How can I implement ansible with per-host passwords, securely?

Posted by supervacuo on Server Fault See other posts from Server Fault or by supervacuo
Published on 2013-12-09T11:49:48Z Indexed on 2014/05/26 21:32 UTC
Read the original article Hit count: 250

Filed under:
|
|

I would like to use ansible to manage a group of existing servers. I have created an ansible_hosts file, and tested successfully (with the -K option) with commands that only target a single host

ansible -i ansible_hosts host1 --sudo -K # + commands ...

My problem now is that the user passwords on each host are different, but I can't find a way of handling this in Ansible.

Using -K, I am only prompted for a single sudo password up-front, which then seems to be tried for all subsequent hosts without prompting:

host1 | ...
host2 | FAILED => Incorrect sudo password
host3 | FAILED => Incorrect sudo password
host4 | FAILED => Incorrect sudo password
host5 | FAILED => Incorrect sudo password

Research so far:

  • a StackOverflow question with one incorrect answer ("use -K") and one response by the author saying "Found out I needed passwordless sudo"

  • the Ansible docs, which say "Use of passwordless sudo makes things easier to automate, but it’s not required." (emphasis mine)

  • this security StackExchange question which takes it as read that NOPASSWD is required

  • article "Scalable and Understandable Provisioning..." which says:

    "running sudo may require typing a password, which is a sure way of blocking Ansible forever. A simple fix is to run visudo on the target host, and make sure that the user Ansible will use to login does not have to type a password"

  • article "Basic Ansible Playbooks", which says

    "Ansible could log into the target server as root and avoid the need for sudo, or let the ansible user have sudo without a password, but the thought of doing either makes my spleen threaten to leap up my gullet and block my windpipe, so I don’t"

    My thoughts exactly, but then how to extend beyond a single server?

  • ansible issue #1227, "Ansible should ask for sudo password for all users in a playbook", which was closed a year ago by mpdehaan with the comment "Haven't seen much demand for this, I think most people are sudoing from only one user account or using keys most of the time."

So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security.

© Server Fault or respective owner

Related posts about security

Related posts about sudo