wiki: add WSL OpenSSH default shell + Ansible world-writable mount articles

Two new troubleshooting articles from today's MajorRig/MajorMac Ansible setup: - Windows OpenSSH WSL default shell breaks remote SSH commands - Ansible silently ignores ansible.cfg on WSL2 world-writable mounts Article count: 76 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 10:23:02 -04:00
parent c66d3a6fd0
commit daa771760b
8 changed files with 188 additions and 11 deletions
--- a/05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md
+++ b/05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md
@@ -0,0 +1,89 @@
+---
+title: "Ansible Ignores ansible.cfg on WSL2 Windows Mounts"
+domain: troubleshooting
+category: ansible
+tags: [ansible, wsl, wsl2, windows, vault, configuration]
+status: published
+created: 2026-04-03
+updated: 2026-04-03
+---
+
+# Ansible Ignores ansible.cfg on WSL2 Windows Mounts
+
+## Problem
+
+Running Ansible from a repo on a Windows drive (`/mnt/c/`, `/mnt/d/`, etc.) in WSL2 silently ignores the local `ansible.cfg`. You'll see:
+
+```
+[WARNING]: Ansible is being run in a world writable directory
+(/mnt/d/MajorAnsible), ignoring it as an ansible.cfg source.
+```
+
+This causes vault decryption to fail (`Attempting to decrypt but no vault secrets found`), inventory to fall back to `/etc/ansible/hosts`, and `remote_user` to reset to defaults — even though `ansible.cfg` is right there in the project directory.
+
+## Cause
+
+WSL2 mounts Windows NTFS drives with broad permissions (typically `0777`). Ansible refuses to load `ansible.cfg` from any world-writable directory as a security measure — a malicious user on a shared system could inject a rogue config.
+
+This is hardcoded behavior in Ansible and cannot be overridden with a flag.
+
+## Solutions
+
+### Option 1: Environment Variables (Recommended)
+
+Export the settings that `ansible.cfg` would normally provide. Add to `~/.bashrc`:
+
+```bash
+export ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass
+```
+
+Other common settings you may need:
+
+```bash
+export ANSIBLE_REMOTE_USER=root
+export ANSIBLE_INVENTORY=/mnt/d/MajorAnsible/inventory/inventory.yml
+```
+
+### Option 2: Pass Flags Explicitly
+
+```bash
+ansible-playbook -i inventory/ playbook.yml --vault-password-file ~/.ansible/vault_pass
+```
+
+This works but is tedious for daily use.
+
+### Option 3: Clone to a Native Linux Path
+
+Clone the repo inside the WSL2 filesystem instead of on the Windows mount:
+
+```bash
+git clone https://git.example.com/repo.git ~/MajorAnsible
+```
+
+Native WSL2 paths (`/home/user/...`) have proper Linux permissions, so `ansible.cfg` loads normally. The tradeoff is that Windows tools can't easily access the repo.
+
+### Option 4: Fix Mount Permissions (Not Recommended)
+
+You can change WSL2 mount permissions via `/etc/wsl.conf`:
+
+```ini
+[automount]
+options = "metadata,umask=022"
+```
+
+This requires a `wsl --shutdown` and remount. It may break other Windows-Linux interop workflows and affects all mounted drives.
+
+## Diagnosis
+
+To confirm whether Ansible is loading your config:
+
+```bash
+ansible --version
+```
+
+Look for the `config file` line. If it shows `None` instead of your project's `ansible.cfg`, the config is being ignored.
+
+## Related
+
+- [Ansible: Vault Password File Not Found](ansible-vault-password-file-missing.md) — general vault password troubleshooting
+- [Ansible Docs: Avoiding Security Risks with ansible.cfg](https://docs.ansible.com/ansible/latest/reference_appendices/config.html#cfg-in-world-writable-dir)
--- a/05-troubleshooting/index.md
+++ b/05-troubleshooting/index.md
@@ -10,12 +10,14 @@ Practical fixes for common Linux, networking, and application problems.
 - [Mail Client Stops Receiving: Fail2ban IMAP Self-Ban](networking/fail2ban-imap-self-ban-mail-client.md)
 - [firewalld: Mail Ports Wiped After Reload](networking/firewalld-mail-ports-reset.md)
 - [Tailscale SSH: Unexpected Re-Authentication Prompt](networking/tailscale-ssh-reauth-prompt.md)
+- [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md)
 - [ISP SNI Filtering & Caddy](isp-sni-filtering-caddy.md)
 - [yt-dlp YouTube JS Challenge Fix](yt-dlp-fedora-js-challenge.md)

 ## ⚙️ Ansible & Fleet Management
 - [SSH Timeout During dnf upgrade on Fedora Hosts](ansible-ssh-timeout-dnf-upgrade.md)
 - [Vault Password File Missing](ansible-vault-password-file-missing.md)
+- [ansible.cfg Ignored on WSL2 Windows Mounts](ansible-wsl2-world-writable-mount-ignores-cfg.md)

 ## 📦 Docker & Systems
 - [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](docker-caddy-selinux-post-reboot-recovery.md)
--- a/05-troubleshooting/majwiki-setup-and-pipeline.md
+++ b/05-troubleshooting/majwiki-setup-and-pipeline.md
@@ -133,7 +133,7 @@ The Obsidian Git plugin was evaluated but dropped — too convoluted for a simpl

 ```bash
 cd ~/Documents/MajorVault
-git add 20-Projects/MajorTwin/08-Wiki/
+git add 30-Areas/MajorWiki/
 git commit -m "wiki: describe your changes"
 git push
 ```
--- a/05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md
+++ b/05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md
@@ -0,0 +1,69 @@
+---
+title: "Windows OpenSSH: WSL as Default Shell Breaks Remote Commands"
+domain: troubleshooting
+category: networking
+tags: [windows, openssh, wsl, ssh, majorrig, powershell]
+status: published
+created: 2026-04-03
+updated: 2026-04-03
+---
+
+# Windows OpenSSH: WSL as Default Shell Breaks Remote Commands
+
+## Problem
+
+SSH remote commands fail with:
+
+```
+Invalid command line argument: -c
+Please use 'wsl.exe --help' to get a list of supported arguments.
+```
+
+This happens on **every** remote command — `ssh-copy-id`, `ssh user@host "command"`, `scp`, etc. Interactive SSH (no command) may still work if it drops into WSL.
+
+## Cause
+
+Windows OpenSSH's default shell is set to `C:\Windows\System32\wsl.exe`. When SSH executes a remote command, it invokes:
+
+```
+<default_shell> -c "<command>"
+```
+
+But `wsl.exe` does not accept the `-c` flag. It expects `-e` for command execution, or no flags for an interactive session. Since OpenSSH hardcodes `-c`, every remote command fails.
+
+## Fix
+
+Change the default shell to PowerShell. Run this in an **elevated PowerShell** on the Windows host:
+
+```powershell
+New-ItemProperty -Path "HKLM:\SOFTWARE\OpenSSH" -Name DefaultShell -Value "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -PropertyType String -Force
+Restart-Service sshd
+```
+
+If you need to run this from within WSL (e.g., over an interactive SSH session):
+
+```bash
+powershell.exe -Command "Start-Process powershell -Verb RunAs -ArgumentList '-Command New-ItemProperty -Path HKLM:\\SOFTWARE\\OpenSSH -Name DefaultShell -Value C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -PropertyType String -Force; Restart-Service sshd'"
+```
+
+## After the Fix
+
+- Remote SSH commands now execute via PowerShell
+- To run Linux commands, prefix with `wsl`:
+  ```bash
+  ssh user@host "wsl bash -c 'cd /mnt/d/project && git pull'"
+  ```
+- Interactive SSH sessions land in PowerShell (use `wsl` to enter Linux)
+- `ssh-copy-id` still won't work for WSL's `authorized_keys` — Windows OpenSSH reads from `C:\Users\<user>\.ssh\authorized_keys`, not the WSL home directory
+
+## Key Notes
+
+- This registry key is the **only** supported way to change the OpenSSH default shell on Windows
+- The change persists across reboots and Windows Updates
+- If you previously set the default shell to `wsl.exe` to get a Linux-first SSH experience, be aware that it permanently breaks all remote command execution
+- Tools like Ansible, `scp`, `rsync`, and `ssh-copy-id` all depend on `-c` working
+
+## Related
+
+- [Windows OpenSSH Server (sshd) Stops After Reboot](windows-sshd-stops-after-reboot.md) — sshd service startup issues
+- [Microsoft Docs: OpenSSH DefaultShell](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-server-configuration#configuring-the-default-shell-for-openssh-in-windows)
--- a/MajorWiki-Deploy-Status.md
+++ b/MajorWiki-Deploy-Status.md
@@ -2,7 +2,7 @@
 title: MajorWiki Deployment Status
 status: deployed
 project: MajorTwin
-updated: '2026-03-12'
+updated: '2026-04-02'
 ---

 # MajorWiki Deployment Status
@@ -31,8 +31,8 @@ DNS record and Caddy entry have been removed.

 ## Content

- 42 articles across 5 domains
- Source of truth: `MajorVault/20-Projects/MajorTwin/08-Wiki/`
+- 74 articles across 5 domains
+- Source of truth: `MajorVault/30-Areas/MajorWiki/`
 - Deployed via Gitea webhook (push from MajorAir → auto-pull on majorlab)

 ## Update Workflow
@@ -40,7 +40,7 @@ DNS record and Caddy entry have been removed.
 ```bash
 # From MajorRig (majorlinux user)
 rsync -av --include="*.md" --include="*/" --exclude="*" \
-  /mnt/c/Users/majli/Documents/MajorVault/20-Projects/MajorTwin/08-Wiki/ \
+  /mnt/c/Users/majli/Documents/MajorVault/30-Areas/MajorWiki/ \
  root@majorlab:/opt/majwiki/docs/

 # MkDocs hot-reloads automatically — no container restart needed
@@ -71,7 +71,7 @@ Obsidian Git plugin was evaluated and dropped — too convoluted. Manual git fro

 ```bash
 cd ~/Documents/MajorVault
-git add 20-Projects/MajorTwin/08-Wiki/
+git add 30-Areas/MajorWiki/
 git commit -m "wiki: describe your changes"
 git push
 ```
@@ -145,3 +145,14 @@ Every time a new article is added, the following **MUST** be updated to maintain
 - `02-selfhosting/monitoring/netdata-new-server-setup.md` — full Netdata deployment guide: install via kickstart.sh, email notification config, Netdata Cloud claim

 **Updated:** `updated: 2026-03-18`
+
+## Session Update — 2026-04-02
+
+**Article count:** 74 (was 49)
+
+**New article this session:**
+- `02-selfhosting/security/fail2ban-wordpress-login-jail.md` — Fail2ban custom jail for WordPress login brute force (access-log-based, no plugin required)
+
+**Also today:** Major wiki audit added 8 articles from archive, fixed 67 wikilinks, added frontmatter to 43 files, moved wiki from `20-Projects/MajorTwin/08-Wiki/` to `30-Areas/MajorWiki/`. See daily note for full details.
+
+**Updated:** `updated: 2026-04-02`
--- a/README.md
+++ b/README.md
@@ -2,8 +2,8 @@

 > A growing reference of Linux, self-hosting, open source, streaming, and troubleshooting guides. Written by MajorLinux. Used by MajorTwin.
 >
-**Last updated:** 2026-04-02
-**Article count:** 74
+**Last updated:** 2026-04-03
+**Article count:** 76

 ## Domains

--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -68,10 +68,12 @@
    * [SELinux: Fixing Dovecot Mail Spool Context (/var/vmail)](05-troubleshooting/selinux-dovecot-vmail-context.md)
    * [mdadm RAID Recovery After USB Hub Disconnect](05-troubleshooting/storage/mdadm-usb-hub-disconnect-recovery.md)
    * [Windows OpenSSH Server (sshd) Stops After Reboot](05-troubleshooting/networking/windows-sshd-stops-after-reboot.md)
+    * [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md)
    * [Ollama Drops Off Tailscale When Mac Sleeps](05-troubleshooting/ollama-macos-sleep-tailscale-disconnect.md)
    * [macOS: Repeating Alert Tone from Mirrored iPhone Notification](05-troubleshooting/macos-mirrored-notification-alert-loop.md)
    * [ClamAV CPU Spike: Safe Scheduling with nice/ionice](05-troubleshooting/security/clamscan-cpu-spike-nice-ionice.md)
    * [Ansible: Vault Password File Not Found](05-troubleshooting/ansible-vault-password-file-missing.md)
+    * [Ansible: ansible.cfg Ignored on WSL2 Windows Mounts](05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md)
    * [Ansible: SSH Timeout During dnf upgrade on Fedora Hosts](05-troubleshooting/ansible-ssh-timeout-dnf-upgrade.md)
    * [Fedora Networking & Kernel Troubleshooting](05-troubleshooting/fedora-networking-kernel-recovery.md)
    * [Systemd Session Scope Fails at Login](05-troubleshooting/systemd/session-scope-failure-at-login.md)
--- a/index.md
+++ b/index.md
@@ -2,8 +2,8 @@

 > A growing reference of Linux, self-hosting, open source, streaming, and troubleshooting guides. Written by MajorLinux. Used by MajorTwin.
 >
-> **Last updated:** 2026-04-02
-> **Article count:** 74
+> **Last updated:** 2026-04-03
+> **Article count:** 76

 ## Domains

@@ -13,7 +13,7 @@
 | 🏠 Self-Hosting & Homelab | `02-selfhosting/` | 21 |
 | 🔓 Open Source Tools | `03-opensource/` | 10 |
 | 🎙️ Streaming & Podcasting | `04-streaming/` | 2 |
-| 🔧 General Troubleshooting | `05-troubleshooting/` | 26 |
+| 🔧 General Troubleshooting | `05-troubleshooting/` | 28 |


 ---
@@ -142,8 +142,10 @@
 - [SELinux: Fixing Dovecot Mail Spool Context (/var/vmail)](05-troubleshooting/selinux-dovecot-vmail-context.md) — fixing thousands of AVC denials when /var/vmail has wrong SELinux context
 - [mdadm RAID Recovery After USB Hub Disconnect](05-troubleshooting/storage/mdadm-usb-hub-disconnect-recovery.md) — diagnosing and recovering a failed mdadm array caused by a USB hub dropout
 - [Windows OpenSSH Server (sshd) Stops After Reboot](05-troubleshooting/networking/windows-sshd-stops-after-reboot.md) — fixing sshd not running after reboot due to Manual startup type
+- [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) — fixing remote SSH command failures when wsl.exe is the default shell
 - [Ollama Drops Off Tailscale When Mac Sleeps](05-troubleshooting/ollama-macos-sleep-tailscale-disconnect.md) — keeping Ollama reachable over Tailscale by disabling macOS sleep on AC power
 - [Ansible: Vault Password File Not Found](05-troubleshooting/ansible-vault-password-file-missing.md) — fixing the missing vault_pass file error when running ansible-playbook
+- [Ansible: ansible.cfg Ignored on WSL2 Windows Mounts](05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md) — fixing silent config ignore due to world-writable /mnt/d/ permissions
 - [Ansible SSH Timeout During dnf upgrade](05-troubleshooting/ansible-ssh-timeout-dnf-upgrade.md) — preventing SSH timeouts during long-running dnf upgrades on Fedora
 - [Fedora Networking & Kernel Troubleshooting](05-troubleshooting/fedora-networking-kernel-recovery.md) — nmcli quick fix, GRUB kernel rollback, and recovery for Fedora fleet
 - [Custom Fail2ban Jail: Apache Directory Scanning](05-troubleshooting/security/apache-dirscan-fail2ban-jail.md) — blocking directory scanners and junk HTTP methods
@@ -157,6 +159,8 @@

 | Date | Article | Domain |
 |---|---|---|
+| 2026-04-03 | [Windows OpenSSH: WSL Default Shell Breaks Remote Commands](05-troubleshooting/networking/windows-openssh-wsl-default-shell-breaks-remote-commands.md) | Troubleshooting |
+| 2026-04-03 | [Ansible: ansible.cfg Ignored on WSL2 Windows Mounts](05-troubleshooting/ansible-wsl2-world-writable-mount-ignores-cfg.md) | Troubleshooting |
 | 2026-04-02 | [Fail2ban Custom Jail: WordPress Login Brute Force](02-selfhosting/security/fail2ban-wordpress-login-jail.md) | Self-Hosting |
 | 2026-04-02 | [Mastodon Instance Tuning](02-selfhosting/services/mastodon-instance-tuning.md) | Self-Hosting |
 | 2026-04-02 | [mdadm — Rebuilding a RAID Array After Reinstall](01-linux/storage/mdadm-raid-rebuild.md) | Linux |