How can I implement ansible with per-host passwords, securely?
Posted by supervacuo on Server Fault
Published on 2013-12-09T11:49:48Z
I would like to use ansible to manage a group of existing servers. I have created an ansible_hosts file, and tested successfully (with the -K option) with commands that only target a single host:
ansible -i ansible_hosts host1 --sudo -K # + commands ...
My problem now is that the user passwords on each host are different, but I can't find a way of handling this in Ansible.
Using -K, I am only prompted for a single sudo password up-front, which then seems to be tried for all subsequent hosts without prompting:
host1 | ...
host2 | FAILED => Incorrect sudo password
host3 | FAILED => Incorrect sudo password
host4 | FAILED => Incorrect sudo password
host5 | FAILED => Incorrect sudo password
Research so far:
- a StackOverflow question with one incorrect answer ("use -K") and one response by the author saying "Found out I needed passwordless sudo"
- the Ansible docs, which say "Use of passwordless sudo makes things easier to automate, but it’s not required." (emphasis mine)
- this security StackExchange question, which takes it as read that NOPASSWD is required
- article "Scalable and Understandable Provisioning...", which says: "running sudo may require typing a password, which is a sure way of blocking Ansible forever. A simple fix is to run visudo on the target host, and make sure that the user Ansible will use to login does not have to type a password"
- article "Basic Ansible Playbooks", which says "Ansible could log into the target server as root and avoid the need for sudo, or let the ansible user have sudo without a password, but the thought of doing either makes my spleen threaten to leap up my gullet and block my windpipe, so I don’t". My thoughts exactly, but then how to extend beyond a single server?
- ansible issue #1227, "Ansible should ask for sudo password for all users in a playbook", which was closed a year ago by mpdehaan with the comment "Haven't seen much demand for this, I think most people are sudoing from only one user account or using keys most of the time."
So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing passwords across hosts or enabling root SSH login all seem rather drastic reductions in security.
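One per-host layout that avoids NOPASSWD, reused passwords and root SSH login, added here as an example and not part of the original post: each host's sudo password lives in that host's host_vars file under the ansible_become_password inventory variable (ansible_sudo_pass in the Ansible 1.x that the question uses), and each of those files is encrypted with ansible-vault so only one vault password is ever typed. The host names are the question's; the password values are placeholders and the playbook name site.yml is assumed.

```yaml
# host_vars/host1.yml  (one file per inventory host, named after the host)
# Plaintext shown only for illustration; encrypt before committing:
#   ansible-vault encrypt host_vars/host1.yml
ansible_become_password: "PLACEHOLDER-sudo-password-for-host1"
---
# host_vars/host2.yml  (different password for this host; encrypt it too)
ansible_become_password: "PLACEHOLDER-sudo-password-for-host2"
---
# site.yml  (assumed playbook name)
# become: yes runs tasks via sudo; Ansible supplies the per-host password
# from that host's variables, so no NOPASSWD entry is needed in sudoers.
- hosts: all
  become: yes
  tasks:
    - name: example task run under sudo on every host
      command: /bin/true
---
# Run with the existing inventory file from the question; a single vault
# prompt unlocks every host's sudo password:
#   ansible-playbook -i ansible_hosts site.yml --ask-vault-pass
```

On Ansible 1.x replace ansible_become_password with ansible_sudo_pass in the host_vars files; ansible-vault itself is available from Ansible 1.5 onwards.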