Securing ansible - best practice?
107 views
Skip to first unread message
Chris Jefferies
Jun 21, 2017, 12:29:57 PM6/21/17
to Ansible Project
Hello.
I'm looking around for a best practice tutorial or document that describes how to configure our ansible server to deploy our applications to about 20 servers at a time. We call this group of servers a track. We have a growing number of tracks.
So I got Ansible installed but now I want to know how best to deploy keys to the 20 remote hosts. How do I automate the secure deployment of ssh keys to these hosts?
I see notes about how to set up user security for remote hosts but those are, as far as I can tell, assuming initial connectivity has been established.
Also, one of my work mates indicates that a secure remote host should have a user (ansible perhaps?) with restricted access that can only execute specific commands. I assume this happens by configuring the sudoers file. If we go there, it seems I need to allow specific applications like yum, python, file copies, etc for the ansible user.
So it seems to be a chicken and egg problem and now we're back to lots of pre-configuring each agentless host so that I can deploy apps and configs from a central ansible server.
How is everyone dispensing ssh keys and setting up ansible users so that we can have a secure and a not too tedious set up process.
BTW, our setup is mainly Redhat 6.x and 7.
Thanks in advance for any tips,
Chris.
Dick Davies
Jun 21, 2017, 3:05:46 PM6/21/17
to ansible list
There's a few options.
You can do a 'pre-seed' ssh key (added via Kickstart on in the VMware template;
on AWS you'd add this as the instance is created).
Ansible can use that to get in initially once the server is up and create more
users/groups as desired. Another option would be a central key system
like FreeIPA (Redhat do their own flavour with commercial support).
I've used both approaches and they work pretty well, but they won't really
help you on an existing site. Typically on those you already have some
form of remote access setup (how else are you managing the servers)?
In that event, I'd allow existing admins to use their own personal accounts
and grant them (ideally passwordless) sudo privileges. That way you get
an audit trail 'for free' and can easily revoke a given admins privileges
(a bit harder with a shared 'special' account).
Essentially, Ansible as a 'power tool' to run over SSH, but respect all
the security restrictions a typical SSH user would have, is a pretty easy
sell to most big corps (compared to the Chef/Puppet approach of a god-level
agent that wakes up every 30 minutes and potentially wreaks havoc).
I'd generally suggest giving 'full' sudo access, not specific commands;
for Ansible to work it needs to run Python and once you have that, you're
generally able to do whatever you want to the server anyway.
As I said, you still get to see what each user is up to in whatever central
logging solution you have (provided you're shipping /var/log/secure somehow).
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/c035d0c8-952f-4046-8f0f-d54b0ed37310%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
You can do a 'pre-seed' ssh key (added via Kickstart on in the VMware template;
on AWS you'd add this as the instance is created).
Ansible can use that to get in initially once the server is up and create more
users/groups as desired. Another option would be a central key system
like FreeIPA (Redhat do their own flavour with commercial support).
I've used both approaches and they work pretty well, but they won't really
help you on an existing site. Typically on those you already have some
form of remote access setup (how else are you managing the servers)?
In that event, I'd allow existing admins to use their own personal accounts
and grant them (ideally passwordless) sudo privileges. That way you get
an audit trail 'for free' and can easily revoke a given admins privileges
(a bit harder with a shared 'special' account).
Essentially, Ansible as a 'power tool' to run over SSH, but respect all
the security restrictions a typical SSH user would have, is a pretty easy
sell to most big corps (compared to the Chef/Puppet approach of a god-level
agent that wakes up every 30 minutes and potentially wreaks havoc).
I'd generally suggest giving 'full' sudo access, not specific commands;
for Ansible to work it needs to run Python and once you have that, you're
generally able to do whatever you want to the server anyway.
As I said, you still get to see what each user is up to in whatever central
logging solution you have (provided you're shipping /var/log/secure somehow).
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> To post to this group, send email to ansible...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/c035d0c8-952f-4046-8f0f-d54b0ed37310%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
Reiner Nippes
Jun 23, 2017, 6:53:37 AM6/23/17
to Ansible Project
Am Mittwoch, 21. Juni 2017 18:29:57 UTC+2 schrieb Chris Jefferies:
So I got Ansible installed but now I want to know how best to deploy keys to the 20 remote hosts. How do I automate the secure deployment of ssh keys to these hosts?
You deploy the public key of the ansible remote user to your servers. That's no problem since it is the public key.
When you loose your secret key (which should never leave your ansible server) you are in trouble.
For aws put something like this to your user-data:
#cloud-config
#
# more usefull things: https://cloudinit.readthedocs.io/en/latest/topics/examples.html
#
groups:
ansible
#
users:
- default # remove this if you don't want to have the default aws user (ec2-user|ubuntu)
- name: ansible
primary-group: ansible
lock_passwd: true
sudo: ALL=(ALL) NOPASSWD:ALL
ssh-authorized-keys:
- 'ssh-rsa <your ansible pub key here> ansible'
Reply all
Reply to author
Forward
0 new messages