Hello everybody
I am a new user in Ansible’s World so in my studies, I have some doubts about the best way to manage hosts with Ansible.
My question is… What is the most secure way to manage hosts with Ansible?
Some docs tell you to use ssh without a password from the Ansible server to the host and to use sudo without a password too (ansible ALL=NOPASSWD: ALL)
So in your opinion what is the best way?
Looks like you’ve got 2 different questions there, 1) what’s most secure way, and 2) what’s the “best” way.
NOPASSWD:ALL is certainly the most convenient way, but it probably isn’t the most secure. (You would need to ensure that the SSH private key is well secured, and probably only allowed to be used from a hardened bastion host (look at “man ssh_config” and the “from=” parameter – possibly also using a “command=” wrapper to check that arbitrary commands (as opposed to sftp and ansible-driven python and sudo invocations) are not accepted).)
If you don’t want to do that, you can have Ansible prompt for the su or sudo password (check out the --ask-pass and --ask-become options). That is a little more secure, although it’s quite a lot more “hassle”, unless you have a dynamic inventory source that can set the required ansible_ssh_user/ansible_ssh_pass/ansible_become_method/ansible_become_pass connection variables acquired from some “other source”.
Thanks for your help, Uditha Desilva
I am by far not an expert on ansible security. But after reading lots and lots of docs I went for the following:
- Use SSH keys with passphrase
- Store passphrase in ssh-agent if needed, and delete them afterwards
- Do *not* allow the ansible_user passwordless sudo
- Provide the sudo password (ansible_become_pass) in a host_vars file (host_vars/xyz for host xyz)
- Encrypt that host_vars file with ansible vault
- Store the ansible-vault passphrase in a file on my machine
I also do not use the same username on each host, but also store that in the host_vars file.
I also do not use the same ssh port on each machine, you guess it: stored in a host_vars file (although this is security by obscurity, it keeps the logs clean, i.e. script kiddies do not fill the logs with stupid attempts)
Just my 2 cents, YMMV.
Johannes
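A check in the spirit of Johannes's setup, added here as an example rather than code from the thread: it walks a host_vars directory and flags any file that stores ansible_become_pass or ansible_ssh_pass without the ansible-vault header, so a plaintext sudo password cannot slip into the repository unnoticed. The directory layout, host names and password below are constructed for the demonstration.

```shell
#!/bin/sh
# vault_check DIR: return 0 when every file under DIR that holds a
# connection or sudo secret is ansible-vault encrypted, 1 otherwise.
# Files written by `ansible-vault encrypt` start with "$ANSIBLE_VAULT;1.1;AES256",
# so a file with that first line is accepted as a whole; any other file
# must not carry a secret variable in plaintext.
vault_check() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            continue                      # whole file vaulted: fine
        fi
        if grep -Eq '^(ansible_become_pass|ansible_ssh_pass):' "$f"; then
            echo "plaintext secret in $f" >&2
            rc=1
        fi
    done
    return $rc
}

# make_sample good|bad: build a constructed host_vars directory and print
# its path. Per-host user and port may stay in plaintext; the sudo
# password must only ever appear inside a vaulted file.
make_sample() {
    d=$(mktemp -d)
    # host "xyz": its own user and ssh port, no secret
    printf 'ansible_user: deploy-xyz\nansible_port: 2222\n' > "$d/xyz"
    if [ "$1" = good ]; then
        # host "abc" as left by `ansible-vault encrypt host_vars/abc`
        # (real header line, constructed placeholder body, not real ciphertext)
        printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n' > "$d/abc"
    else
        # host "abc" with the sudo password committed in the clear
        printf 'ansible_user: deploy-abc\nansible_become_pass: hunter2\n' > "$d/abc"
    fi
    echo "$d"
}

# Stand-alone run: check a constructed bad tree, then a good one.
if [ "${0##*/}" != "sh" ] && [ -z "$VAULT_CHECK_NO_MAIN" ]; then
    vault_check "$(make_sample bad)"  || echo "bad tree rejected (expected)"
    vault_check "$(make_sample good)" && echo "good tree accepted"
fi
```

With the vault passphrase kept in a local file and `vault_password_file` set in ansible.cfg, this check can run as a pre-commit hook before playbooks ever reach a shared repository.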
Thanks, Johannes Kastl, for the help