Ansible raw module - how to handle the password prompt on SFTP/SCP?

Question

For an ansible playbook to copy over a file on a target Junos machine, I need the raw module and sftp/scp to use.

The target machine (Junos) doesn't have python, so I have only raw module on the ansible side to run commands. And I've been trying sftp/scp both require the password to be entered on the prompt, but not getting it working using raw module.

If the copy command could be done in a single line, that'd work too, but the target machine doesn't have sshpass too. So, I'd hope to get any workaround so password can be provided on the prompt from raw module of ansible playbook.

This is from the Junos, sftp works fine after providing password on prompt.

root@:~ # sftp <username>@host:/file/location/file destFile
<username>@host's password:

And the playbook has the same command for raw but, can't handle the prompt for password even using multiple commands setting for raw using (;/&&).

     - name: "Copy config file on Junos"
#       raw: sftp <username>@host:/file/location/file destFile && <password>
#       raw: sftp <username>@host:/file/location/file destFile;<password>
       raw: sftp <username>@host:/file/location/file destFile
       register: disp
     - name: "Print disp"
       debug:
         var: disp

In short, how can I manipulate using the raw module of ansible to allow providing the password on the prompt?

Vladimir Botka · Answer 1 · 2023-03-24T02:27:36.877

Q: "Ansible raw module providing the password on the prompt."

A: The module raw is not able to provide a password. You'll have to script it. See Automatically enter SSH password with script

^{#!/usr/bin/expect
set timeout 20
set cmd [lrange $argv 1 end]
set password [lindex $argv 0]
eval spawn $cmd
expect "password:"
send "$password\r";
interact

Put it to /usr/bin/exp, So you can use
shell> exp <password> sftp <anysrc> <anydst>}

In Ansible, you can use the module expect and delegate_to: host if host can be used as an Ansible client. In this case, instead of pulling the file from host by junos, host can push the file to junos. Fit the responses to your needs

- name: Copy config file on Junos
  expect:
    command: scp /file/location/file username@junos:destFile
    responses:
      (?i)username@junos's password: "MySekretPa$$word"
  delegate_to: host

^{Q: "I dont know why delegate_to: host was used."
A: host here is either ansible_host, or inventory_hostname. The question says: "from the Junos, sftp works fine"
root@:~ # sftp <username>@host:/file/location/file destFile
<username>@host's password:

The question also says: "The target machine (Junos) doesn't have python ... (in Ansible) can't handle the prompt for password". In this case, you can't run the module expect on junos. Instead, you have to push the file from host to junos, i.e to run the scp command on host
- name: Copy config file on Junos
expect:
command: scp /file/location/file username@junos:destFile
responses:
(?i)username@junos's password: "MySekretPa$$word"
delegate_to: host

This is the reason for delegate_to: host The questioner in his own answer writes: "Here's the working .yml below"
- hosts: 127.0.0.1
connection: local
gather_facts: no
tasks:
- name: Copy config file on Junos
expect:
command: scp srcFile <user>@junos:/dest/file/
responses:
(.*)Password: "<password>"
delegate_to: localhost

Here the delegate_to: localhost is redundant because the task is running on localhost anyway. But, it doesn't hurt either.}

But that's going to copy the file to the local host, rather than to the Junos device. — larsks, Apr 25 '19 at 11:35
You're right. I missed the correct direction. Probably scp and *delegate_to: host* would do the job. I've fixed my answer. Thank you. — Vladimir Botka, Apr 25 '19 at 13:57
Actually, that would've worked if the Junos had python in it. — SaifAhmed, Apr 25 '19 at 14:08
@SaifAhmed: "*scp*" does not depent on "*python*". "*python*" is not needed at Junos to "*scp destFile username@junos:/file/location/file*". Have you tried? — Vladimir Botka, Apr 25 '19 at 14:39
@VladimirBotka yes, that's true. But I didn't mean "scp"/"sftp", I referred to "expect" actually. — SaifAhmed, Apr 25 '19 at 15:10
@SaifAhmed: "*expect*" is delegated to "*host*". Have you tried? — Vladimir Botka, Apr 25 '19 at 15:13
I dont know why `delegate_to: host` was used. I was able to accomplish this without using that line. It downloaded the files from another host to the remote host that was being used in the playbook with no problems. Using `delegate_to: host` failed for me. — Dave, Mar 24 '23 at 01:01
@Dave, you're running the task on the host you want to if you don't need *delegate_to: host*. I added detailed explanation to the answer. I also fixed the confusing *src* and *dest* paths. — Vladimir Botka, Mar 24 '23 at 01:51

score 0 · Answer 2 · edited Mar 24 '23 at 01:42

0

Seems, there's no such example to handle password prompt with the raw module.

Thus, decided to do the whole thing differently like, using expect copy file from Ansible host to junos. Here's the working .yml below:

- hosts: 127.0.0.1
  connection: local
  gather_facts: no
  tasks:
    - name: Copy config file on Junos
      expect:
        command: scp srcFile <user>@junos:/dest/file/
        responses:
          (.*)Password: "<password>"
      delegate_to: localhost

edited Mar 24 '23 at 01:42

Vladimir Botka

58,131
4
32
63

answered Apr 26 '19 at 13:50

SaifAhmed

19
1
3

Here you don't need `delegate_to: localhost` because the play is running on the single host *localhost*. – Vladimir Botka Mar 24 '23 at 01:41

Ansible raw module - how to handle the password prompt on SFTP/SCP?

2 Answers2