Is it possible to use ansible without root password?

Lomic Legone

May 7, 2021, 5:40:01 AM
to Ansible Project
Hi all, I'm a newbie on ansible and I follow online tutos.

I installed 2 ubuntu VMs (named ubuntu1 and ubuntu2), one as node manager (ubuntu1) and the second one as simple node (ubuntu2). The ssh connection is tested and ok.

When I installed ubuntu, I was never asked for a root password, but only for the name/password for a simple user. But this user belongs to the sudoers group so it can do admin tasks. So all is ok.

The problem is that as I try to execute root tasks from ubuntu1 to ubuntu2 with ansible, even if the ubuntu2 user belongs to the sudoers group, ansible fails. And if I use the "-become" option, ansible asks me for the ubuntu2 root password that I don't know of course.

In fact I feel that the fact that ubuntu2 user has sudo privilege is useless.

So what should I do?

Thanks for your responses.

Dick Visser

May 7, 2021, 6:01:20 AM
to ansible...@googlegroups.com
Hi

On Fri, 7 May 2021 at 11:40, Lomic Legone <lomic....@gmail.com> wrote:
>
> Hi all, I'm a newbie on ansible and I follow online tutos.
>
> I installed 2 ubuntu VMs (named ubuntu1 and ubuntu2), one as node manager (ubuntu1) and the second one as simple node (ubuntu2). The ssh connection is tested and ok.
>
> When I installed ubuntu, I was never asked for a root password, but only for the name/password for a simple user. But this user belongs to the sudoers group so it can do admin tasks. So all is ok.

That is one thing. Depending on your config, you might also have to
provide the password to use sudo.

> The problem is that as I try to execute root tasks from ubuntu1 to ubuntu2 with ansible,

What are "root tasks"? Is this different from tasks that require sudo?

> even if the ubuntu2 user belongs to the sudoers group, ansible fails. And if I use the "-become" option, ansible asks me for the ubuntu2 root password that I don't know of course.

See above, this might be required on your config. Check the NOPASSWD
option in your sudoers configuration.

I assume the same username is used on both machines.





>
> In fact I feel that the fact that ubuntu2 user has sudo privilege is useless.
>
> So what should I do?
>
> Thanks for your responses.



--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Stuart Lowe

May 7, 2021, 9:28:35 AM
to ansible...@googlegroups.com

When you install ubuntu it will create a user in the sudoers group for you.

If you are using that user to ssh in and then elevating to root with sudo, you enter the password for that user.

Same with ansible: if you are using the user you created, you'd use that user's password to authenticate with become.

You can also set up ssh keys so you can ssh without a password and set up passwordless sudo for your ansible user.

--
Stuart Lowe
Cloud and Hosting Support Engineer
Zen Internet

Ravi Kumar Chintalapudi

May 8, 2021, 10:18:24 PM
to Ansible Project
Hello,
Yes, it's possible to use ansible without root password.
There are two ways you can do this.
1. Create a user and add that user to the sudo group. Let's say the username is ansible. These commands should be run as root on the ubuntu2 machine.
useradd ansible
usermod -aG sudo ansible
visudo

Once visudo opens, replace the line
%sudo   ALL=(ALL:ALL) ALL
with the line
%sudo   ALL=(ALL:ALL) NOPASSWD:ALL
so that the user ansible will not be prompted for a password when becoming a sudo user.

2. The same can be done with the ubuntu user as well.
Let me know if there is any ambiguity.
-Ravi Kumar

Lomic Legone

May 9, 2021, 1:35:45 PM
to Ansible Project
Below are some details and commands I wrote.

Before this, I
  • had to create a "mala" user on ubuntu2 (the node) with sudo privilege (during the ubuntu installation)
  • created a public/private key pair on ubuntu1 (the node manager) and I copied the public key to ubuntu2 with the ssh-copy-id command; it works well since I succeeded in making "ssh mala@ubuntu2" from ubuntu1

I never knew the root password on ubuntu2 (same thing on ubuntu1).

In the next commands, I tried to create an "ansible-user" on ubuntu2. I know it's useless since mala on ubuntu2 already exists, but I'm just following a tuto with a remote user creation. The action is not important, it is the failure which I don't understand.

grag@ubuntu1:~/ansible$ ansible localhost -i grt.inv -m debug -a "msg={{ 'passforce' | password_hash('sha512', 'secretsalt') }}"
localhost | SUCCESS => {
    "msg": "$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1"
}
grag@ubuntu1:~/ansible$ ansible -i grt.inv -m user -a 'name=user-ansible password=$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1' --user root --ask-pass all
SSH password:
ubuntu2 | FAILED! => {
    "msg": "to use the 'ssh' connection type with passwords, you must install the sshpass program"
}
grag@ubuntu1:~/ansible$ ansible -i grt.inv -m user -a 'name=user-ansible password=$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1' --user mala --ask-pass all
SSH password:
ubuntu2 | FAILED! => {
    "msg": "to use the 'ssh' connection type with passwords, you must install the sshpass program"
}
grag@ubuntu1:~/ansible$ more grt.inv
ubuntu2

grag@ubuntu1:~/ansible$



Note that for the ssh password, I typed mala's password on ubuntu2.

Dick Visser

May 10, 2021, 4:05:05 AM
to ansible...@googlegroups.com
On Sun, 9 May 2021 at 19:35, Lomic Legone <lomic....@gmail.com> wrote:
>
> Below are some details and commands I wrote.
>
> Before this, I
>
> had to create a "mala" user on ubuntu2 (the node) with sudo privilege (during the ubuntu installation)
> created a public/private key pair on ubuntu1 (the node manager) and I copied the public key to ubuntu2 with the ssh-copy-id command; it works well since I succeeded in making "ssh mala@ubuntu2" from ubuntu1
>
>
> I never knew the root password on ubuntu2 (same thing on ubuntu1).
>
> In the next commands, I tried to create an "ansible-user" on ubuntu2. I know it's useless since mala on ubuntu2 already exists, but I'm just following a tuto with a remote user creation. The action is not important, it is the failure which I don't understand.

You're having a problem with ansible and the privilege escalation,
and you're using a "tuto" that uses ansible to create
users/account/passwords/etc.
To me that sounds like adding more complexity to the mix rather than
reducing it.

Try to *manually* make sure the hosts meet the requirements and get
ansible to work.




>
> grag@ubuntu1:~/ansible$ ansible localhost -i grt.inv -m debug -a "msg={{ 'passforce' | password_hash('sha512', 'secretsalt') }}"
> localhost | SUCCESS => {
> "msg": "$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1"
> }
> grag@ubuntu1:~/ansible$ ansible -i grt.inv -m user -a 'name=user-ansible password=$6$secretsalt$X5YDmUgDphPxnMkByvHbNaiP4T5Uk0WjEZ9TukWKQnXmXN81jG3DcGZnNJiSz9ltgPhplH92HOR/RqgmyS.zN1' --user root --ask-pass all
> SSH password:
> ubuntu2 | FAILED! => {
> "msg": "to use the 'ssh' connection type with passwords, you must install the sshpass program"
> }

You're setting a root password which is not needed. So this error is
also irrelevant.

Lomic Legone

May 12, 2021, 12:47:56 PM
to Ansible Project
Thanks Ravi, you precisely do what a tuto did.
In fact, instead of manually adding the "%sudo   ALL=(ALL:ALL) NOPASSWD:ALL" line in /etc/sudoers of node machine, the tuto says to add this line with ansible, and the command is (I created a new ubuntu VM as a simple node (ubuntu3 with simon user, I used ssh-copy-id to copy my public key from ubuntu1 to ubuntu3)) :



grag@ubuntu1:~/ansible$ ansible -i grt.inv -m lineinfile -a "path=/etc/sudoers line='simon ALL=(ALL:ALL) NOPASSWD: ALL'" --become-method=su --become --ask-become-pass ubuntu3
BECOME password:
ubuntu3 | FAILED! => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"
    },
    "changed": false,
    "module_stderr": "Shared connection to ubuntu3 closed.\r\n",
    "module_stdout": "\r\nsu: Échec d'authentification\r\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
grag@ubuntu1:~/ansible$


FYI "Échec d'authentification" means "authentication failure"


What surprised me is that since I typed simon's password, and since simon is allowed to modify the /etc/sudoers file locally, why isn't he allowed to do the same thing from ansible ...?

Lomic Legone

May 17, 2021, 4:01:20 AM
to Ansible Project
I eventually managed to contact the tuto's author, who gave the response:

Just replace

--become-method=su

by

--become-method=sudo
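
The two fixes discussed in this thread (a NOPASSWD sudoers entry and `--become-method=sudo`) combined into one playbook, as an added example that is not from any of the posters or from the tutorial. It assumes the host `ubuntu3`, the user `simon` and the inventory `grt.inv` from the posts above; the playbook file name `nopasswd.yml` and the drop-in file name are hypothetical. It grants NOPASSWD to the one user in a `visudo`-validated drop-in rather than editing `/etc/sudoers` directly or opening up the whole `%sudo` group.

```yaml
# Added example, not from the thread. Host "ubuntu3" and user "simon" come
# from the posts; the file names nopasswd.yml and 90-ansible-simon are
# hypothetical.
#
# First run, while sudo still asks for a password:
#   ansible-playbook -i grt.inv nopasswd.yml --ask-become-pass
# At the BECOME prompt type simon's own password. sudo authenticates the
# calling user; su authenticates as the target user (root), and the root
# account is locked on a default Ubuntu install, hence the su failure above.
- name: Grant passwordless sudo to one automation user
  hosts: ubuntu3
  remote_user: simon
  become: true
  become_method: sudo
  gather_facts: false
  vars:
    sudo_user: simon
  tasks:
    - name: Install a validated sudoers drop-in instead of editing /etc/sudoers
      ansible.builtin.copy:
        # File names in /etc/sudoers.d must not contain a dot or end in "~".
        dest: "/etc/sudoers.d/90-ansible-{{ sudo_user }}"
        content: "{{ sudo_user }} ALL=(ALL:ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        # visudo parses the temporary copy first; on a syntax error the task
        # fails and the file is never moved into place, so a typo cannot
        # break sudo on the node.
        validate: /usr/sbin/visudo -cf %s

    - name: Confirm that sudo no longer prompts (sudo -n fails if it would)
      ansible.builtin.command: sudo -n true
      become: false
      changed_when: false
```

Once this has run, later plays against the host can use `become: true` without `--ask-become-pass`.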