ssh passphrase not working in rundeck ansible resource module

[kedar9696]

ssh passphrase not working in rundeck ansible resource module it is working in Node Executor using SSH

• i have created a project using ansible resource model . i have added ssh-key and passphrase for that key in key-storage, when i tried to scan nodes by passing ansible inventory iam getting below error
  Getting Below error

PLAY [all] *********************************************************************

TASK [Gathering Facts] *********************************************************
fatal: [qa-live.corp]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: dev.ops@qa-live.corp: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).", "unreachable": true}

It is working from cli

rundeck@5c4c23700c44:~/projects/gra-ops/inventories/local$ ansible all-m ping -i qa.yaml -u dev.ops --private-key=devops.pem 
Enter passphrase for key '/home/rundeck/projects/gra-ops/inventories/local/devops.pem': 
qa-live.corp | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"
    },
    "changed": false,
    "ping": "pong"
} 

Rundeck version : 5.3.0
Ansible Version : 2.16.8

My Observations :

It seems that the issue may be related to the handling of the SSH key passphrase. Here are the key observations:

1. Passphrase Prompt in CLI: When running the Ansible command from the CLI, it prompts for the SSH key passphrase. Once the passphrase is entered and stored in the session, the node becomes visible in the Rundeck UI.
2. Node Disappears After Some Time: After some time, the node disappears from the Rundeck UI.
3. Passphrase Required Again: When checking again via the CLI, it prompts for the passphrase once more, indicating that the passphrase needs to be re-entered to establish the connection.

Summary
The root cause seems to be the handling and persistence of the SSH key passphrase. When the passphrase is entered and stored in the CLI session, the node becomes accessible. However, once the session expires or is reset, the passphrase needs to be re-entered for the node to be accessible again.

[jimr6007]

me too, this was working a week or so ago, going to try rolling back the plugin version

plugin ver: 4.0.4
RD version v5.4.0-20240618

sorry, I should be more specific, I have some jobs where I actually pass the password via a rundeck job option, user enters password, now failing with

fatal: [my-inventory-host...]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).", "unreachable": true}

from cli though it woeks as expected

ansible -i ./sso-inventory -m command -a whoami all -l my-inventory-host... -u jrichard -k

ansible.debug=true is showing me a null pointer exception

[2024-07-22T15:50:51,376] ERROR resources.ExceptionCatchingResourceModelSource - [ResourceModelSource: 2.source (com.batix.rundeck.plugins.AnsibleResourceModelSourceFactory), project: AnsibleJobs]
java.lang.NullPointerException: null
        at com.rundeck.plugins.ansible.plugin.AnsibleResourceModelSource.ansibleInventoryList(AnsibleResourceModelSource.java:717) ~[?:?]
        at com.rundeck.plugins.ansible.plugin.AnsibleResourceModelSource.getNodes(AnsibleResourceModelSource.java:403) ~[?:?]
        at com.dtolabs.rundeck.core.resources.ExceptionCatchingResourceModelSource.getNodes(ExceptionCatchingResourceModelSource.java:58) [rundeck-core-5.4.0-20240618.jar!/:?]
        at com.dtolabs.rundeck.core.resources.DelegateResourceModelSource.getNodes(DelegateResourceModelSource.java:35) [rundeck-core-5.4.0-20240618.jar!/:?]
        at com.dtolabs.rundeck.core.common.ProjectNodeSupport.getNodeSet(ProjectNodeSupport.java:137) [rundeck-core-5.4.0-20240618.jar!/:?]
        at com.dtolabs.rundeck.core.common.ProjectNodeSupport$ProjectNodesSource.getNodes(ProjectNodeSupport.java:358) [rundeck-core-5.4.0-20240618.jar!/:?]
        at com.dtolabs.rundeck.core.resources.ExceptionCatchingResourceModelSource.getNodes(ExceptionCatchingResourceModelSource.java:58) [rundeck-core-5.4.0-20240618.jar!/:?]
        at com.dtolabs.rundeck.core.resources.ResourceModelSource$getNodes.call(Unknown Source) [rundeck-core-5.4.0-20240618.jar!/:?]
        at rundeck.services.nodes.CachedProjectNodes.reloadNodeSet(CachedProjectNodes.groovy:44) [classes!/:?]
        at rundeck.services.nodes.CachedProjectNodes$reloadNodeSet.call(Unknown Source) [classes!/:?]
        at rundeck.services.NodeService$_loadNodes_closure4.doCall(NodeService.groovy:295) [classes!/:?]
        at rundeck.services.NodeService$_loadNodes_closure4.doCall(NodeService.groovy) [classes!/:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
        at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107) [groovy-3.0.19.jar!/:3.0.19]
        at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) [groovy-3.0.19.jar!/:3.0.19]
        at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:274) [groovy-3.0.19.jar!/:3.0.19]
        at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1030) [groovy-3.0.19.jar!/:3.0.19]
        at groovy.lang.Closure.call(Closure.java:427) [groovy-3.0.19.jar!/:3.0.19]
        at groovy.lang.Closure.call(Closure.java:406) [groovy-3.0.19.jar!/:3.0.19]
        at com.codahale.metrics.Timer.time(Timer.java:118) [metrics-core-4.2.22.jar!/:4.2.22]
        at org.grails.plugins.metricsweb.MetricService.withTimer(MetricService.groovy:61) [grails-metricsweb-5.4.0-20240618-plain.jar!/:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]

[jimr6007]

not sure if this is relevant but I am finding recently that (maybe this was always the case with Rundeck) when user input is involved with something on the Rundeck UI, Windows style CR/LF are finding there way into the system which is going to cause problems of course.

An example is trying to use the key store to store an ssh key. If I use rd cli via bash to upload the key value from a file it works fine but if I copy/paste the key value data into the UI, no dice.

I have a script that dumps my RD configs and some of the files when viewed with vim have the ^M line endings.

I have a strong suspicion that my jobs that used to work via password entered into an "option" that are now failing is related to extra CR/LF's finding their way into places they should not be