Scenario / Questions
It seems that there are only two reasonable approaches for the primary Ansible user:
- Using another user (e.g.,
The first option is a no-go since I cringe at the thought of keeping PermitRootLogin on. So, by default, the 2nd option seems to be the way to go.
I was thinking, at the very least, in
Match User ansible
    PasswordAuthentication No
And limiting key usage to the Ansible host by using the from option in
Any other ideas or issues/concerns with my thoughts so far?
Find below all possible solutions or suggestions for the above questions.
Those are the measures that I use for clients that have to be managed remotely by ssh (in my case using BackupPC instead of Ansible, but it works the same way).
If you’re only using ssh to manage the clients, not for shell access, then it will improve security to add
AllowUsers ansible
PasswordAuthentication no
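The following is an added example, not part of the original question or answers: a small audit of an sshd_config text that resolves the effective settings for the automation user, including a Match User override, and reports which of the measures discussed above are missing. The sample config, the function names and the finding strings are constructed for illustration.

```python
# Constructed sample sshd_config for illustration (not from the original page).
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication yes
AllowUsers ansible alice

Match User ansible
    PasswordAuthentication no
"""

def effective_settings(config_text, user):
    """Resolve sshd keywords for `user`. A matching Match block overrides the
    global section; within each scope the first value seen wins.
    Simplifications: only 'Match User a,b' with literal names is understood,
    and AllowUsers is read from the global section only."""
    scopes = {"global": {}, "match": {}}
    allow_users, scope, active = [], "global", True
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            scope = "match"
            active = (len(args) == 2 and args[0].lower() == "user"
                      and user in args[1].split(","))
        elif not active:
            continue
        elif key == "allowusers" and scope == "global":
            allow_users += [a.split("@")[0] for a in args]
        else:
            scopes[scope].setdefault(key, " ".join(args).lower())
    return {**scopes["global"], **scopes["match"], "allowusers": allow_users}

def audit(config_text, user="ansible"):
    """Return findings for the measures discussed in this thread."""
    s = effective_settings(config_text, user)
    findings = []
    # Unset PasswordAuthentication means the OpenSSH default, which is "yes".
    if s.get("passwordauthentication", "yes") != "no":
        findings.append(f"password authentication is enabled for {user}")
    # The PermitRootLogin default varies by version, so require it explicitly.
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not explicitly set to no")
    if user not in s["allowusers"]:
        findings.append(f"{user} is not listed in AllowUsers")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On a live host, `sshd -T -C user=ansible` prints the settings sshd itself resolves for that user and is the authoritative check.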
You can have a user account that requires a password for sudo access and provide that value at run-time via the --ask-sudo-pass flag (-K) for ansible-playbook:
ansible-playbook -i inv/production -K playbook.yml
See http://docs.ansible.com/playbooks_intro.html for more details.