[GH-ISSUE #551] [!] Unknown error (Couldn't read the fingerprint of /tmp/HTSyoTS523 (Couldn't exec requested command (Insecure directory in $ENV{PATH} while running with -T switch at... #141

Open
opened 2026-05-07 00:19:21 +02:00 by BreizhHardware · 0 comments

Originally created by @juju4 on GitHub (Apr 13, 2025).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/551

While running bastion install inside ansible, I get this error, but at different parts of the install

* on github runner, at `/opt/bastion/bin/admin/install --managed-upgrade` on healthcheck account creation
https://github.com/juju4/ansible_the_bastion/actions/runs/14423697204/job/40449434291#step:8:1808

```
"cmd": "/opt/bastion/bin/admin/install --managed-upgrade\n",
[...]
        "*** Creating the healthcheck account",
        "\u001b[1;34m---fv-az1319-65-------------------------------------------the-bastion-3.13.01---",
        "\u001b[0m\u001b[34m=> create a new bastion account",
        "\u001b[0m\u001b[34m--------------------------------------------------------------------------------",
        "\u001b[0m\u001b[34m~ \u001b[0mPlease paste the SSH key you want to add. This bastion supports the following algorithms:",
        "\u001b[34m~ \u001b[0mED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one",
        "\u001b[34m~ \u001b[0mECDSA  : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one",
        "\u001b[34m~ \u001b[0mRSA    : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one",
        "\u001b[34m~ \u001b[0m",
        "\u001b[34m~ \u001b[0mIn any case, don't save it without a passphrase (your paste won't be echoed).",
        "",
        "\u001b[31;1m~ \u001b[0m",
        "\u001b[31;1m~ [!] Unknown error (Couldn't read the fingerprint of /tmp/HTSyoTS523 (Couldn't exec requested command (Insecure directory in $ENV{PATH} while running with -T switch at /usr/lib/x86_64-linux-gnu/perl-base/IPC/Open3.pm line 176.))), please report to your sysadmin.\u001b[0m",
        "\u001b[1;34m-------------------------------------------------------------</accountCreate>---",
        "\u001b[0m",
        "`-> [\u001b[31mERR.\u001b[0m] Couldn't create the healthcheck account",
        "",
        "*** Ensuring bastionsync and healthcheck are in bastion-nopam group",
        "usermod: user 'healthcheck' does not exist",
        "",
        "`-> [\u001b[31mERR.\u001b[0m] ",
        "",
```

likely from https://github.com/ovh/the-bastion/blob/master/lib/perl/OVH/Bastion/ssh.inc#L344
from ansible setup
https://github.com/juju4/ansible_the_bastion/actions/runs/14423697204/job/40449434291#step:11:700

```
"PATH": "/opt/hostedtoolcache/Python/3.13.2/x64/bin:/opt/hostedtoolcache/Python/3.13.2/x64:/snap/bin:/home/runner/.local/bin:/opt/pipx_bin:/home/runner/.cargo/bin:/home/runner/.config/composer/vendor/bin:/usr/local/.ghcup/bin:/home/runner/.dotnet/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
```

Here I was thinking to enforce PATH like done here https://github.com/ovh/the-bastion/blob/master/bin/proxy/osh-http-proxy-worker#L29
imho, no reason or nearly to have custom path for system account creation and can't clean github runner environment.
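I tried adding it in my ansible play but that didn't help

* on github runner inside docker, at initial admin account creation
https://github.com/juju4/ansible_the_bastion/actions/runs/14423697213/job/40449434297#step:7:368

```
"cmd": "/opt/bastion/bin/admin/setup-first-admin-account.sh admin auto\n"
[...]
[!] Unknown error (Couldn't read the fingerprint of /tmp/2p_95IqsOL (Command exited with status 255)), please report to your sysadmin.
```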

manual run in lxc container gives me a different error and with a paste of ssh pub key needed

```
~ Creating group admin with GID 99998...
~ Creating user admin with UID 99998...
useradd warning: admin's uid 99998 outside of the UID_MIN 1000 and UID_MAX 60000 range.
useradd: warning: chown on `/home/admin' failed: Invalid argument
~ Creating tty group of account...
~ Adding account to potential supplementary groups...
~ Creating needed files and directories with proper permissions in home...

~ 
~ [!] Couldn't chown ttyrec directory (Invalid argument)
```

Tested with v3.13.01 and v3.20.00
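
As an added example (not part of the original issue or of The Bastion's code): perlsec requires every `$ENV{PATH}` entry to be absolute and not writable by others before a `-T` script may exec a command, so this shell function lists which entries of a PATH string break that rule. The function name `audit_path`, its output format and the sample directories are this example's own.

```shell
#!/bin/sh
# audit_path PATH_STRING
# Prints "REASON<TAB>ENTRY" for each entry that perlsec's PATH rule rejects
# (entry not absolute, or directory writable by "others").
# Returns 0 when every entry passes, 1 otherwise.
audit_path() {
    _rc=0
    _rest=$1:                      # trailing ':' so the last entry is consumed too
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}        # text before the first ':'
        _rest=${_rest#*:}          # drop that entry and its ':'
        case $_entry in
            /*) ;;
            *)  # relative or empty entry (empty means "current directory")
                printf 'not-absolute\t%s\n' "${_entry:-<empty>}"
                _rc=1
                continue ;;
        esac
        # Entries that do not exist cannot be stat'ed and are skipped.
        [ -d "$_entry" ] || continue
        # -L follows symlinks; character 9 of the mode string is other-write.
        case $(ls -ldL -- "$_entry") in
            ????????w*) printf 'writable-by-others\t%s\n' "$_entry"
                        _rc=1 ;;
        esac
    done
    return $_rc
}

# Constructed sample: one safe directory, one world-writable, one relative.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/ok" "$demo_dir/open"
chmod 755 "$demo_dir/ok"
chmod 777 "$demo_dir/open"
audit_path "$demo_dir/ok:$demo_dir/open:bin" \
    || echo "this PATH would be rejected under -T"
rm -rf "$demo_dir"
```

Calling `audit_path "$PATH"` in the runner step just before the installer shows which of the entries in the PATH quoted above is the offending one.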
