encountered an unknown error during the connection. We recommend you re-run the command using -vvvv, which will enable SSH debugging output to help diagnose the issue", "unreachable": true}

PLAY RECAP *********************************************************************
46.101.136.20 : ok=3 changed=0 unreachable=1 failed=0
localhost : ok=0 changed=0 unreachable=0 failed=0

We can see that it is trying to connect as admin, that means that root wasn’t able to connect. But why?

ssh root@ is working fine, no login prompt. Keys in users.yml are configured with remote host (Github). I checked the keys like 20 times, everything is good. This is a vanilla install.


Best Practice: Passwordless Authentication
#2

@Wassim I’m not sure this is the same issue, but I am reminded of this problem when a user’s ansible couldn’t connect but his manual ssh could. Turned out he was using an SSH key with password authentication and had saved the password so it seemed like his manual ssh was the passwordless ssh that ansible requires.

Could you try your manual ssh connection with PasswordAuthentication=no like this:

ssh -o PasswordAuthentication=no root@46.101.136.20 "echo can_connect" || echo cannot_connect

What output do you get?
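The check above tests one thing: whether the host accepts a key-only login as a given user, with the same non-interactive options Ansible passes to ssh. The following is an added example (not code from this thread or from Trellis) that builds that command and classifies the outcome from ssh's exit status and stderr, so that "reached sshd but the key was refused" is kept apart from "never got a connection". Host, user and identity path are parameters; the runner is injectable so the classification can be exercised offline:

```python
"""Key-only SSH check that mirrors the options Ansible passes to ssh.

Added example, not code from the original thread or from Trellis. It assumes
an OpenSSH server on the target; host, user and identity are parameters. The
default runner shells out to the local ssh binary; a runner can be injected
so the classification logic is testable without a network.
"""
import subprocess
from typing import Callable, List, Optional, Tuple

# Options taken from the `SSH: EXEC ssh ...` lines Ansible prints with -vvvv,
# plus BatchMode=yes so that an unexpected prompt fails instead of hanging.
NONINTERACTIVE_OPTS = [
    "-o", "BatchMode=yes",
    "-o", "PasswordAuthentication=no",
    "-o", "KbdInteractiveAuthentication=no",
    "-o", "PreferredAuthentications=publickey",
    "-o", "ConnectTimeout=10",
]

Runner = Callable[[List[str]], Tuple[int, str, str]]


def build_ssh_command(host: str, user: str, identity: Optional[str] = None) -> List[str]:
    """Return the argv for a one-shot key-only login test as `user`."""
    cmd = ["ssh", *NONINTERACTIVE_OPTS, "-o", f"User={user}"]
    if identity:
        # Offer only this key; avoids "Too many authentication failures"
        # when the agent holds many keys.
        cmd += ["-o", "IdentitiesOnly=yes", "-i", identity]
    cmd += [host, "echo can_connect"]
    return cmd


def classify_ssh_result(rc: int, stderr: str) -> str:
    """Map ssh's exit status and stderr to a verdict.

    ssh exits 255 for its own errors (connection or authentication); any
    other non-zero status is the remote command's exit code, which means
    the login itself worked.
    """
    if rc == 0:
        return "ok"
    if rc != 255:
        return "connected_command_failed"
    if "Permission denied" in stderr:
        return "auth_failed"          # reached sshd, key was not accepted
    if ("Host key verification failed" in stderr
            or "REMOTE HOST IDENTIFICATION HAS CHANGED" in stderr):
        return "hostkey_mismatch"
    network_markers = ("Connection timed out", "Connection refused",
                       "No route to host", "Network is unreachable",
                       "Could not resolve hostname")
    if any(m in stderr for m in network_markers):
        return "unreachable"          # never reached the authentication stage
    return "unknown"


def _subprocess_runner(cmd: List[str]) -> Tuple[int, str, str]:
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def check_key_auth(host: str, user: str, identity: Optional[str] = None,
                   runner: Runner = _subprocess_runner) -> str:
    """Run the probe and return one of the verdicts from classify_ssh_result."""
    rc, _stdout, stderr = runner(build_ssh_command(host, user, identity))
    return classify_ssh_result(rc, stderr)


if __name__ == "__main__":
    import sys
    target_host, target_user = sys.argv[1], sys.argv[2]   # e.g. 46.101.136.20 root
    print(check_key_auth(target_host, target_user))
```

Run it once as root and once as the admin user; if root is `ok` and admin is `auth_failed`, the server is reachable and the question is purely which public keys landed in the admin user's authorized_keys, not connectivity.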


#3

@fullyint

wassim at Perle in ~
$ ssh -o PasswordAuthentication=no root@46.101.136.20 "echo can_connect" || echo cannot_connect

can_connect

I’m not using a passphrase with my SSH key, if that’s what you mean.

Edit: When I change admin_user to root in users.yml it works fine…


#4

I haven’t seen this before. Looking at the error msg more closely, I think it may not be an SSH authentication issue. Here is the message I get if I try to connect to your server (unsuccessfully, of course):

PLAY [WordPress Server - Install LEMP Stack with PHP 5.6 and MariaDB MySQL] ***

GATHERING FACTS ***************************************************************
fatal: [46.101.136.20] => SSH Error: Permission denied (publickey,password).
    while connecting to 46.101.136.20:22

My message is SSH Error: Permission denied but your message was simply UNREACHABLE!. I don’t know what would cause that except temporary loss of connectivity, but then I don’t know why a manual ssh connection still worked for you.

In your scenario ansible’s connection as root failed for the task “Determine whether to connect as root or admin_user” but succeeded at the beginning of “PLAY [WordPress Server - Install LEMP Stack with PHP 5.6 and MariaDB MySQL]” (when connecting as admin_user: root). If you’re interested, you could add -vvvv to your ansible-playbook command which will show you the ssh commands ansible is using for each task. You could compare the options/flags on the ssh commands for these two tasks to try to figure out what is different.

However, now that you’ve had an instance of the server being reachable by ansible, I’d encourage you to check if the defaults will work. (Change back to the default of admin_user: admin with "{{ admin_user }}" in the users dictionary and rerun server.yml.) If that succeeds, then I guess it was a random connectivity issue.

For more debugging, note that the task that tries to “Determine whether to connect as root or admin_user” is just running the command below to see if ansible can connect to your server as root. I don’t anticipate the result would be different running this command manually, but you could see if it gives you a success output, or if the debug info is helpful:

ansible 46.101.136.20 -m ping -i hosts/production -u root -vvvv

You might also check whether your ~/.ssh/config has any entries applicable to 46.101.136.20 that might conflict with the ssh options you see ansible using via -vvvv. I’m just trying to think of anything that could cause ansible’s ssh connection to differ from your manual ssh connection.

Finally, if you reply, and if the problem persists, let us know which version of ansible you’re on: ansible --version


#5

Really appreciate your help to figure out what’s going wrong here @fullyint :wink:

I spent all night doing tests with fresh DO droplets and am still running into the same issue, so I don’t think this is a random connectivity issue.

Adding -vvvv to ansible-playbook shows SSH connection errors with user admin and the provided keys, which I do believe is normal.

Strangely when I run the task as you suggest I get a success output:

wassim at Perle in ~/projects/sites/wassim.is/trellis
$ ansible 46.101.136.20 -m ping -i hosts/production -u root -vvvv
Using /Users/wassim/Projects/sites/wassim.is/trellis/ansible.cfg as config file


Loaded callback minimal of type stdout, v2.0
<46.101.136.20> ESTABLISH SSH CONNECTION FOR USER: root
<46.101.136.20> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/wassim/.ansible/cp/ansible-ssh-%h-%p-%r -tt 46.101.136.20 'mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1452934974.88-76994425556988 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1452934974.88-76994425556988 )"'
<46.101.136.20> PUT /var/folders/ff/x0kywtrd2fs7_2c1n521fw2r0000gn/T/tmpmYLQTH TO /root/.ansible/tmp/ansible-tmp-1452934974.88-76994425556988/ping
<46.101.136.20> SSH: EXEC sftp -b - -C -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/wassim/.ansible/cp/ansible-ssh-%h-%p-%r '[46.101.136.20]'
<46.101.136.20> ESTABLISH SSH CONNECTION FOR USER: root
<46.101.136.20> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=root -o ConnectTimeout=10 -o ControlPath=/Users/wassim/.ansible/cp/ansible-ssh-%h-%p-%r -tt 46.101.136.20 'LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1452934974.88-76994425556988/ping; rm -rf "/root/.ansible/tmp/ansible-tmp-1452934974.88-76994425556988/" > /dev/null 2>&1'
46.101.136.20 | SUCCESS => {
    "changed": false,
    "invocation": {
        "module_args": {
            "data": null
        },
        "module_name": "ping"
    },
    "ping": "pong"
}

I don’t have a ~/.ssh/config file. I have ansible 2.0.0.2.

Here is the full output with -vvvv, maybe you could spot something I didn’t.

wassim at Perle in ~/projects/sites/wassim.is/trellis
$ ansible-playbook server.yml -e env=production -vvvv
Using /Users/wassim/Projects/sites/wassim.is/trellis/ansible.cfg as config file
Loaded callback default of type stdout, v2.0
3 plays in server.yml

PLAY [Ensure necessary variables are defined] **********************************

TASK [Ensure environment is defined] *******************************************
task path: /Users/wassim/Projects/sites/wassim.is/trellis/variable-check.yml:8
skipping: [localhost] => {"changed": false, "skip_reason": "Conditional check failed", "skipped": true}

PLAY [Determine Remote User] ***************************************************

TASK [remote-user : Determine whether to connect as root or admin_user] ********
task path: /Users/wassim/Projects/sites/wassim.is/trellis/roles/remote-user/tasks/main.yml:2
ESTABLISH LOCAL CONNECTION FOR USER: wassim
localhost EXEC ( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1452945500.28-235100027086551 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1452945500.28-235100027086551 )" )
localhost PUT /var/folders/ff/x0kywtrd2fs7_2c1n521fw2r0000gn/T/tmpt_Qx3y TO /Users/wassim/.ansible/tmp/ansible-tmp-1452945500.28-235100027086551/command
localhost EXEC LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LC_MESSAGES=en_US.UTF-8 /usr/local/opt/python/bin/python2.7 /Users/wassim/.ansible/tmp/ansible-tmp-1452945500.28-235100027086551/command; rm -rf "/Users/wassim/.ansible/tmp/ansible-tmp-1452945500.28-235100027086551/" > /dev/null 2>&1
ok: [46.101.136.20 -> localhost] => {"changed": false, "cmd": ["ansible", "46.101.136.20", "-m", "ping", "-i", "-u", "root"], "delta": "0:00:00.304961", "end": "2016-01-16 12:58:20.705643", "failed": false, "failed_when_result": false, "invocation": {"module_args": {"_raw_params": "ansible 46.101.136.20 -m ping -i  -u root", "_uses_shell": false, "chdir": null, "creates": null, "executable": null, "removes": null, "warn": true}, "module_name": "command"}, "rc": 5, "start": "2016-01-16 12:58:20.400682", "stderr": "ERROR! Missing target hosts", "stdout": "Usage: ansible <host-pattern> [options]\n\nOptions:\n  -a MODULE_ARGS, --args=MODULE_ARGS\n                        module arguments\n  --ask-become-pass     ask for privilege escalation password\n  -k, --ask-pass        ask for connection password\n  --ask-su-pass         ask for su password (deprecated, use become)\n  -K, --ask-sudo-pass   ask for sudo password (deprecated, use become)\n  --ask-vault-pass      ask for vault password\n  -B SECONDS, --background=SECONDS\n                        run asynchronously, failing after X seconds\n                        (default=N/A)\n  -b, --become          run operations with become (nopasswd implied)\n  --become-method=BECOME_METHOD\n                        privilege escalation method to use (default=sudo),\n                        valid choices: [ sudo | su | pbrun | pfexec | runas |\n                        doas ]\n  --become-user=BECOME_USER\n                        run operations as this user (default=root)\n  -C, --check           don't make any changes; instead, try to predict some\n                        of the changes that may occur\n  -c CONNECTION, --connection=CONNECTION\n                        connection type to use (default=smart)\n  -D, --diff            when changing (small) files and templates, show the\n                        differences in those files; works great with --check\n  -e EXTRA_VARS, --extra-vars=EXTRA_VARS\n                        set 
additional variables as key=value or YAML/JSON\n  -f FORKS, --forks=FORKS\n                        specify number of parallel processes to use\n                        (default=5)\n  -h, --help            show this help message and exit\n  -i INVENTORY, --inventory-file=INVENTORY\n                        specify inventory host path (default=hosts) or comma\n                        separated host list\n  -l SUBSET, --limit=SUBSET\n                        further limit selected hosts to an additional pattern\n  --list-hosts          outputs a list of matching hosts; does not execute\n                        anything else\n  -m MODULE_NAME, --module-name=MODULE_NAME\n                        module name to execute (default=command)\n  -M MODULE_PATH, --module-path=MODULE_PATH\n                        specify path(s) to module library (default=None)\n  --new-vault-password-file=NEW_VAULT_PASSWORD_FILE\n                        new vault password file for rekey\n  -o, --one-line        condense output\n  --output=OUTPUT_FILE  output file name for encrypt or decrypt; use - for\n                        stdout\n  -P POLL_INTERVAL, --poll=POLL_INTERVAL\n                        set the poll interval if using -B (default=15)\n  --private-key=PRIVATE_KEY_FILE, --key-file=PRIVATE_KEY_FILE\n                        use this file to authenticate the connection\n  --scp-extra-args=SCP_EXTRA_ARGS\n                        specify extra arguments to pass to scp only (e.g. -l)\n  --sftp-extra-args=SFTP_EXTRA_ARGS\n                        specify extra arguments to pass to sftp only (e.g. -f,\n                        -l)\n  --ssh-common-args=SSH_COMMON_ARGS\n                        specify common arguments to pass to sftp/scp/ssh (e.g.\n                        ProxyCommand)\n  --ssh-extra-args=SSH_EXTRA_ARGS\n                        specify extra arguments to pass to ssh only (e.g. 
-R)\n  -S, --su              run operations with su (deprecated, use become)\n  -R SU_USER, --su-user=SU_USER\n                        run operations with su as this user (default=root)\n                        (deprecated, use become)\n  -s, --sudo            run operations with sudo (nopasswd) (deprecated, use\n                        become)\n  -U SUDO_USER, --sudo-user=SUDO_USER\n                        desired sudo user (default=root) (deprecated, use\n                        become)\n  --syntax-check        perform a syntax check on the playbook, but do not\n                        execute it\n  -T TIMEOUT, --timeout=TIMEOUT\n                        override the connection timeout in seconds\n                        (default=10)\n  -t TREE, --tree=TREE  log output to this directory\n  -u REMOTE_USER, --user=REMOTE_USER\n                        connect as this user (default=None)\n  --vault-password-file=VAULT_PASSWORD_FILE\n                        vault password file\n  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable\n                        connection debugging)\n  --version             show program's version number and exit", "stdout_lines": ["Usage: ansible <host-pattern> [options]", "", "Options:", "  -a MODULE_ARGS, --args=MODULE_ARGS", "                        module arguments", "  --ask-become-pass     ask for privilege escalation password", "  -k, --ask-pass        ask for connection password", "  --ask-su-pass         ask for su password (deprecated, use become)", "  -K, --ask-sudo-pass   ask for sudo password (deprecated, use become)", "  --ask-vault-pass      ask for vault password", "  -B SECONDS, --background=SECONDS", "                        run asynchronously, failing after X seconds", "                        (default=N/A)", "  -b, --become          run operations with become (nopasswd implied)", "  --become-method=BECOME_METHOD", "                        privilege escalation method to use (default=sudo),", "                
        valid choices: [ sudo | su | pbrun | pfexec | runas |", "                        doas ]", "  --become-user=BECOME_USER", "                        run operations as this user (default=root)", "  -C, --check           don't make any changes; instead, try to predict some", "                        of the changes that may occur", "  -c CONNECTION, --connection=CONNECTION", "                        connection type to use (default=smart)", "  -D, --diff            when changing (small) files and templates, show the", "                        differences in those files; works great with --check", "  -e EXTRA_VARS, --extra-vars=EXTRA_VARS", "                        set additional variables as key=value or YAML/JSON", "  -f FORKS, --forks=FORKS", "                        specify number of parallel processes to use", "                        (default=5)", "  -h, --help            show this help message and exit", "  -i INVENTORY, --inventory-file=INVENTORY", "                        specify inventory host path (default=hosts) or comma", "                        separated host list", "  -l SUBSET, --limit=SUBSET", "                        further limit selected hosts to an additional pattern", "  --list-hosts          outputs a list of matching hosts; does not execute", "                        anything else", "  -m MODULE_NAME, --module-name=MODULE_NAME", "                        module name to execute (default=command)", "  -M MODULE_PATH, --module-path=MODULE_PATH", "                        specify path(s) to module library (default=None)", "  --new-vault-password-file=NEW_VAULT_PASSWORD_FILE", "                        new vault password file for rekey", "  -o, --one-line        condense output", "  --output=OUTPUT_FILE  output file name for encrypt or decrypt; use - for", "                        stdout", "  -P POLL_INTERVAL, --poll=POLL_INTERVAL", "                        set the poll interval if using -B (default=15)", "  --private-key=PRIVATE_KEY_FILE, 
--key-file=PRIVATE_KEY_FILE", "                        use this file to authenticate the connection", "  --scp-extra-args=SCP_EXTRA_ARGS", "                        specify extra arguments to pass to scp only (e.g. -l)", "  --sftp-extra-args=SFTP_EXTRA_ARGS", "                        specify extra arguments to pass to sftp only (e.g. -f,", "                        -l)", "  --ssh-common-args=SSH_COMMON_ARGS", "                        specify common arguments to pass to sftp/scp/ssh (e.g.", "                        ProxyCommand)", "  --ssh-extra-args=SSH_EXTRA_ARGS", "                        specify extra arguments to pass to ssh only (e.g. -R)", "  -S, --su              run operations with su (deprecated, use become)", "  -R SU_USER, --su-user=SU_USER", "                        run operations with su as this user (default=root)", "                        (deprecated, use become)", "  -s, --sudo            run operations with sudo (nopasswd) (deprecated, use", "                        become)", "  -U SUDO_USER, --sudo-user=SUDO_USER", "                        desired sudo user (default=root) (deprecated, use", "                        become)", "  --syntax-check        perform a syntax check on the playbook, but do not", "                        execute it", "  -T TIMEOUT, --timeout=TIMEOUT", "                        override the connection timeout in seconds", "                        (default=10)", "  -t TREE, --tree=TREE  log output to this directory", "  -u REMOTE_USER, --user=REMOTE_USER", "                        connect as this user (default=None)", "  --vault-password-file=VAULT_PASSWORD_FILE", "                        vault password file", "  -v, --verbose         verbose mode (-vvv for more, -vvvv to enable", "                        connection debugging)", "  --version             show program's version number and exit"], "warnings": []}

TASK [remote-user : Set remote user for each host] *****************************
task path: /Users/wassim/Projects/sites/wassim.is/trellis/roles/remote-user/tasks/main.yml:8
ok: [46.101.136.20] => {"ansible_facts": {"ansible_ssh_user": "admin"}, "changed": false, "invocation": {"module_args": {"ansible_ssh_user": "admin"}, "module_name": "set_fact"}}

TASK [remote-user : Announce which user was selected] **************************
task path: /Users/wassim/Projects/sites/wassim.is/trellis/roles/remote-user/tasks/main.yml:12
ok: [46.101.136.20] => {
    "msg": "Note: Ansible will attempt connections as user = admin"
}

PLAY [WordPress Server - Install LEMP Stack with PHP 5.6 and MariaDB MySQL] ****

TASK [setup] *******************************************************************
<46.101.136.20> ESTABLISH SSH CONNECTION FOR USER: admin
<46.101.136.20> SSH: EXEC ssh -C -vvv -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/Users/wassim/.ansible/cp/ansible-ssh-%h-%p-%r -tt 46.101.136.20 '( umask 22 && mkdir -p "$( echo $HOME/.ansible/tmp/ansible-tmp-1452945500.99-56678584603749 )" && echo "$( echo $HOME/.ansible/tmp/ansible-tmp-1452945500.99-56678584603749 )" )'
fatal: [46.101.136.20]: UNREACHABLE! => {"changed": false, "msg": "ERROR! SSH encountered an unknown error. The output was:\nOpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015\r\ndebug1: Reading configuration data /usr/local/etc/ssh/ssh_config\r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/Users/wassim/.ansible/cp/ansible-ssh-46.101.136.20-22-admin\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to 46.101.136.20 [46.101.136.20] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 9691 ms remain after connect\r\ndebug1: identity file /Users/wassim/.ssh/id_rsa type 1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_rsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_dsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_dsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_ecdsa type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_ecdsa-cert type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_ed25519 type -1\r\ndebug1: key_load_public: No such file or directory\r\ndebug1: identity file /Users/wassim/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_7.1\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3\r\ndebug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3 pat OpenSSH_6.6.1* compat 0x04000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: Authenticating to 46.101.136.20:22 as 'admin'\r\ndebug3: hostkeys_foreach: reading file \"/Users/wassim/.ssh/known_hosts\"\r\ndebug3: 
record_hostkey: found key type ECDSA in file /Users/wassim/.ssh/known_hosts:1\r\ndebug3: load_hostkeys: loaded 1 keys from 46.101.136.20\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1\r\ndebug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa\r\ndebug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: 
umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: 
hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: first_kex_follows 0 \r\ndebug2: reserved 0 \r\ndebug1: kex: server->client chacha20-poly1305@openssh.com <implicit> zlib@openssh.com\r\ndebug1: kex: client->server chacha20-poly1305@openssh.com <implicit> zlib@openssh.com\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: ecdsa-sha2-nistp256 SHA256:HGIBUqe80IruvA6w0l85MmOiCZyW9vU0CtwhDwR9mGs\r\ndebug3: hostkeys_foreach: reading file \"/Users/wassim/.ssh/known_hosts\"\r\ndebug3: record_hostkey: found key type ECDSA in file /Users/wassim/.ssh/known_hosts:1\r\ndebug3: load_hostkeys: loaded 1 keys from 46.101.136.20\r\ndebug1: Host '46.101.136.20' is known and matches the ECDSA host key.\r\ndebug1: Found key in /Users/wassim/.ssh/known_hosts:1\r\ndebug2: set_newkeys: mode 1\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug2: set_newkeys: mode 0\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug1: SSH2_MSG_SERVICE_REQUEST sent\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug2: key: /Users/wassim/.ssh/id_rsa (0x7f91a3c09260),\r\ndebug2: key: /Users/wassim/.ssh/id_dsa (0x0),\r\ndebug2: key: /Users/wassim/.ssh/id_ecdsa (0x0),\r\ndebug2: key: /Users/wassim/.ssh/id_ed25519 (0x0),\r\ndebug1: Authentications that can continue: publickey,password\r\ndebug3: start over, passed a different list publickey,password\r\ndebug3: preferred 
gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup publickey\r\ndebug3: remaining preferred: ,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Offering RSA public key: /Users/wassim/.ssh/id_rsa\r\ndebug3: send_pubkey_test\r\ndebug2: we sent a publickey packet, wait for reply\r\ndebug1: Authentications that can continue: publickey,password\r\ndebug1: Trying private key: /Users/wassim/.ssh/id_dsa\r\ndebug3: no such identity: /Users/wassim/.ssh/id_dsa: No such file or directory\r\ndebug1: Trying private key: /Users/wassim/.ssh/id_ecdsa\r\ndebug3: no such identity: /Users/wassim/.ssh/id_ecdsa: No such file or directory\r\ndebug1: Trying private key: /Users/wassim/.ssh/id_ed25519\r\ndebug3: no such identity: /Users/wassim/.ssh/id_ed25519: No such file or directory\r\ndebug2: we did not send a packet, disable method\r\ndebug1: No more authentication methods to try.\r\nPermission denied (publickey,password).\r\n", "unreachable": true}

PLAY RECAP *********************************************************************
46.101.136.20              : ok=3    changed=0    unreachable=1    failed=0
localhost                  : ok=0    changed=0    unreachable=0    failed=0
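The -vvvv output above shows what actually happened in the "Determine whether to connect as root or admin_user" task: the probe ran as `ansible 46.101.136.20 -m ping -i -u root` with an empty inventory path, so the CLI took `-u` as the argument of `-i`, was left with two positional arguments, and exited with rc 5 and "ERROR! Missing target hosts" without ever opening an SSH connection. The role read that non-zero exit as "root cannot connect" and fell back to admin. The following added example (not Trellis's remote-user role and not the fix from roots/trellis#470) shows how such a probe can be validated before it runs and how its result can be interpreted so that a broken probe is reported rather than silently changing the login user. The rc 4/5 meanings (parser error, bad or incomplete options) are the ansible CLI's; the flag table and the verdict names are this example's own:

```python
"""Interpret the result of a 'can we log in as root?' probe.

Added example, not Trellis's remote-user role and not the fix from
roots/trellis#470. It reproduces the shape of the `command` task result shown
in the -vvvv output in this thread and decides root / admin_user / broken
probe, so a malformed probe is surfaced instead of being read as "root
cannot connect".
"""
from typing import Any, Dict, List

# Exit statuses of the `ansible` CLI that mean the probe itself was wrong:
# 4 = parser error, 5 = bad or incomplete options ("Missing target hosts").
ANSIBLE_RC_PARSER_ERROR = 4
ANSIBLE_RC_BAD_OPTIONS = 5

# Flags of the ad-hoc `ansible` command that require a value (assumed list,
# limited to the flags used by the probe).
FLAGS_WITH_VALUE = {"-i", "-m", "-u", "-a",
                    "--inventory-file", "--module-name", "--user", "--args"}


def build_probe(host: str, inventory: str, user: str = "root") -> List[str]:
    """Build the ad-hoc ping probe; refuse an empty inventory path up front."""
    if not inventory:
        raise ValueError("inventory path is empty; the probe would become "
                         "'ansible HOST -m ping -i -u root' and fail with "
                         "'Missing target hosts'")
    return ["ansible", host, "-m", "ping", "-i", inventory, "-u", user]


def probe_is_well_formed(argv: List[str]) -> bool:
    """True if every value-taking flag is followed by a non-flag value."""
    for i, tok in enumerate(argv):
        if tok in FLAGS_WITH_VALUE:
            if i + 1 >= len(argv) or argv[i + 1].startswith("-"):
                return False
    return True


def decide_remote_user(result: Dict[str, Any], admin_user: str = "admin") -> str:
    """Return 'root', admin_user, 'probe_misconfigured' or 'probe_error'."""
    rc = result.get("rc", -1)
    stdout = result.get("stdout", "")
    stderr = result.get("stderr", "")
    if rc == 0 and "SUCCESS" in stdout and '"ping": "pong"' in stdout:
        return "root"
    if "UNREACHABLE!" in stdout:
        return admin_user                 # root really was refused; fall back
    if (rc in (ANSIBLE_RC_PARSER_ERROR, ANSIBLE_RC_BAD_OPTIONS)
            or "Missing target hosts" in stderr
            or stdout.startswith("Usage:")):
        return "probe_misconfigured"      # the probe never tried to connect
    return "probe_error"


# Constructed from the task result in the -vvvv output above (stdout shortened).
RESULT_FROM_THREAD = {
    "cmd": ["ansible", "46.101.136.20", "-m", "ping", "-i", "-u", "root"],
    "rc": 5,
    "stderr": "ERROR! Missing target hosts",
    "stdout": "Usage: ansible <host-pattern> [options]\n\nOptions:\n ...",
}

if __name__ == "__main__":
    print(probe_is_well_formed(RESULT_FROM_THREAD["cmd"]))   # False: -i swallowed -u
    print(decide_remote_user(RESULT_FROM_THREAD))            # probe_misconfigured
```

The point for anyone writing a similar "try root, else fall back" step: a non-zero exit from the probe is not evidence that root was refused. Distinguish the outcomes (SUCCESS, UNREACHABLE!, usage or option errors) and fail the play on the last kind, because silently switching to a different user hides a provisioning bug behind what looks like an SSH key problem.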

#6

Edit: I’m so stupid. I should’ve tried to use other ansible versions than the latest one. Everything is working fine with ansible 1.9.4. Thanks again @fullyint and sorry for the hassle!


#7

@Wassim Thanks for helping us discover the incompatibility with Ansible 2.0.0.2. That was a lot of work! It led to a fix in roots/trellis#470, so this problem no longer exists for Ansible 2.0+. However, you might want to stay on v1.9.4 till Ansible updates the deploy_helper module (see notes in roots/trellis#469)


#8

Just for future reference, I was getting a similar issue. When I provisioned to production I was getting this error:

TASK [Install Python 2.x] ******************************************************
System info:
  Ansible 2.2.1.0; Darwin
  Trellis at "Allow customization of PHP extensions"
---------------------------------------------------
Incorrect sudo password
fatal: [domain]: FAILED! => {"failed": true}
	to retry, use: --limit @/Users/username/Sites/project/trellis/server.retry

I was on ansible 2.2.1.0. When I downgraded to 2.2 (pip install -I ansible==2.2), it resolved the issue.