Thomas G. Lau asked:
As the title says, it seems unsafe to run everything as root, especially since if the playbook server gets hacked it could ssh into any machine on the Ansible host list. What's the solution to this security problem?
I create a user specifically for Ansible's use, which can use passwordless sudo, but which has no defined password and requires an ssh key to log in. In this way, the account is privileged but it is not accessible remotely without the ssh key.
Alternately, you can create the ansible account with a password, and require the sudo password each time you run ansible.
You can create such a user like this:
    # Create user
    adduser ansible
    # Lock password, preventing password login (optional)
    passwd -l ansible
    # Expire any existing password, preventing password login (optional)
    chage -E 0 ansible
    # Ensure ansible can sudo without a password (optional)
    echo "ansible ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible
    # Create ansible's .ssh directory (mode 700, as sshd requires)
    mkdir -m 700 /home/ansible/.ssh
    # Insert your desired SSH keys here
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7/BSV84tCEQ8SSwygqjEVPFcH+G2JSFEdyuJI7A2iG email@example.com" > /home/ansible/.ssh/authorized_keys
    # Correct ownership of newly created files and directories
    chown -R ansible:ansible /home/ansible/.ssh
Adapt this as necessary to whatever process you use to bring up new server instances (kickstart, preseed, cloud-init, whatever).
I then set up ansible.cfg for passwordless sudo:

    [defaults]
    remote_user = ansible

    [privilege_escalation]
    become = True
    become_method = sudo
    become_user = root
    become_ask_pass = False
If you wish to require a sudo password to run playbooks, you can simply set become_ask_pass = True in ansible.cfg, and do not create /etc/sudoers.d/ansible as shown above.
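The answer above suggests adapting the user-creation steps to whatever provisioning system you use (kickstart, preseed, cloud-init). The following is an added example, not code from the answer's author, that renders the same locked, key-only automation account as a cloud-init `#cloud-config` document and the matching ansible.cfg. It assumes cloud-init's `users:` schema (`lock_passwd`, `sudo`, `ssh_authorized_keys`) and the `ansible` user name from the answer; the public key is the sample key from the answer and is validated before it is baked into an image, so a copy-paste error cannot silently produce an account nobody can log in to.

```python
import base64
import configparser
import io
import struct

# Sample key taken from the answer above; replace it with your own public key.
SAMPLE_PUBKEY = ("ssh-ed25519 "
                 "AAAAC3NzaC1lZDI1NTE5AAAAIB7/BSV84tCEQ8SSwygqjEVPFcH+G2JSFEdyuJI7A2iG "
                 "email@example.com")


def validate_pubkey(line):
    """Sanity-check an OpenSSH public key line and return its key type.

    Raises ValueError on malformed input: the base64 blob must decode, and the
    wire format's leading length-prefixed string must equal the declared type.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], parts[1]
    try:
        raw = base64.b64decode(blob, validate=True)
    except Exception as exc:
        raise ValueError(f"key material is not valid base64: {exc}")
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("embedded key type does not match declared type")
    return key_type


def cloud_config(pubkeys, user="ansible", passwordless_sudo=True):
    """Render a #cloud-config document creating the key-only automation user.

    lock_passwd disables password login (the passwd -l / chage -E 0 steps);
    the sudo rule mirrors /etc/sudoers.d/ansible from the answer.
    """
    for key in pubkeys:
        validate_pubkey(key)
    rule = "ALL=(ALL) NOPASSWD:ALL" if passwordless_sudo else "ALL=(ALL) ALL"
    lines = [
        "#cloud-config",
        "users:",
        f"  - name: {user}",
        "    shell: /bin/bash",
        "    lock_passwd: true",
        f'    sudo: "{rule}"',
        "    ssh_authorized_keys:",
    ]
    lines.extend(f"      - {key}" for key in pubkeys)
    return "\n".join(lines) + "\n"


def ansible_cfg(user="ansible", ask_sudo_pass=False):
    """Render the ansible.cfg from the answer; ask_sudo_pass=True is the
    variant that prompts for the sudo password on every run."""
    cfg = configparser.ConfigParser()
    cfg["defaults"] = {"remote_user": user}
    cfg["privilege_escalation"] = {
        "become": "True",
        "become_method": "sudo",
        "become_user": "root",
        "become_ask_pass": "True" if ask_sudo_pass else "False",
    }
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    print(cloud_config([SAMPLE_PUBKEY]))
    print(ansible_cfg())
```

Pair `cloud_config(..., passwordless_sudo=False)` with `ansible_cfg(ask_sudo_pass=True)` to get the password-prompting variant described at the end of the answer; the two settings must agree, or playbooks will either hang at a sudo prompt or fail with a permission error.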
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.