Password declaration in Clear text when using Kerberos ?
Hi All,
As per the official docs, using Ansible to manage Windows hosts requires us to specify the password in plain text for the ansible_winrm_transport variable in the hosts file or the group_vars file. My question or confusion is: doesn't security take a beating here? In most cases we end up putting domain admin or local admin credentials here, so how is this protected if the Ansible Linux host gets compromised? How is this supposed to be secured?

The following example shows host vars configured for Kerberos authentication:

ansible_user: username@MY.DOMAIN.COM
ansible_password: Password
ansible_connection: winrm
ansible_winrm_transport: kerberos

Either prompt for it from the command line, or use a password lookup like passwordstore or vault or something like that.


You can use Ansible Vault to encrypt the username and/or password or any other sensitive information and place the encrypted value in the playbook/group_vars file, so you can check it into version control.

Then, during runtime, if you have the correct vault key it will decrypt it on the fly.

If you really want to be secure, but also annoy your workers, you can encrypt the entire playbook/group_vars file.

Tony Chia
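A worked version of Tony's suggestion, added here and not taken from the thread or from the Ansible docs: the host_vars file keeps the Kerberos settings from the original post, but ansible_password holds an ansible-vault encrypted string instead of the clear-text value, so the file can be committed while the password itself never lands in the repository. The file name and the vault-id label `winrm` are assumptions, and the ciphertext lines are a placeholder, not real vault output.

```yaml
# host_vars/winhost01.yml  (file name assumed for this example)
#
# Create the encrypted value once, on a workstation, with:
#   ansible-vault encrypt_string --vault-id winrm@prompt 'Password' --name 'ansible_password'
# and paste the printed "!vault |" block in place of the placeholder below.
ansible_user: username@MY.DOMAIN.COM
ansible_connection: winrm
ansible_winrm_transport: kerberos
ansible_password: !vault |
  $ANSIBLE_VAULT;1.2;AES256;winrm
  PLACEHOLDER_CIPHERTEXT_LINE_1_REPLACE_WITH_REAL_OUTPUT
  PLACEHOLDER_CIPHERTEXT_LINE_2_REPLACE_WITH_REAL_OUTPUT
```

Run with `ansible-playbook --vault-id winrm@prompt site.yml` so the vault password is typed at run time rather than stored on the controller; a vault password file on disk would give an attacker who compromises that host the same access as the clear-text password, which is the risk the original question raises.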

Thank you Tony and Mark.