Hi all,
I’m trying to use ansible in the following situation:
- key-based SSH login is enabled on all hosts
- passwordless sudo is disabled on all hosts (NOPASSWD is not used in /etc/sudoers)
- UNIX account (i.e. sudo) passwords are not reused between hosts
and my question is:
If this configuration is supported with ansible, how can I make it work?
If this is not supported with ansible, then what is the recommended approach?
I made a list of conflicting information on this point (including some from the ansible docs) for my ServerFault question — asked two weeks ago, and with 0 answers. In particular, I found GitHub issue #1227, which seems to be a feature request to support my exact use-case… closed a year ago with the comment “I think most people are sudoing from only one user account or using keys most of the time” (NB the question is not about keys or user accounts, but sudo passwords).
In short (please see the SF question or the GH Issue for more details), using -K asks for a single password which is tried on all hosts (obviously failing if passwords aren’t the same), and I can see no way of using command-line or configuration options to prompt for a password per-host.
I am not keen to enable passwordless sudo on any of the hosts I wish to manage — or to reuse a password across multiple hosts — as these seem like large sacrifices in security. I really want to be entering N passwords during a playbook run involving N hosts.
Many thanks in advance for your thoughts.
Cheers,
Carl
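Added example, not part of Carl's message or of any reply to it: one way to give every host its own sudo password without enabling NOPASSWD, without reusing a password, and without a single `-K` prompt that is tried everywhere, is to keep each host's privilege-escalation password in a per-host `host_vars` file that is encrypted with Ansible Vault. The single secret the operator types is then the vault password; each host's sudo password is decrypted in memory only when that host is reached. The host names, file names and password strings below are placeholders I chose for the illustration; `ansible_become_password` is Ansible's variable for the become/sudo password (`ansible_become_pass` is its alias; very old releases called it `ansible_sudo_pass`).

```yaml
# --- inventory.yml (contains no secrets) ---
all:
  children:
    webservers:
      hosts:
        web1.example.com:
        web2.example.com:

---
# --- host_vars/web1.example.com.yml ---
# Create and edit it through the vault so plaintext never sits on disk:
#   ansible-vault create host_vars/web1.example.com.yml
# The decrypted content is just this one variable:
ansible_become_password: "REPLACE-WITH-web1-sudo-password"

---
# --- host_vars/web2.example.com.yml (separate file, separate password) ---
#   ansible-vault create host_vars/web2.example.com.yml
ansible_become_password: "REPLACE-WITH-web2-sudo-password"

---
# --- site.yml: nothing password-specific is needed in the play itself ---
- hosts: webservers
  become: true
  tasks:
    - name: Example privileged task (placeholder)
      ansible.builtin.command: id

# Run with one vault prompt in place of -K; each host uses its own password:
#   ansible-playbook -i inventory.yml --ask-vault-pass site.yml
```

Because `host_vars` are resolved per host, the value supplied to sudo differs on each machine even though the operator is prompted once. Keep the vault password out of the command line and out of shell history (the `--ask-vault-pass` prompt, or a vault password file with restrictive permissions, rather than an environment variable), and keep `no_log` in mind for any task that might echo the variable.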