How to create user on remote machine and then configure the machine as this user?


Daniel Charbonneau
Apr 20, 2014, 4:24:25 PM4/20/14
to ansible...@googlegroups.com
The remote machine I am logging into currently only allows me to login via root, but I'd like to create another user and perform configurations as this user. I don't know how to do this, would someone point me to a few resources explaining this, or if someone is willing to explain via email, I would appreciate this too!

Strahinja Kustudić
Apr 20, 2014, 6:31:50 PM4/20/14
to ansible...@googlegroups.com
I'm not sure what exactly the problem is. You basically need to log in as root, create a user and then give it sudo permissions to run everything as root. For that I would recommend that you create a playbook for bootstrapping your server with something like this:
---
- hosts: servername
  remote_user: root
  tasks:
    - name: create ansible user for managing host
      user: name=ansible comment="Ansible User"

    - name: give ansible user sudo rights
      lineinfile: dest=/etc/sudoers
                  state=present
                  regexp='^ansible ALL\='
                  line='ansible ALL=(ALL) NOPASSWD:ALL'
                  validate='visudo -cf %s'
Then in ansible.cfg you set remote_user = ansible (so that you don't have to set remote_user in every playbook) and in playbooks use sudo: yes, like this:
---
- hosts: servername
  sudo: yes
  tasks:
    - name: ...

Adam Morris
Apr 21, 2014, 9:50:42 AM4/21/14
to ansible...@googlegroups.com
Yes... but please don't just copy that playbook.

That gives you a passwordless user that can run commands as root without a password. The user module can take a password hash, and authorized keys can also be set up.

Adam

Strahinja Kustudić
Apr 21, 2014, 10:02:39 AM4/21/14
to ansible...@googlegroups.com
As Adam mentioned, don't just copy this playbook, it is just an example and it is missing either setting a password, or an authorized_keys file for the ansible user.

I would also like to mention that having a user without a password which can run commands as root without typing a password is harmless. If a user doesn't have a password, no one can log in as that user.

Adam Morris
Apr 21, 2014, 10:15:17 AM4/21/14
to ansible...@googlegroups.com

I would have to check whether this would create an account with an empty password hash (bad) or an invalid password hash (good).

Either way it is either dangerous or useless as is. My personal preference would be to create a user account for yourself (avoid a role account), give it a password, distribute an authorized key and require a password for sudo. This is marginally less convenient in that you need to provide a password, but it aids auditing and allows for multiple admins to run ansible as themselves.

Adam

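The account layout Adam describes (a personal account rather than a role account, a real password hash, an authorized key, and sudo that still prompts for the password), written out as a bootstrap playbook. This is an added example, not code from the thread or from the Ansible project; the host name "servername", the user name "alice", the public key path, the vault variable name, and the use of a /etc/sudoers.d drop-in (which needs "#includedir /etc/sudoers.d" in /etc/sudoers, as most distributions ship) are assumptions.

```yaml
---
# Added example: bootstrap a personal admin account over the initial root login.
# Host name, user name, key path and vault variable name are assumptions.
- hosts: servername
  remote_user: root
  vars:
    admin_user: alice
    # A crypt(3) hash, e.g. from `mkpasswd --method=sha-512` or the
    # password_hash('sha512') filter; assumed to live in an Ansible Vault file.
    admin_password_hash: "{{ vault_admin_password_hash }}"
    # Public key read from the control machine; path is an assumption.
    admin_pubkey_path: /home/alice/.ssh/id_ed25519.pub
  tasks:
    - name: create a personal admin account with a real password hash
      user:
        name: "{{ admin_user }}"
        comment: "Admin account for Ansible runs"
        shell: /bin/bash
        # Without this parameter the user module leaves the account with a
        # locked password field, so it would have no usable password at all.
        password: "{{ admin_password_hash }}"

    - name: install the admin's public key so logins use keys, not the password
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', admin_pubkey_path) }}"

    - name: grant sudo but keep the password prompt (no NOPASSWD) for auditing
      lineinfile:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        create: yes
        mode: 0440
        regexp: "^{{ admin_user }} ALL="
        line: "{{ admin_user }} ALL=(ALL) ALL"
        # Reject the change if visudo cannot parse the temporary file.
        validate: "visudo -cf %s"
```

After this first run, set remote_user = alice in ansible.cfg and run later playbooks with sudo: yes plus the sudo password prompt (ansible-playbook site.yml -K), so every privileged change is tied to a named admin and their password rather than to a shared passwordless role account.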

Strahinja Kustudić
Apr 21, 2014, 11:23:49 AM4/21/14
to ansible...@googlegroups.com
User module doesn't set a password by default, so it will create a user without one :)

Francisco Reyes
Apr 21, 2014, 11:54:36 AM4/21/14
to ansible...@googlegroups.com
On Sunday, April 20, 2014 4:24:25 PM UTC-4, Daniel Charbonneau wrote:
The remote machine I am logging into currently only allows me to login via root, but I'd like to create another user and perform configurations as this user. I don't know how to do this, would someone point me to a few resources explaining this, or if someone is willing to explain via email, I would appreciate this too!

One additional comment to the original poster. If you are moving to have ansible manage the machine and don't need root logins anymore, don't forget to change
PermitRootLogin no

And restart ssh

If for any reason you still wanted the ansible machine to have access from root perhaps this may be an option:
#Allow only the monitoring machine to connect through root
Match Address #.#.#.# <--- where #.#.#.# is the IP from the ansible machine.
PermitRootLogin yes

I am currently using the above setup to get machines under ansible control quickly, while I learn better/safer ways to do it. If the machine only allows logins with ssh keys, I would suspect having root login from a single IP with a key may not be too bad an option.

Francisco Reyes
Apr 21, 2014, 12:02:07 PM4/21/14
to ansible...@googlegroups.com
On Monday, April 21, 2014 10:15:17 AM UTC-4, Adam Morris wrote:
>>....My personal preference would be to create a user account for yourself (avoid a role account) give it a password,
>> distribute an authorized key and require a password for sudo. This is marginally less convenient in that you need
>> to provide a password but aids auditing and allows for multiple admins to run ansible as themselves. 

Would this be secure?
* Setup target machines to only accept logins with ssh keys
* Set "PermitRootLogin no" in /etc/ssh/sshd_config
* At bottom of  /etc/ssh/sshd_config
#Allow only the monitoring machine to connect through root
Match Address #.#.#.# <--- where #.#.#.# is the IP of the ansible machine
PermitRootLogin yes

* Have a key WITH password in the ansible machine so one would need to put in the password, likely in ssh-agent, before the connections would work.

Would that be safe?

My environment, so far, is small enough that I am not doing cron jobs yet with ansible. Looking for the safest, yet manageable, way to get ansible implemented across a couple of clients. Currently I have the root key without a password, but I am thinking of adding a password to it for safety.

Strahinja Kustudić
Apr 21, 2014, 12:10:05 PM4/21/14
to ansible...@googlegroups.com
Add a key; that would also make it safer for you, since you would need to type a password before doing any changes on production servers.

What I would recommend though is that you just close down SSH in your firewall to all except addresses which are going to be used as managing servers. Either close it down with iptables, or even better in your network firewall or L3 switch with ACLs.

Francisco Reyes
Apr 21, 2014, 12:19:25 PM4/21/14
to ansible...@googlegroups.com
On Monday, April 21, 2014 12:10:05 PM UTC-4, Strahinja Kustudić wrote:
>>Add a key


ssh key? That is part of what I already

>> that would make it also safer for you, since you would need to type a password before doing any changes on production servers.

My plan is to have a key for the ssh key and then use ssh-agent.


>>What I would recommend though is that you just close down SSH in your firewall to all except addresses which are going to be used as managing servers

Very often not possible.
Depending on the size of an organization you may have:
Mobile users
Users working from home
Users from multiple offices

If my suggested approach worked, that would be a possible alternative for the original poster. In that case he would not even need to have a sudo user. Hence why I am asking if that suggested approach is considered safe from a "best practices" standpoint.

Strahinja Kustudić
Apr 21, 2014, 1:20:02 PM4/21/14
to ansible...@googlegroups.com
I just wanted to confirm that adding a pass-phrase to the ssh key is a good idea :)

Your suggestion with Match Address is cool and a great suggestion if a firewall is not an option, but if you ask me, disabling password authentication with PasswordAuthentication=no and using SSH keys for root to manage servers is as safe as using a sudo user instead, since it's not like someone would brute-force the root SSH key. But that is just my opinion, because I usually use RHEL. If you are on Debian/Ubuntu, you would probably use a sudo user.
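The sshd_config layout Francisco lists (key-only logins, PermitRootLogin no globally, a Match Address block at the bottom for the controller) together with the PasswordAuthentication=no setting Strahinja mentions, applied as a playbook that validates the file before writing it and restarts sshd afterwards. This is an added example, not code from the thread or the Ansible project; the host name, the controller address 192.0.2.10 (a placeholder from a documentation range), the sshd path and the service name are assumptions.

```yaml
---
# Added example: harden sshd for Ansible-only root access from one address.
# Host name, controller IP, sshd binary path and service name are assumptions.
- hosts: servername
  become: yes          # spelled "sudo: yes" in the 2014 syntax used in this thread
  vars:
    ansible_controller_ip: 192.0.2.10    # placeholder, replace with the controller's address
    sshd_service: sshd                   # "ssh" on Debian/Ubuntu
    sshd_bin: /usr/sbin/sshd
  tasks:
    # Global directives must precede any Match block, so a missing line is
    # inserted at the top of the file (insertbefore BOF) rather than appended
    # where it would silently become part of the Match section.
    - name: key-only logins and no root login by default
      lineinfile:
        dest: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        insertbefore: BOF
        validate: "{{ sshd_bin }} -t -f %s"
      with_items:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
      notify: restart sshd

    # blockinfile appends at EOF by default, which is exactly where a Match
    # block has to live; the markers let later runs replace the same block.
    - name: allow root only from the controller, and only with a key
      blockinfile:
        dest: /etc/ssh/sshd_config
        marker: "# {mark} ANSIBLE MANAGED: root access from the controller only"
        block: |
          Match Address {{ ansible_controller_ip }}
              PermitRootLogin yes
        validate: "{{ sshd_bin }} -t -f %s"
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: "{{ sshd_service }}"
        state: restarted
```

Because PasswordAuthentication is off globally and the Match block only re-enables PermitRootLogin, root from the controller still authenticates with a key; the validate step makes sshd parse the candidate file, so a typo never reaches the live config and locks you out mid-run.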