Password declaration in Clear text when using Kerberos ?


Neeraj Shah

Jul 30, 2019, 5:28:59 PM
to Ansible Development


Hi All,
As per the official docs, using Ansible to manage Windows hosts requires us to specify the password in plain text for the ansible_winrm_transport variable in the hosts file or the group_vars file. My question or confusion is: doesn't security take a beating here? In most cases we end up putting domain admin or local admin credentials here, so how is this protected if the Ansible Linux host gets compromised? How is this supposed to be secured?





The following example shows host vars configured for Kerberos authentication:

ansible_user: user...@MY.DOMAIN.COM
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: kerberos

Mark Janssen

Jul 31, 2019, 8:58:40 AM
to Neeraj Shah, Ansible Development
Either prompt for it from the command line, or use a password lookup like passwordstore or vault or something like that.

--
Mark Janssen  --  ma...@sig-io.nl
Unix / Linux Open-Source and Internet Consultant

Tony Chia

Jul 31, 2019, 12:57:21 PM
to Ansible Development
You can use Ansible Vault to encrypt the username and / password or any other sensitive information and place the encrypted value in the playbook/group_vars file so you can check it into version control.

Then during runtime, if you have the correct vault key, it will decrypt it on the fly.

If you really want to be secure but annoy your workers, you can encrypt the entire playbook/group_vars file.

Tony Chia
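
An added example, not part of the thread and not Ansible's own code: a small Python check that flags connection secrets stored as literals in host vars or an INI inventory, and accepts the vault-encrypted and lookup forms the replies above recommend. The sample values, the passwordstore path and the two extra variable names are assumptions made for illustration.

```python
import re

# Connection-secret variables to check. ansible_password is the one in this
# thread; the other two are added here as further candidates (assumption).
SECRET_KEYS = ("ansible_password", "ansible_become_password", "ansible_ssh_pass")
PAIR = re.compile(r"\b(?P<key>%s)\s*[:=]\s*(?P<val>\S*)" % "|".join(SECRET_KEYS))

def classify(first_token):
    """Classify a value by its first token: vault, templated, empty or plaintext."""
    if first_token.startswith("!vault"):
        return "vault"        # inline ansible-vault ciphertext
    bare = first_token.strip("'\"")
    if bare.startswith("{{"):
        return "templated"    # lookup plugin, prompted or vaulted variable
    return "plaintext" if bare else "empty"

def find_plaintext_secrets(text):
    """Return (line_number, key) for every secret stored as a literal."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out settings
        for match in PAIR.finditer(line):
            if classify(match["val"]) == "plaintext":
                findings.append((number, match["key"]))
    return findings

# Constructed samples: the host vars from the question, a protected variant,
# and a one-line INI inventory entry. None of the values are real.
PLAINTEXT_VARS = """\
ansible_user: svc_ansible@MY.DOMAIN.COM
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: kerberos
"""
PROTECTED_VARS = """\
ansible_password: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    <constructed placeholder, not real ciphertext>
ansible_become_password: "{{ lookup('passwordstore', 'windows/admin') }}"
"""
INI_INVENTORY = "win01 ansible_connection=winrm ansible_password=Password\n"

if __name__ == "__main__":
    for name in ("PLAINTEXT_VARS", "PROTECTED_VARS", "INI_INVENTORY"):
        print(name, find_plaintext_secrets(globals()[name]))
```

Run as a pre-commit or CI step over inventory and group_vars files, a non-empty result means a credential is about to be stored in the clear.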

Neeraj Shah

Aug 8, 2019, 9:40:49 AM
to Ansible Development
Thank you Tony and Mark. 