The remote machine I am logging into currently only allows me to login via root, but I’d like to create another user and perform configurations as this user. I don’t know how to do this, would someone point me to a few resources explaining this, or if someone is willing to explain via email, I would appreciate this too!
I’m not sure what exactly the problem is? You basically need to login as root, create a user and then give it sudo permissions to run everything as root. For that I would recommend that you create a playbook for bootstrapping your server with something like this:
---
- hosts: servername
  remote_user: root
  tasks:
    - name: create ansible user for managing host
      user: name=ansible comment="Ansible User"
    - name: give ansible user sudo rights
      lineinfile: dest=/etc/sudoers
                  state=present
                  regexp='^ansible ALL\='
                  line='ansible ALL=(ALL) NOPASSWD:ALL'
                  validate='visudo -cf %s'
Then in ansible.cfg you set remote_user = ansible (so that you don’t have to set remote_user in every playbook) and in playbooks use sudo: yes, like this:
Yes... but please don't just copy that playbook.
That gives you a passwordless user that can run commands as root without a password. The user module can take a password hash, and authorized keys can also be set up.
Adam
As Adam mentioned, don’t just copy this playbook, it is just an example and it is missing either setting a password, or an authorized_keys file for the ansible user.
I would also like to mention that having a user without a password which can run commands as root without typing a password is harmless. If a user doesn’t have a password, no one can log in as that user.
I would have to check whether this would create an account with an empty password hash (bad) or an invalid password hash (good).
Either way it is either dangerous or useless as is. My personal preference would be to create a user account for yourself (avoid a role account), give it a password, distribute an authorized key and require a password for sudo. This is marginally less convenient in that you need to provide a password, but it aids auditing and allows multiple admins to run ansible as themselves.
Adam
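The following is an added example, not a playbook from this thread, showing one way to do what Adam's reply recommends: a personal account with a real password hash, a distributed authorized key, and sudo that still prompts for a password. The host pattern, the user name "alice", the public key path, and the hash value are placeholders; replace them with your own before use.

```yaml
---
# Added example, not the thread's own playbook: bootstrap a personal admin
# account with a password hash, an authorized key, and sudo that still asks
# for a password. Host pattern, user name, key path and hash are placeholders.
- hosts: servername
  remote_user: root
  vars:
    admin_user: alice                         # personal account, not a shared "ansible" role account
    # Replace with a real SHA-512 crypt hash, e.g. the output of
    # `mkpasswd --method=sha-512` or of Ansible's password_hash('sha512') filter.
    # Never leave this empty: an empty hash field means "no password needed".
    admin_password_hash: "$6$PLACEHOLDER$PLACEHOLDER"
    admin_pubkey_file: ~/.ssh/id_ed25519.pub  # the admin's own public key on the control machine
  tasks:
    - name: create personal admin user with a password hash (never an empty one)
      user:
        name: "{{ admin_user }}"
        comment: "Admin user running Ansible"
        password: "{{ admin_password_hash }}"
        shell: /bin/bash
        state: present

    - name: install the admin's public key so SSH works without a password prompt
      authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', admin_pubkey_file) }}"
        state: present

    - name: grant sudo but keep the password prompt (no NOPASSWD) for auditing
      lineinfile:
        dest: "/etc/sudoers.d/{{ admin_user }}"
        create: yes
        owner: root
        group: root
        mode: "0440"
        regexp: "^{{ admin_user }} ALL="
        line: "{{ admin_user }} ALL=(ALL) ALL"
        validate: "visudo -cf %s"
        state: present
```

Run it once as root (`ansible-playbook -i inventory bootstrap.yml`). Afterwards set `remote_user = alice` under `[defaults]` in ansible.cfg, use `become: yes` (the newer spelling of the `sudo: yes` used in this thread) in your playbooks, and pass `--ask-become-pass` (`-K`) so Ansible can answer the sudo password prompt. Dropping the sudo file into /etc/sudoers.d with `visudo -cf` validation means a typo cannot break the main sudoers file.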
User module doesn’t set a password by default, so it will create a user without one.
One additional comment to the original poster… If you are moving to have ansible manage the machine and don’t need root logins anymore don’t forget to change
PermitRootLogin no
And restart ssh
If for any reason you still wanted the ansible machine to have access from root perhaps this may be an option:
#Allow only the monitoring machine to connect through root
Match Address #.#.#.#    <— where #.#.#.# is the IP from the ansible machine.
    PermitRootLogin yes
I am currently using the above setup to get machines under ansible control quickly… while I learn better/safer ways to do it. If the machine only allows logins with ssh keys I would suspect having root login from a single IP with a key may not be too bad an option.
Would this be secure?
- Setup target machines to only accept logins with ssh keys
- Set “PermitRootLogin no” in /etc/ssh/sshd_config
- At bottom of /etc/ssh/sshd_config
  #Allow only the monitoring machine to connect through root
  Match Address #.#.#.#    <— where #.#.#.# is the IP of the ansible machine
      PermitRootLogin yes
- Have a key WITH password in the ansible machine so one would need to put in the password, likely in ssh-agent, before the connections would work.
Would that be safe?
My environment, so far, is small enough that I am not doing cron jobs yet with ansible. Looking for the safest, yet manageable, way to get ansible implemented across a couple of clients. Currently I have the root key without a password, but I am thinking of adding a password to it for safety.
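As an added example (not from the thread), here is the sshd_config setup listed above applied with Ansible: key-only authentication, `PermitRootLogin no` globally, and a `Match Address` block at the bottom of the file that lets root in only from the control host and only with a key. Every write is validated with `sshd -t` before the service is restarted. The control-host IP (192.0.2.10 is a documentation-range placeholder), the host pattern and the service name are assumptions to adjust.

```yaml
---
# Added example, not from the thread: apply the sshd_config changes listed in
# the post (keys only, PermitRootLogin no globally, root allowed only from the
# Ansible control host via a Match block) with a syntax check before restart.
# Control-host IP, host pattern and service name are placeholders.
- hosts: servername
  remote_user: root
  vars:
    control_host_ip: 192.0.2.10     # placeholder: the Ansible machine's IP
    sshd_service: sshd              # "ssh" on Debian/Ubuntu
  tasks:
    - name: global sshd settings (kept above any Match block, which must stay last)
      lineinfile:
        dest: /etc/ssh/sshd_config
        # "^" anchors on column 0, so the indented line inside the Match block below is never touched
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        insertbefore: '^Match\s'    # falls back to end of file when no Match block exists yet
        validate: "sshd -t -f %s"
      loop:
        - { key: PubkeyAuthentication, value: "yes" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: ChallengeResponseAuthentication, value: "no" }   # PAM keyboard-interactive could still accept passwords
        - { key: PermitRootLogin, value: "no" }
      notify: restart sshd

    - name: allow root from the control host only, and only with a key
      blockinfile:
        dest: /etc/ssh/sshd_config
        marker: "# {mark} ANSIBLE MANAGED: root login from control host"
        block: |
          # Allow only the Ansible control machine to connect as root
          Match Address {{ control_host_ip }}
              PermitRootLogin without-password
        validate: "sshd -t -f %s"
      notify: restart sshd

  handlers:
    - name: restart sshd
      service:
        name: "{{ sshd_service }}"
        state: restarted
```

Before running this, confirm from the control host that key login as root already works, and keep that session open while the playbook runs; a failed validation stops the change, but a wrong `control_host_ip` would still lock you out. Generate the control host's key with `ssh-keygen -t ed25519`, which prompts for a passphrase, and load it with `ssh-add` so the agent answers the prompt once per session, as the last list item above describes.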
Add a key, that would make it also safer for you, since you would need to type a password before doing any changes on production servers.
What I would recommend though is that you just close down SSH in your firewall to all except addresses which are going to be used as managing servers. Either close it down with IPtables, or even better in your network firewall or L3 switch with ACLs.
Add a key
ssh key? That is part of what I already
that would make it also safer for you, since you would need to type a password before doing any changes on production servers.
My plan is to have a key for the ssh key and then use ssh-agent.
What I would recommend though is that you just close down SSH in your firewall to all except addresses which are going to be used as managing servers
Very often not possible.
Depending on the size of an organization you may have:
Mobile users
Users working from home
Users from multiple offices
If my suggested approach worked, that would be a possible alternative for the original poster. In that case he would not even need to have a sudo user. Hence why I am asking if that suggested approach is considered safe from a “best practices” standpoint.
I just wanted to confirm that adding a pass-phrase to the ssh key is a good idea
Your suggestion with Match Address is cool and a great suggestion if a firewall is not an option, but if you ask me, disabling password authentication with PasswordAuthentication=no and using SSH keys for root to manage servers is as safe as using a sudo user instead, since it’s not like someone would brute-force the root SSH key. But that is just my opinion, because I usually use RHEL. If you are on Debian/Ubuntu, you would probably use a sudo user.