Ansible doesn't appear to cache sudo auth for each task in a playbook... is this correct?

Hey all,

I’m hoping to use Ansible playbooks to automate a few tasks on my home network. My problem is that I use 2FA for authentication on all of my servers (using Yubikey). I’m quite happy to use key-based authentication for logging on to the servers, but I’d like to still require a one-time-password (OTP) to be entered for running privileged commands with sudo.

If I’m running commands with sudo on a server from the shell, sudo only prompts me the first time for a password / OTP value, after that it will be cached and I won’t need to enter it for subsequent commands. Ansible playbooks, from what I can see, are attempting to use the sudo password for every task, which won’t work because the OTP value can only be used once (by design).

Looks like this problem has been previously discussed here: https://github.com/ansible/ansible/issues/3969
The conclusion back in August 2013 was that there’s no support, and no plans to support, 2FA.

To be clear, this was 8 months ago.

We’d be up for considering it – but not likely implementing it as a free feature request.

–Michael

(Translation – patches would be considered, etc)

For anyone who stumbles across this thread in the future, and has the know-how to address the problem, it looks like sudo is explicitly told not to cache credentials in the make_sudo_cmd under lib/utils/init.py (it appends “sudo -k” which causes sudo’s cache to be flushed for every task).

I can’t see why using the cache would be a security concern, so I suspect flushing the cache is there to make things easier programmatically (sudo is always guaranteed to ask for a password), but that’s just a guess. Removing the “sudo -k” hasn’t worked (that would have been far too easy), so I’ll have to investigate more closely when I have some spare time to try and better understand Ansible’s code.

Having the ability to tell sudo to cache the password would be enough to allow Ansible to apply configuration to a single host that uses OTP for authentication, which is good enough for my purposes, but it obviously wouldn’t work when applying config across multiple hosts at the same time.

Thanks for your response Michael, I’ll see if I can get something working.

FYI - Some folks do consider the system caching sudo creds a security issue (whether or not that’s your opinion, we can’t cache by default). Making it configurable with appropriate warnings in ansible.cfg is ok.
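As an added illustration, not code from this thread or from Ansible itself, the snippet below shows the two behaviours the thread discusses: wrapping a task command in sudo with the per-task `sudo -k` flush, and reading an opt-out switch from an ansible.cfg-style file so the flush becomes configurable. The option name `sudo_flush_cache`, the prompt string and the sample config are assumptions made for the example.

```python
import configparser
import shlex

# Constructed ansible.cfg fragment. The "sudo_flush_cache" option is a
# hypothetical name for the configurable behaviour, not a real Ansible setting.
SAMPLE_CFG = """
[defaults]
sudo_flush_cache = no
"""

# Prompt string is an assumption; Ansible uses its own marker so it can
# recognise sudo's password request on stdout.
SUDO_PROMPT = "[sudo via ansible] password: "


def read_flush_setting(cfg_text, default=True):
    """Return True if sudo's credential cache should be flushed before every task.

    Defaults to flushing (the thread's cache-by-default concern): only an
    explicit "no" in the config disables the per-task flush.
    """
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    return parser.getboolean("defaults", "sudo_flush_cache", fallback=default)


def make_sudo_cmd(sudo_user, command, flush_cache=True):
    """Build the shell string that runs `command` as `sudo_user` via sudo.

    With flush_cache=True, "sudo -k" runs first and discards the cached
    timestamp, so sudo re-prompts on every task; a one-time OTP can't satisfy
    that repeated prompt. With flush_cache=False the timestamp survives, so one
    OTP entered for the first task covers later tasks until sudo's
    timestamp_timeout expires (the trade-off the reply above points out).
    """
    wrapped = " ".join(
        shlex.quote(part)
        for part in ["sudo", "-S", "-p", SUDO_PROMPT, "-u", sudo_user,
                     "/bin/sh", "-c", command]
    )
    if flush_cache:
        return "sudo -k && " + wrapped
    return wrapped


if __name__ == "__main__":
    flush = read_flush_setting(SAMPLE_CFG)
    print(make_sudo_cmd("root", "id", flush_cache=flush))
```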