Ansible playbooks on systems configured with a fingerprint reader
- If you have a working fingerprint reader on your Linux laptop or workstation, you are likely using it for authenticating privilege escalation. For instance, `sudo` will prompt like this:

  ```
  $ sudo su
  Place your finger on the fingerprint reader
  ```
- I like to run Ansible playbooks on my devices for routine maintenance and updates.
- However, Ansible does not support MFA, which means that when using `--ask-become-pass`, the system first prompts for the fingerprint and does not fall back to a password prompt, resulting in a timeout. Link: https://github.com/ansible/ansible/issues/3345

  ```
  [...]
  TASK [Gathering Facts] **************************************************************************************************************
  fatal: [localhost]: FAILED! => {"msg": "timeout waiting for privilege escalation password prompt:\n"}
  ```
- Ansible has no plan to support this, and fixing this issue would require a rewrite of the `become` module.
- There are 2 workarounds:
  - If your playbook target is a remote machine, the easiest workaround is to disable the fingerprint scanner auth for a specific user in PAM and then use that user as your playbook's `remote_user`.
  - If the playbook is executed from and to the same machine, for instance with `hosts: localhost`, simply press your fingerprint reader when Ansible starts gathering facts:

    ```
    TASK [Gathering Facts]
    ```

    If successful, the playbook will carry on and you'll see the following notice in the console logs:

    ```
    TASK [Gathering Facts] ************************************************************************************************************
    [WARNING]: Module invocation had junk after the JSON data: Place your finger on the fingerprint reader
    ```

- Not very clean, but this gets the job done.
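The first workaround (a dedicated automation account that skips the fingerprint module) can be expressed in PAM as below. This is an added example, not part of the original note: it assumes the fingerprint step is enabled by a line `auth sufficient pam_fprintd.so` in the auth stack that `sudo` includes (the file is distribution-specific, e.g. `/etc/pam.d/system-auth` or `/etc/pam.d/common-auth`, and some distributions use a jump-style entry instead of `sufficient`), and that the Ansible account is named `ansible`.

```text
# Assumed auth stack fragment: skip pam_fprintd.so for the "ansible" account only.
# pam_succeed_if: when the user is "ansible", success=1 jumps over the next 1 module
# (the fingerprint one); for every other user the result is ignored and the
# fingerprint prompt is shown first, as before.
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user = ansible
auth    sufficient                  pam_fprintd.so
# Password authentication stays the fallback for everyone and is the only method
# for "ansible", so --ask-become-pass gets the password prompt Ansible expects.
auth    sufficient                  pam_unix.so try_first_pass nullok
auth    required                    pam_deny.so
```

Point `remote_user` at the `ansible` account in the inventory, and keep that account's sudoers rule scoped to the commands the playbooks need, since it no longer benefits from the fingerprint factor.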