Ansible best practice - multiple administrators

Hello,

I would like to ask what the best practice is for handling multiple Ansible administrators from a security perspective.
We would like to log in with SSH keys to both the control machine and the remotes.

Is the best way to do this:

  1. Create an account for every administrator on the control machine and then just use BECOME to SSH to remote hosts with one general account with sudo rights on the remotes? With this solution, the only private key stored on the control machine would be the one for the general user.

  2. Create a separate account for every administrator on the control and remote machines and let them SSH to the remotes with their own accounts? This solution basically means we would have to store private keys for each administrator on the control machine.
    Every administrator already has an SSH key and we would like to use these existing ones.

How insecure is it to use passwordless sudo with the second approach?

Thank you for your help.

I prefer option 2 because everyone has their own keys, accounts and sudo permissions. You should use passwords with the SSH keys to prevent others from using other users' keys.

How about forwarding the authentication agent connection?
This avoids having to store private keys on your management station.

Dick
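
A check for the agent-forwarding setup suggested in the last reply, added here as an example and not posted by anyone in the thread: it scans a directory on the control machine for stored private-key files and reports whether the current session has an agent socket. The function names and the `/home` default are assumptions.

```shell
#!/bin/sh
# Added example: audit a control machine that is meant to hold no private keys
# because administrators forward their SSH agent to it.

# Print every file under DIR that contains a private-key PEM header
# (OpenSSH, RSA, EC, DSA, ENCRYPTED or plain PKCS#8 "PRIVATE KEY").
find_private_keys() {
    _dir=$1
    [ -d "$_dir" ] || return 0
    # grep -l exits 1 when nothing matches, which find propagates; not an error here.
    find "$_dir" -type f -exec \
        grep -l -E -e '-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----' {} + 2>/dev/null || :
}

# True when this session has an agent socket (set by ssh -A / ForwardAgent
# or by a local ssh-agent).
agent_socket_present() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Return 1 and list the files if any private key is stored under DIR.
audit_control_host() {
    _found=$(find_private_keys "$1")
    if [ -n "$_found" ]; then
        printf 'private key material stored on control machine:\n%s\n' "$_found"
        return 1
    fi
    agent_socket_present || printf 'note: no agent socket in this session\n'
    printf 'no private keys found under %s\n' "$1"
    return 0
}

# Run the audit only when asked, e.g.:  sh audit.sh --run /home
if [ "${1:-}" = "--run" ]; then
    audit_control_host "${2:-/home}"
fi
```

A forwarded agent socket can be used by root on the control machine for as long as the session lasts, so the scan covers stored keys only.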