Best way to manage hosts with Ansible (security)


Vamberto Junior

Mar 23, 2016, 8:11:59 AM
to Ansible Project
Hello everybody,

I am a new user in Ansible's World so in my studies, I have some doubts about the best way to manage hosts with Ansible.

My question is: what is the most secure way to manage hosts with Ansible?

Some docs say to use SSH without a password from the Ansible server to the host, and to use sudo without a password too (ansible ALL=NOPASSWD: ALL).

So, in your opinion, what is the best way?

Uditha Desilva

Mar 23, 2016, 9:35:40 AM
to Ansible Project
Looks like you've got 2 different questions there: 1) what's the most secure way, and 2) what's the "best" way.

NOPASSWD:ALL is certainly the most convenient way, but it probably isn't the most secure. You would need to ensure that the SSH private key is well secured, and probably only allowed to be used from a hardened bastion host (look at "man ssh_config" and the "from=" parameter; possibly also using a "command=" wrapper to check that arbitrary commands, as opposed to sftp and ansible-driven python and sudo invocations, are not accepted).

If you don't want to do that, you can have Ansible prompt for the su or sudo password (check out the --ask-pass and --ask-become options). That is a little more secure, although it's quite a lot more "hassle", unless you have a dynamic inventory source that can set the required ansible_ssh_user/ansible_ssh_pass/ansible_become_method/ansible_become_pass connection variables acquired from some "other source".

Vamberto Junior

Mar 23, 2016, 10:07:09 AM
to ansible...@googlegroups.com
Thanks for your help, Uditha Desilva :)

--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/WBoOnat-LFk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/a7e5bfbc-42c7-40eb-b2bb-c4efaabc2160%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.



--
Att

Vamberto Rocha JR




Johannes Kastl

Mar 27, 2016, 3:19:11 PM
to ansible...@googlegroups.com
On 23.03.16, Vamberto Junior wrote:

> So in your opinion what is the best way ?

I am by far not an expert on ansible security. But after reading lots
and lots of docs I went for the following:

- Use SSH keys with passphrase
- Store passphrase in ssh-agent if needed, and delete them afterwards
- Do *not* allow the ansible_user passwordless sudo
- Provide the sudo password (ansible_become_pass) in a host_vars file (host_vars/xyz for host xyz)
- Encrypt that host_vars file with ansible vault
- Store the ansible-vault passphrase in a file on my machine

I also do not use the same username on each host, but also store that
in the host_vars file.
I also do not use the same ssh port on each machine; you guessed it:
stored in a host_vars file (although this is security by obscurity, it
keeps the logs clean, i.e. script kiddies do not fill the logs with
stupid attempts).

Just my 2 cents, YMMV.

Johannes
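A small check for the layout Johannes describes (per-host ansible_user, ansible_port and ansible_become_pass in a host_vars file that is encrypted with ansible-vault), added here as an example and not code from the thread: it walks host_vars/ and group_vars/ and flags any file that carries a connection password without being vault-encrypted, so a forgotten `ansible-vault encrypt` is caught before the file is committed. The host names, usernames and passwords in the sample tree are constructed.

```python
# Flags Ansible vars files that keep a connection secret in plaintext. Layout as in
# the thread: ansible_become_pass lives in host_vars/<host>, encrypted with ansible-vault.
import os
import tempfile

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of a vault-encrypted file
SECRET_KEYS = ("ansible_become_pass", "ansible_ssh_pass", "ansible_password")

def check_vars_file(path, label=None):
    """Return findings for one vars file; an empty list means it is fine."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if text.startswith(VAULT_HEADER):
        return []  # whole file is encrypted, nothing readable here
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key = line.split(":", 1)[0].strip()
        # an inline '!vault' value is encrypted too and is not flagged
        if key in SECRET_KEYS and "!vault" not in line:
            findings.append(f"{label or path}:{lineno}: {key} stored in plaintext")
    return findings

def check_inventory_tree(root):
    """Walk host_vars/ and group_vars/ under root and collect all findings."""
    findings = []
    for sub in ("host_vars", "group_vars"):
        directory = os.path.join(root, sub)
        for name in sorted(os.listdir(directory)) if os.path.isdir(directory) else []:
            findings.extend(check_vars_file(os.path.join(directory, name), f"{sub}/{name}"))
    return findings

def build_sample_tree():
    """Write a constructed host_vars tree to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="ansible-inv-")
    os.makedirs(os.path.join(root, "host_vars"))
    samples = {
        # xyz: encrypted with ansible-vault (header real, ciphertext constructed)
        "xyz": "$ANSIBLE_VAULT;1.1;AES256\n6562616263646566\n",
        # abc: never encrypted, so the sudo password is readable by anyone with the repo
        "abc": "ansible_user: deploy_abc\nansible_port: 2222\nansible_become_pass: s3cret\n",
        # web: no secrets at all, plaintext is acceptable
        "web": "ansible_user: deploy_web\nansible_port: 22\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, "host_vars", name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in check_inventory_tree(build_sample_tree()):
        print(finding)  # host_vars/abc:3: ansible_become_pass stored in plaintext
```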


Vamberto Junior

Mar 27, 2016, 5:16:48 PM
to ansible...@googlegroups.com
Thanks, Johannes Kastl, for the help :)
