Scenario / Questions

It seems that there are only two reasonable approaches for the primary Ansible user:

  • Using root
  • Using another user (e.g., ansible) with NOPASSWD sudo access

The first option is a no-go since I cringe at the thought of keeping PermitRootLogin on. So, by default, the 2nd option seems to be the way to go.

I was thinking, at the very least, in /etc/ssh/sshd_config:

Match User ansible
    PasswordAuthentication No

And limiting key usage to the Ansible host by using the from option in authorized_keys:

from="192.168.100/24"

Any other ideas or issues/concerns with my thoughts so far?

Find below all possible solutions or suggestions for the above questions..

Suggestion: 1

Those are the measures that I use for clients that have to be managed remotely by ssh (in my case using BackupPC instead of Ansible, but it works the same way).

If you’re only using ssh to manage the clients, not for shell access, then it will improve security to add

AllowUsers ansible
PasswordAuthentication no

Suggestion: 2

You can have a user account that requires a password for SUDO access and provide that value at run-time via the --ask-sudo-pass flag (-K) for ansible-playbook

ansible-playbook -i inv/production -K playbook.yml

see http://docs.ansible.com/playbooks_intro.html for more details