Isn't password declared in plain text under vars when using kerberos ?

Neeraj_Shah · July 30, 2019, 6:19pm

Hi All,
As per official docs, using ansible to manage windows hosts requires us to specify the password in plain text for ansible_winrm_transport variable in the hosts file or the group_vars file. My question or confusion is doesn’t security take a beating here ? In most cases we end up putting domain admin or local admin credentials here so how is this protected if the ansible linux host gets compromised ? How is this supposed to be secured ?

The following example shows host vars configured for Kerberos authentication:

ansible_user: username@MY.DOMAIN.COM
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: kerberos

jborean · July 30, 2019, 10:57pm

There are multiple ways you can get around this, you could;

Store the password in a vault file so the user would need to know the vault key when running your playbook
Use a lookup plugin to lookup the password during runtime
Don’t use a password at all, kerberos can use the existing ticket checked out with kinit before running the playbook
You shouldn’t have your password in plaintext at all, most of the time the docs only have it there just for documentation purposes.

Thanks

Jordan

Neeraj_Shah · July 31, 2019, 12:03am

Thank you Jordan.

Topic		Replies	Views
Password declaration in Clear text when using Kerberos ? Ansible Developer windows	3	0	August 8, 2019
looking for advice on storing connection passwords Ansible Project windows	2	0	July 6, 2018
Handling Windows Local Admin Passwords in Ansible? Ansible Developer windows , aws	5	1	March 15, 2016
Can Ansible authenticate to VMware with a Kerberos ticket Ansible Project vmware	0	1	April 25, 2017
Ansible Vault - Issues with Encrypting ansible_password Get Help windows , winrm , ansible-vault , ansible	5	692	April 18, 2024

Isn't password declared in plain text under vars when using kerberos ?

Related topics