On Wed, Jan 15, 2014 at 11:00:34AM -0500, Michael DeHaan wrote:
> "Ok, but as I wrote several times, if ansible asks for the password, then
> it asks before checking sudo. So removing/adding "sudo -k" does not
> change this."
>
> Yes, because you are going to need to supply the password, it asks before
> sudo asks, and then feeds this in to sudo.
But then the visible interface does not change. If people run ansible
with ask_sudo_pass, ansible will ask for the password before it
proceeds. So there is nothing to worry about regarding whether or not
"sudo -k" is run.
> "Do they even use sudo password? "
>
> Yes, plenty of people do. It's an important feature to be able to support.
I think the feature is useful, too, but I wonder why there is no bug
report that ansible hangs when a sudo password is required and none
provided. E.g. the following code is missing (it depends on my previous
commit):
https://github.com/tyll/ansible/commit/64211947d12bf0a5a3cc3f642b2e2fbf98434bce
> "Did you look at the commit? There is not much code involved here"
>
> It's a little large for me. Also I really don't want to remove -k.
Most of the changes just pass the sudo_ask_pass_callback from the tools
to the connection plugin. And at the place where the connection plugin
calls the callback, it needs to raise an error anyhow (see the commit
mentioned previously).
> It is very very rare for someone to want to log in via normal SSH as a
> means of priming Ansible for being able to manage those systems, so I think
> this is really a niche kind of thing that we shouldn't concentrate on.
sudo supports this and probably for a reason. Therefore IMHO it is
better if ansible just lets admins configure sudo via sudoers instead of
hardcoding defaults in ansible that manipulate sudo defaults. E.g.
instead of running "sudo -k" in ansible one can just set the
timestamp_timeout to "0" to make sudo ask for a password every time. I
for example did not expect ansible to just ignore my sudo config.
Therefore it is not just about being able to prime ansible but also
about being flexible. For example this would be required to use ansible
with sudo and non-static passwords, e.g. using a yubikey for
authentication.
To address your concerns, maybe this commit helps:
https://github.com/tyll/ansible/commit/0bcf35c499141be5f2eac9f881c65795ff10620f
Here "sudo -k" is only run when a sudo password is provided to ensure
that it is always verified when it is provided.
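The sudoers setting referred to above, shown as an added example (not part of the original mail or of either linked commit). The user name `deploy` is an assumption; the `Defaults` syntax and the `timestamp_timeout` option are standard sudoers. The first stanza keeps the distribution default (cached credentials, typically a few minutes), which is the behaviour `sudo -k` is meant to override; the second makes sudo ask for the password on every invocation for the management account, so the same effect is reached in sudoers rather than by ansible issuing `sudo -k`:

```sudoers
# Weak for non-static credentials (e.g. one-time tokens): the sudo timestamp
# is cached, so a later "sudo" within the window does not re-prompt and a
# stale cached token may be reused. This is the usual distribution default.
Defaults        timestamp_timeout=5

# Per-user override (user name "deploy" is assumed): a timeout of 0 makes
# sudo prompt for the password on every invocation, so each run is verified
# against the current credential without any tool needing to run "sudo -k".
Defaults:deploy timestamp_timeout=0
```

Edit the file with `visudo` and validate it with `visudo -c` before relying on it; a syntax error in sudoers can lock out administrative access.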