How can I implement ansible with per-host passwords, securely?

You’ve certainly done your research…

From all of my experience with ansible what you’re looking to accomplish, isn’t supported. As you mentioned, ansible states that it does not require passwordless sudo, and you are correct, it does not. But I have yet to see any method of using multiple sudo passwords within ansible, without of course running multiple configs.

So, I can’t offer the exact solution you are looking for, but you did ask…

“So… how are people using Ansible in situations like these? Setting
NOPASSWD in /etc/sudoers, reusing password across hosts or enabling
root SSH login all seem rather drastic reductions in security.”

I can give you one view on that. My use case is 1k nodes in multiple data centers supporting a global SaaS firm in which I have to design/implement some insanely tight security controls due to the nature of our business. Security is always balancing act, more usability less security, this process is no different if you are running 10 servers or 1,000 or 100,000.

You are absolutely correct not to use root logins either via password or ssh keys. In fact, root login should be disabled entirely if the servers have a network cable plugged into them.

Lets talk about password reuse, in a large enterprise, is it reasonable to ask sysadmins to have different passwords on each node? for a couple nodes, perhaps, but my admins/engineers would mutiny if they had to have different passwords on 1000 nodes. Implementing that would be near impossible as well, each user would have to store there own passwords somewhere, hopefully a keypass, not a spreadsheet. And every time you put a password in a location where it can be pulled out in plain text, you have greatly decreased your security. I would much rather them know, by heart, one or two really strong passwords than have to consult a keypass file every time they needed to log into or invoke sudo on a machine.

So password resuse and standardization is something that is completely acceptable and standard even in a secure environment. Otherwise ldap, keystone, and other directory services wouldn’t need to exist.

When we move to automated users, ssh keys work great to get you in, but you still need to get through sudo. Your choices are a standardized password for the automated user (which is acceptable in many cases) or to enable NOPASSWD as you’ve pointed out. Most automated users only execute a few commands, so it’s quite possible and certainly desirable to enable NOPASSWD, but only for pre-approved commands. I’d suggest using your configuration management (ansible in this case) to manage your sudoers file so that you can easily update the password-less commands list.

Now, there are some steps you can take once you start scaling to further isolate risk. While we have 1000 or so nodes, not all of them are ‘production’ servers, some are test environments, etc. Not all admins can access production servers, those than can though use their same SSO user/pass|key as they would elsewhere. But automated users are a bit more secure, for instance an automated tool that non-production admins can access has a user & credentials that cannot be used in production. If you want to launch ansible on all nodes, you’d have to do it in two batches, once for non-production and once for production.

We also use puppet though, since it’s an enforcing configuration management tool, so most changes to all environments would get pushed out through it.

Obviously, if that feature request you cited gets reopened/completed, what you’re looking to do would be entirely supported. Even then though, security is a process of risk assessment and compromise. If you only have a few nodes that you can remember the passwords for without resorting to a post-it note, separate passwords would be slightly more secure. But for most of us, it’s not a feasible option.

Related Posts:

  1. what is a auth_user_file.txt?
  2. How to view PHP on live site
  3. Is moving wp-config outside the web root really beneficial?
  4. Hide the fact a site is using WordPress?
  5. Verifying that I have fully removed a WordPress hack?
  6. Can I Prevent Enumeration of Usernames?
  7. Best way to eliminate xmlrpc.php?
  8. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  9. Should I remove install.php and install-helper.php?
  10. Are Nonces Useless?
  11. What is the difference between esc_html filter vs attribute_escape filter?
  12. How do I technically prove that WordPress is secure?
  13. Which KSES should be used and when?
  14. How do WordPress Nonces Work?
  15. How can I easily verify a core or plugin update has not broken anything?
  16. Disable comment windows for all existing posts (pages/blogposts)
  17. Generate WordPress salt
  18. Stop wordpress automatically escaping $_POST data
  19. Secure my “add_settings_field” translation?
  20. how can i embed wordpress backend in iframe
  21. Handling nonces for actions from guests to logged-in users
  22. WordPress Logout Only If User Click Logout or If User Delete Browser History
  23. Can I force a password change?
  24. How brute-forcer knows that the password is cracked for target username?
  25. What is pclzip.lib.php file that wordfence think it’s a malicious code
  26. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  27. How to disable XML-RPC from Linux command-line in a total way?
  28. How to remove javascript malware in wordpress site [closed]
  29. Completely remove the author url
  30. Securing my WordPress Files and Directories
  31. About WordPress site security
  32. Single sign-on: wp_authenticate_user vs wp_authenticate
  33. How to allow internal links using wp_kses filtration
  34. How does Cross Site Scripting (XSS) work exactly? [closed]
  35. Relative security of different releases of WordPress
  36. How does the “authentication unique keys and salts” feature work?
  37. vs WordPress Security
  38. esc_html__ security : what for in this example?
  39. Using HTACCESS for Secret Access
  40. wp-config.php being written by attacker
  41. Definitive wordpress directory ownership and permissions on linux
  42. XML-RPC errors they know my username?
  43. Is [admin / admin] acceptable for all local websites?
  44. Simple Online Payment for Event Registration [closed]
  45. What may be causing failure of auto-install features in WordPress (v3.0.3)?
  46. Client side HTTP parameter pollution (reflected)
  47. Local file inclusion critical security issue [closed]
  48. Malware script in database post table only? [closed]
  49. Best practices to assert current_user_can() with guests
  50. wordpress website host price and security [closed]
  51. XMLRPC slow and weird websites/services
  52. Are there security risks in working directly in the themes folder that builds into a theme folder?
  53. Is it safe to hand over the admin rights?
  54. how much information can we hide when using wordpress cms?
  55. How to find exploited wordpress plugin [closed]
  56. How I can open back door for myself?
  57. Basic password protection without using users and roles
  58. System setting changed by system user
  59. Does meta-data need to be sanitized?
  60. How can I force a specific password?
  61. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  62. Who updates the wp-admin/core file?
  63. How WordPress sanitizes post content on save? Or it doesn’t?
  64. Does this code indicate an exploit?
  65. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  66. How to prevent to direct access of my custom plugin folder/files
  67. Checking for origin of a xmlrpc request
  68. RESTRICT EDIT of PHP files?
  69. wp-content – permissions for files/folders created by apache
  70. How can I restrict access to specific parts of a page, not just the page itself?
  71. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  72. User generated content and security
  73. Monitor wordpress all external calls
  74. HSTS header not being added correctly
  75. how to protect wordpress content from crawler
  76. Securing WordPress running on Azure platform
  77. Can WordPress admin user + database credentials be used to gain Cpanel or FTP access?
  78. Should I worry about SQL injection when using REST API?
  79. Spam Registrations
  80. Links to root domain from search engines don’t work, but direct links and links from other referrers do
  81. How can I backup my site if it gets hacked?
  82. How can I have more confidence that WP plugins aren’t getting and storing user data?
  83. Standard Method for Securing a WordPress Site
  84. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  85. Secure Multiple WordPress Installations on shared hosting
  86. Any way to disable /wp-login.php redirecting to the site folder?
  87. Able to go to WordPress admin even after deleting auth cookies from request headers
  88. Is WordPress ready for GDPR compliance? [closed]
  89. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  90. Secure a WordPress website in 2019: one plugin or a combinations of them?
  91. What are the different types of firewall protections available for a WordPress website?
  92. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  93. Is this a WordPress security bug?
  94. Competitor is somehow accessing MetaData on a hidden WordPress site
  95. WordPress Hacks/Defacing [closed]
  96. Bank account number and Sort Code in a form [closed]
  97. How do you search for backdoors from the previous IT person?
  98. Why is SSH password authentication a security risk?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH

Leave a Comment