
SSH Fails Due to Key File Permissions When I Try to Provision a Vagrant VM with Ansible on Windows/Cygwin

I’m using Cygwin (CYGWIN_NT-6.3-WOW64) under Windows 8. I’m also running Vagrant (1.7.2) and Ansible (1.8.4). To be complete, my Virtualbox is 4.3.22.

Cygwin and Vagrant have been installed from their respective Windows install packages. I’m running Python 2.7.8 under Cygwin and used ‘pip install ansible’ to install Ansible.

All of these applications work fine in their own right. Cygwin works wonderfully; I use it as my shell all day, every day with no problems.

Vagrant and Virtualbox also work with no problems when I run Vagrant under Cygwin. Ansible works fine under Cygwin as well when I run plays or modules against the servers on my network.

The problem I run into is when I try to use Ansible to provision a Vagrant VM running locally.

For example, I vagrant up a VM and then draft a simple playbook to provision it. Following is the Vagrantfile:

VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.define :drupal1 do |config|
    config.vm.box = "centos65-x86_64-updated"
    config.vm.hostname = "drupal1"
    config.vm.network "forwarded_port", guest: 80, host: 10080
    config.vm.network :private_network, ip: "192.168.56.101"
    config.vm.provider "virtualbox" do |v|
      v.name   = "Drupal Server 1"
      v.memory = 1024
    end
    # Provision the VM with the Ansible playbook shown below
    config.vm.provision :ansible do |ansible|
      ansible.playbook = "provisioning/gather_facts.yml"
    end
  end # closes config.vm.define
end

and playbook:

---
- hosts: all
  gather_facts: yes

However, when I run ‘vagrant provision drupal1’, I get the following error:

vagrant provision drupal1
==> drupal1: Running provisioner: ansible...
PYTHONUNBUFFERED=1 ANSIBLE_FORCE_COLOR=true ANSIBLE_HOST_KEY_CHECKING=false ANSIBLE_SSH_ARGS='-o UserKnownHostsFile=/dev/null -o ControlMaster=auto -o ControlPersist=60s' ansible-playbook --private-key=C:/Users/mjenkins/workspace/Vagrant_VMs/Drupal1/.vagrant/machines/drupal1/virtualbox/private_key --user=vagrant --connection=ssh --limit='drupal1' --inventory-file=C:/Users/mjenkins/workspace/Vagrant_VMs/Drupal1/.vagrant/provisioners/ansible/inventory provisioning/gather_facts.yml

PLAY [all]

GATHERING FACTS
fatal: [drupal1] => private_key_file (C:/Users/mjenkins/workspace/Vagrant_VMs/Drupal1/.vagrant/machines/drupal1/virtualbox/private_key) is group-readable or world-readable and thus insecure - you will probably get an SSH failure

PLAY RECAP
to retry, use: --limit @/home/mjenkins/gather_facts.retry

drupal1 : ok=0 changed=0 unreachable=1 failed=0

Ansible failed to complete successfully. Any error output should be visible above. Please fix these errors and try again.

Looking at the error, it’s plainly obvious that it has something to do with Ansible’s interpretation of my key and the file permissions on either it or the folder it’s in.

Here are a few observations and steps I’ve tried:

  1. I tried setting the permissions on the file and all the directories leading up to the file in Cygwin. That is chmod -R 700 .vagrant in the project directory. Still got the same error.

  2. The key file is being referenced using a Windows path, not a Cygwin path (odd, though, that the file in the limit output has a Cygwin path). So I checked the permissions from the Windows side and changed it so that ‘Everyone’ has no access to .vagrant and all files/folders under it. Still got the same error.

  3. Then I thought there might still be some problems with the file permissions/paths between my Cygwin-based Ansible, so I installed Python for Windows, used that pip to install Ansible, set my paths to that location, created an ansible-playbook.bat file, and ran Vagrant from a Windows cmd shell. Glad to say that tool chain worked... but I still got the same problem.

At this point I’m just about out of ideas so I turn to you, friends of Stackoverflow, for your input.

Any thoughts on solving this problem?

Michael J asked Mar 12 '15 22:03


1 Answer

Your private key is very open and accessible by anyone. A check in the SSH client prevents using such keys.

Try changing permissions with chmod from your Cygwin or Git Bash, on your private and public keys. On C:/Users/mjenkins/workspace/Vagrant_VMs/Drupal1/.vagrant/machines/drupal1/virtualbox/private_key, run chmod 700 private_key and ensure you have -rwx------ with ls -la.

Zasz answered Nov 10 '22 07:11
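
The condition named in the error message (a key readable by group or others), written out as an added example; it is not code from the post or from Ansible, and the helper names and the temporary stand-in key file are constructed for illustration. It re-reads the mode after chmod, which shows whether the change actually took effect on the filesystem in use:

```python
import os
import stat
import tempfile

# Bits that make a key "group-readable or world-readable" in the error's terms.
GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def key_mode(path):
    """Permission bits of path as this interpreter's os.stat() reports them."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_insecure(path):
    """True when the key file is readable by group or by others."""
    return bool(key_mode(path) & GROUP_OTHER_READ)


def tighten(path, mode=0o700):  # 700 is the mode used in the answer above
    """chmod the key, then stat it again to confirm the change stuck.

    Returns (requested_mode_was_applied, key_is_still_insecure).
    """
    os.chmod(path, mode)
    return key_mode(path) == mode, is_insecure(path)


def demo():
    """Constructed sample: a throwaway file standing in for a private key."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)  # deliberately too open
        before = ("%o" % key_mode(path), is_insecure(path))
        applied, _ = tighten(path)
        after = ("%o" % key_mode(path), is_insecure(path))
        return before, applied, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Run it with the same Python interpreter that launches ansible-playbook, pointing is_insecure() at the real key path, to see the mode bits that interpreter reports. A native Windows Python build derives st_mode only from the file's read-only attribute, so it reports group and other read bits regardless of ACLs.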