Does Ansible have to share root key between nodes and Ansible playbook server?

Thomas G. Lau asked:

As title, it seems not safe to run everything on root, especially when playbook server get hacked and it could ssh into any machines on the Ansible host list, what’s the solution for this security problem?

My answer:

I create a user specifically for the use of ansible, which can use passwordless sudo, but which has no defined password and requires an ssh key to login. In this way, the account is privileged but it is not accessible remotely without the ssh key.

Alternately, you can create the ansible account with a password, and require the sudo password each time you run ansible.

You can create such a user like this:

# Create user
adduser ansible

# Lock password preventing password login (optional)
passwd -l ansible

# Expire any existing password, preventing password login (optional)
chage -E 0 ansible

# Ensure ansible can sudo without a password (optional)
echo "ansible ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible

# Create ansible's .ssh directory
mkdir -m 700 /home/ansible/.ssh

# Insert your desired SSH keys here
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7/BSV84tCEQ8SSwygqjEVPFcH+G2JSFEdyuJI7A2iG" > /home/ansible/.ssh/authorized_keys

# Correct ownership of newly created files and directories
chown -R ansible.ansible /home/ansible/.ssh

Adapt this as necessary to whatever process you use to bring up new server instances (kickstart, preseed, cloud-init, whatever).

I then set up ansible.cfg for passwordless sudo:

remote_user = ansible

become = True
become_method = sudo
become_user = root
become_ask_pass = False

If you wish to require a sudo password to run playbooks, you can simply set become_ask_pass = True in ansible.cfg, and do not create /etc/sudoers.d/ansible as shown above.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.