
raspi_config_replace_user

[Open] GeiserX opened this issue 5 years ago • 3 comments

Hi,

I am new to Ansible, sorry, I don't understand everything very well. I am using this role to test it against a Pi 3B+.

When using it along with `raspi_config_replace_user` it says

TASK [mikolak-net.raspi_config : optional warning] 
******************************************************************************************************
fatal: [10.0.0.2]: FAILED! => {
    "msg": "ABLE TO SSH IN WITH FACTORY CREDENTIALS - ASSUME PWNED IF SSH OPEN TO THE INTERNET"
}

I think it says that because it still has the user "pi" with password "raspberry" available. Then in another task I could delete the user, but my question is, why doesn't this role change it? I just want to log in to the Pi through the default credentials and then block them, only allowing connections through ssh to this user and only with the public key of the ansible server.

I know it advises that post_tasks will not continue if it has the default credentials, but why?

Thank you!

GeiserX avatar Dec 06 '18 09:12 GeiserX

Hi,

if I understand you correctly, the role pretty much already does what you describe, i.e. it logs in with the default credentials, adds a custom user, and then removes the default credentials.

However, for this to work, you need to have the raspi_config_replace_user configuration key set correctly. Here's an example from the Readme:

  roles:
     - role: mikolak-net.raspi_config
       raspi_config_replace_user:
         name: mainuser
         path_to_ssh_key: "~/.ssh/my_pub_key_id_rsa.pub"

If you have the configuration key set up correctly, and, after running the role, the default credentials are still present, then there's a bug. Please let me know whether this is the case.

mikolak-net avatar Dec 06 '18 16:12 mikolak-net

Hi,

Yes, after running it, it really does create the user and I can log in via public cert to that new user. But the thing is that the role does that strange check and it fails. Now I've tried setting this in the playbook:

ignore_errors: yes

And it continues after erroring... But I think that's not optimal! And also, the user "pi" with password "raspberry" is still available... So I have to create a play just to remove it. Also suboptimal.

Thank you for helping and thank you for creating this great role! Let's do it better together!

GeiserX avatar Dec 06 '18 18:12 GeiserX
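A host-side way to verify the end state the thread is after (the "pi" account gone or locked and sshd refusing passwords), as an added example that is not part of the role or this thread. It reads constructed /etc/passwd, /etc/shadow and sshd_config samples instead of attempting a login; the finding strings are my own, and the fallback of `yes` for PasswordAuthentication follows sshd's documented default.

```python
"""Added example (not from the role or this issue): host-side check that the
factory 'pi' account can no longer log in over SSH, the end state the role's
'check for login' task probes by trying the default credentials."""
import re

# Constructed /etc/passwd, /etc/shadow and sshd_config as they would look right
# after the role has created 'eddie' but before 'remove default user' has run.
PASSWD_BEFORE = """root:x:0:0:root:/root:/bin/bash
pi:x:1000:1000:,,,:/home/pi:/bin/bash
eddie:x:1001:1001::/home/eddie:/bin/bash
"""
SHADOW_BEFORE = """root:*:17871:0:99999:7:::
pi:$6$saltsalt$constructedhashvalue:17871:0:99999:7:::
eddie:!:17871:0:99999:7:::
"""
SSHD_CONFIG_BEFORE = """Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication no
"""

def parse_shadow(text):
    """Map user -> shadow password field ('!' or '*' prefix means locked)."""
    rows = (l.split(':') for l in text.splitlines() if l and not l.startswith('#'))
    return {r[0]: r[1] for r in rows}

def sshd_option(text, keyword, default):
    """Effective global sshd_config value: sshd uses the FIRST occurrence of a
    keyword, ignores comments, and Match blocks are conditional (stop there)."""
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith('#'):
            continue
        if s.split()[0].lower() == 'match':
            break
        m = re.match(r'(\S+)\s+(\S+)', s)
        if m and m.group(1).lower() == keyword.lower():
            return m.group(2).lower()
    return default

def factory_login_findings(passwd, shadow, sshd_config, user='pi'):
    """Reasons the factory account could still be used over SSH; [] is clean."""
    findings = []
    if user in {l.split(':')[0] for l in passwd.splitlines() if l}:
        findings.append(f"account '{user}' still exists")
        pw = parse_shadow(shadow).get(user, '')
        if pw and not pw.startswith(('!', '*')):
            findings.append(f"account '{user}' has a usable password hash")
    if sshd_option(sshd_config, 'PasswordAuthentication', 'yes') != 'no':
        findings.append('sshd still accepts password authentication')
    return findings
```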

I'm seeing the same thing as DrumSergio, just to confirm.

I've set up my ansible playbook as such:

    - hosts: "{{ host }}"
      remote_user: pi
      become: true
      vars:
        raspi_config_timezone: America/Vancouver
      vars_prompt:
        - name: host
          prompt: "Enter host"
          private: no
          when: host == ""
        - name: raspi_config_hostname
          prompt: "Enter new hostname"
          private: no
          when: raspi_config_hostname == ""
      pre_tasks:
        - name: Get vim, tmux, etc
          apt:
            name: vim,tmux,mercurial
      roles:
        - role: mikolak-net.raspi_config
          raspi_config_replace_user:
            name: eddie
            path_to_ssh_key: "~/.ssh/id_rsa.pub"

And my ansible version is:

    ansible-galaxy 2.7.4
      config file = /etc/ansible/ansible.cfg
      configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
      ansible python module location = /usr/lib/python2.7/dist-packages/ansible
      executable location = /usr/bin/ansible-galaxy
      python version = 2.7.15rc1 (default, Nov 12 2018, 14:31:15) [GCC 7.3.0]

Lastly, the output looks like it warns and then tries to run the handler and fails? I'm not certain:

	TASK [oefenweb.locales : set default locale] ********************************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [Stouts.hostname : Update hostname] ************************************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [Stouts.hostname : Update /etc/hostname] *******************************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [Stouts.hostname : Update /etc/hosts pt. 1] ****************************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [Stouts.hostname : Update /etc/hosts pt. 2] ****************************************************************************************************************************************************************************************************************************************************
	
	TASK [mikolak-net.raspi_config : update all packages] ***********************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : sets the timezone] *************************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : Create user eddie] *************************************************************************************************************************************************************************************************************************************************
	changed: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : Add your login key to eddie] ***************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : Add eddie to sudoers] **********************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : ensure utility present] ********************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : check for login] ***************************************************************************************************************************************************************************************************************************************************
	ok: [10.0.0.20]
	
	TASK [mikolak-net.raspi_config : optional warning] **************************************************************************************************************************************************************************************************************************************************
	fatal: [10.0.0.20]: FAILED! => {
	    "msg": "ABLE TO SSH IN WITH FACTORY CREDENTIALS - ASSUME PWNED IF SSH OPEN TO THE INTERNET"
	}
	
	RUNNING HANDLER [mikolak-net.raspi_config : remove default user] ************************************************************************************************************************************************************************************************************************************
	        to retry, use: --limit @/root/ansible/raspberrypi/initialize-master-node.retry
	
	PLAY RECAP ******************************************************************************************************************************************************************************************************************************************************************************************
	10.0.0.20                  : ok=16   changed=1    unreachable=0    failed=1

eddieparker avatar Dec 13 '18 06:12 eddieparker