Ansible automation on AIX with permitrootlogin no


ks Iam

Nov 8, 2019, 5:20:20 AM11/8/19
to Ansible Project
I'm working with my vendor to set up Ansible to harden my AIX servers. I was informed that Ansible requires logging in as root via SSH to perform the tasks, which means sshd_config has to enable PermitRootLogin, despite "PermitRootLogin no" being one item in the hardening checklist. The vendor's proposed solution is either to set root without a password and authenticate via public/private key, or to install the sudo rpm onto the box (AIX doesn't come with sudo by default). They don't recommend the latter method because IBM is not going to support it, as well as because of vulnerabilities that could possibly be found in it. I'm not an AIX expert and thus would like to know whether the claims are true.

Thinking to keep the hardening checklist intact, I'm exploring other alternatives and found "become" in the Ansible docs here. Can this be the solution to retain "PermitRootLogin no" on the server? Or else, how does everyone handle this?

Thanks!

Sam Doran

Nov 12, 2019, 10:54:08 AM11/12/19
to ansible...@googlegroups.com
Ansible does not need to log in as root. Most environments log in as a user account that has full sudo privileges.

I would argue that installing sudo is less of a risk than allowing direct root login via ssh, but I have never administered an AIX environment.

You could reach out to the AIX working group and see if they are able to offer any guidance.

---

Sam

ks Iam

Nov 13, 2019, 3:30:13 AM11/13/19
to Ansible Project
Apparently installing sudo is less of a risk, but we also take support into consideration, since sudo for AIX is considered open source software and will not be officially supported by IBM, which is required by my organization.
Going through one of the articles sourced from the AIX working group, the become plugin was recommended, which is a tool that leverages a privilege escalation command (sudo | su | pbrun | pfexec | doas | dzdo | ksu | runas | machinectl).

So now it leaves us with 2 options:
1. As our vendor proposed, to enable root login through SSH with no password, and authenticate with keys;
2. To rely on the Ansible become plugin with become method su (since sudo is not an option).

With that I would like to seek advice on which will be better in terms of security. Not sure whether this becomes an opinion-based question and is a bit off topic, but I appreciate any input.

Thanks!

Kai Stian Olstad

Nov 13, 2019, 9:10:57 AM11/13/19
to ansible...@googlegroups.com
On Wed, Nov 13, 2019 at 12:30:13AM -0800, ks Iam wrote:
> So now it leave us with 2 options:
> 1. as our vendor proposed, to enable root login through SSH with no
> password, and authenticate with keys;
> 2. To rely on Ansible become plugin with become method su (since sudo is
> not an option).
>
> With that I would like to seek advice on which will be the better in terms
> of security. Not sure whether this becomes an opinion based question and a
> bit out of topic though, but I appreciate any input.

If you log in as root, every task is run as root, but if you use su you can choose which task(s) to run as root.
And choosing su will preserve your wish in your first post to "keep the hardening checklist intact".

--
Kai Stian Olstad
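The "option 2" pattern discussed above (key-based SSH as an unprivileged user, PermitRootLogin left at "no", su-based escalation only on the tasks that need root), written out as an added example inventory and playbook. This is not code from the thread or from the Ansible project; the hostname, the service account name, the vault variable name and the AIX sshd path are assumptions.

```yaml
# Added example, not from the thread. Hostname, user, vault variable name
# and sshd path are assumptions.

# --- inventory.yml ---
all:
  hosts:
    aix01.example.internal:              # assumed hostname
  vars:
    ansible_user: ansible_svc            # assumed unprivileged account; logs in with an SSH key
    ansible_become_method: su            # sudo is not installed on AIX, so escalate with su
    ansible_become_user: root
    # root's password lives in an ansible-vault encrypted file (group_vars/all/vault.yml),
    # never in plaintext in the inventory or playbook.
    ansible_become_password: "{{ vault_aix_root_password }}"

# --- harden.yml ---
- name: Harden AIX host while keeping PermitRootLogin no
  hosts: all
  become: false                          # play default: run as ansible_svc, not root

  tasks:
    - name: Gather facts (no escalation needed)
      ansible.builtin.setup:

    - name: Read current PermitRootLogin setting (read-only, still unprivileged)
      ansible.builtin.command: grep -i '^PermitRootLogin' /etc/ssh/sshd_config
      register: prl
      changed_when: false
      failed_when: false                 # a missing line is reported, not treated as an error

    - name: Report what was found
      ansible.builtin.debug:
        msg: "sshd_config says: {{ prl.stdout | default('(no PermitRootLogin line)') }}"

    - name: Ensure PermitRootLogin no (this task alone escalates via su)
      become: true
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin'
        line: 'PermitRootLogin no'
        validate: /usr/sbin/sshd -t -f %s   # assumed sshd path on AIX
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      become: true                       # restarting the SRC subsystem also needs root
      ansible.builtin.service:
        name: sshd
        state: restarted
```

Run it with `ansible-playbook -i inventory.yml harden.yml --ask-vault-pass`; if you prefer not to store root's password at all, drop `ansible_become_password` and pass `--ask-become-pass` instead. The point Kai makes is visible in the structure: `become: false` at play level means only the tasks explicitly marked `become: true` ever run as root, and the su prompt is answered once per task rather than the whole session running under root's SSH session.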