Always have a user password that is required to run escalated privileges. If a bad actor gains access to one of your servers and it's possible to sudo without a password, then they can also `sudo su` and become the root user.

You'd think that this would make automation difficult, having to enter a password each time, but this is where the `ansible_become_pass` host variable comes in useful.

Create a yaml file somewhere and create a dictionary of hosts to sudo passwords:

```yaml
sudo_passwords:
```

There are options where you can keep this file, but here is my strategy. I keep the raw secrets file as a plaintext file in an encrypted volume, then add a symlink to a file in the root of your ansible project.

You could also keep this file in the root of the ansible project itself, and use ansible-vault to encrypt/decrypt in place. For this part, you will need the encryption password.

```
ansible-vault encrypt sudo_passwords.yaml
# Decrypt when you're using it
ansible-vault decrypt sudo_passwords.yaml
```

However, I just symlink, since my encrypted volume is only open when I need to do work.

In summary, to log in to Ubuntu 18.04 without a password, you can delete the password for the desired user account using the `sudo passwd -d username` command.

Be sure to keep this file out of version control.

```
~/my-ansible-project $ ln -s /path/to/vault/sudo_passwords.yaml
```

Sudo version 1.7.2 or newer is required to use the sudo resource, as it relies on the includedir directive introduced in version 1.7.2. This resource does not enforce installation of the required sudo version. However, consider the security implications and make sure to configure passwordless sudo or add a second account with administrative privileges if needed. Chef-supported releases of Ubuntu, SuSE, Debian, and RHEL (6+) all support this feature.

Then create a task partial to import the sudo passwords as the `ansible_become_pass` fact. Save to a file separate from any playbooks, as this can be imported to all playbooks.

```yaml
# Point to the passwords file relative to where the playbook file resides
```

Then import this task into any playbooks that require escalated privileges:

```yaml
- name: Playbook Name
  # Add a directory inside the root user's home for proof of concept
```

Note that for simplicity, the playbook, imported task and passwords file all reside in the same directory.

This, I believe, is a good balance of ease of automation and security.
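As an added example, not the author's actual files, here is one way the pieces described above could be written: the passwords file, the task partial that sets `ansible_become_pass` for the current host only, and a playbook that imports it before a task that needs root. The file name `load_sudo_password.yaml`, the host names and the password values are assumptions made for illustration.

```yaml
# --- sudo_passwords.yaml (constructed sample; encrypt it with ansible-vault
# --- and keep it out of version control)
sudo_passwords:
  webserver1: "example-sudo-password-1"
  dbserver1: "example-sudo-password-2"
---
# --- load_sudo_password.yaml (the task partial; assumed file name)
# Read the dictionary from the file next to the playbook, refuse to continue
# if this host is missing from it, then expose the host's entry as
# ansible_become_pass. include_vars decrypts a vaulted file transparently
# when a vault password is supplied.
- name: Read the sudo passwords file (relative to the playbook directory)
  ansible.builtin.include_vars:
    file: "{{ playbook_dir }}/sudo_passwords.yaml"
    name: sudo_secrets
  no_log: true          # keep the whole dictionary out of the task output

- name: Refuse to continue if this host has no entry in the file
  ansible.builtin.assert:
    that: inventory_hostname in sudo_secrets.sudo_passwords
    fail_msg: "no sudo password for {{ inventory_hostname }} in sudo_passwords.yaml"

- name: Set the become password for this host only
  ansible.builtin.set_fact:
    ansible_become_pass: "{{ sudo_secrets.sudo_passwords[inventory_hostname] }}"
  no_log: true          # never print the password
---
# --- site.yaml (a playbook that needs escalated privileges)
- name: Playbook Name
  hosts: all
  tasks:
    - name: Import the task partial so sudo works without a prompt
      ansible.builtin.import_tasks: load_sudo_password.yaml

    - name: Add a directory inside the root user's home for proof of concept
      become: true      # sudo with the ansible_become_pass set above
      ansible.builtin.file:
        path: /root/ansible-poc
        state: directory
        mode: "0700"
```

Only the task that carries `become: true` escalates; reading the file and setting the fact run without sudo, so the password is used exactly where root is needed.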