Ansible doesn't appear to cache sudo auth for each task in a playbook... is this correct?

[Bowen Denning]

Hey all,

I'm hoping to use Ansible playbooks to automate a few tasks on my home network. My problem is that I use 2FA for authentication on all of my servers (using Yubikey). I'm quite happy to use key-based authentication for logging on to the servers, but I'd like to still require a one-time-password (OTP) to be entered for running privileged commands with sudo.

If I'm running commands with sudo on a server from the shell, sudo only prompts me the first time for a password / OTP value, after that it will be cached and I won't need to enter it for subsequent commands. Ansible playbooks, from what I can see, are attempting to use the sudo password for every task, which won't work because the OTP value can only be used once (by design).

---                                                                                                                                           

- name: testing                                                                                                                               

  hosts: test.example.net                                                                                                      

  sudo: yes                                                                                                                                   

  gather_facts: false                                                                                                                         

                                                                                                                                              

  tasks:                                                                                                                                      

    - name: tail /var/log/messages                                                                                                            

      action: command tail -n 5 /var/log/messages                                                                                             

                                                                                                                                              

    - name: tail /var/log/secure                                                                                                              

      action: command tail -n 5 /var/log/secure

In the above example, the first task would run using the provided sudo password (a value generated by pressing my Yubikey hardware token), however, any subsequent tasks will fail as the OTP value can only be used once.

If there's no way to make Ansible cache sudo access, then I'm guessing I'll have to use password-less sudo access for various tasks that I want to run in my playbooks? I'm definitely open to suggestions from others that might be using Ansible to manage systems requiring 2FA.

-

Bowen

[Bowen Denning]

Looks like this problem has been previously discussed here: https://github.com/ansible/ansible/issues/3969

The conclusion back in August 2013 was that there's no support, and no plans to support, 2FA.

-

Bowen

[Michael DeHaan]

To be clear, this was 8 months ago.

We'd be up for considering it -- but not likely implementing it as a free feature request.

--Michael

--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-deve...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Michael DeHaan]

(Translation -- patches would be considered, etc)

[Bowen Denning]

For anyone who stumbles across this thread in the future, and has the know how to address the problem, it looks like sudo is explicitly told not to cache credentials in the make_sudo_cmd under lib/utils/__init__.py  (it appends "sudo -k" which causes sudo's cache to be flushed for every task).

I can't see why using the cache would be a security concern, so I suspect flushing the cache is there to make things easier programatically (sudo is always guaranteed to ask for password) but that's just a guess. Removing the "sudo -k"  hasn't worked (that would have been far too easy) so I'll have to investigate more closely when I have some spare time to try and better understand Ansible's code.

Having the ability to tell sudo to cache the password would be enough to allow Ansible to apply configuration to a single host that uses OTP for authentication, which is good enough for my purposes, but it obviously wouldn't work when applying config across multiple hosts at the same time.

Thanks for your response Michael, I'll see if I can get something working.

-
Bowen

[Michael DeHaan]

FYI - Some folks do consider the system caching sudo creds a security issue (whether or not that's your opinion, we can't cache by default).   Making it configurable with appropriate warnings in ansible.cfg is ok.

--