How can I implement ansible with per-host passwords, securely?
- by supervacuo
I would like to use ansible to manage a group of existing servers. I have created an ansible_hosts file, and tested successfully (with the -K option) with commands that only target a single host
ansible -i ansible_hosts host1 --sudo -K # + commands ...
My problem now is that the user passwords on each host are different, but I can't find a way of handling this in Ansible.
Using -K, I am only prompted for a single sudo password up-front, which then seems to be tried for all subsequent hosts without prompting:
host1 | ...
host2 | FAILED => Incorrect sudo password
host3 | FAILED => Incorrect sudo password
host4 | FAILED => Incorrect sudo password
host5 | FAILED => Incorrect sudo password
Research so far:
a StackOverflow question with one incorrect answer ("use -K") and one response by the author saying "Found out I needed passwordless sudo"
the Ansible docs, which say "Use of passwordless sudo makes things easier to automate, but it’s not required." (emphasis mine)
this security StackExchange question which takes it as read that NOPASSWD is required
article "Scalable and Understandable Provisioning..." which says:
"running sudo may require typing a password, which is a sure way of blocking Ansible forever. A simple fix is to run visudo on the target host, and make sure that the user Ansible will use to login does not have to type a password"
article "Basic Ansible Playbooks", which says
"Ansible could log into the target server as root and avoid the need for sudo, or let the ansible user have sudo without a password, but the thought of doing either makes my spleen threaten to leap up my gullet and block my windpipe, so I don’t"
My thoughts exactly, but then how to extend beyond a single server?
ansible issue #1227, "Ansible should ask for sudo password for all users in a playbook", which was closed a year ago by mpdehaan with the comment "Haven't seen much demand for this, I think most people are sudoing from only one user account or using keys most of the time."
So... how are people using Ansible in situations like these? Setting NOPASSWD in /etc/sudoers, reusing password across hosts or enabling root SSH login all seem rather drastic reductions in security.