Mfcttrf

Can my boyfriend, who lives in the UK and has a Polish passport, visit me in the USA?

Taking out number of subarrays from an array which contains all the distinct elements of that array

Why is 日本 read as "nihon" but not "nitsuhon"?

Why don't we use Cavea-B

The logic of invoking virtual functions is not clear (or it is method hiding?)

In an emergency, how do I find and share my position?

Does Git delete empty folders?

Is it insecure to have an ansible user with passwordless sudo?

Metal that glows when near pieces of itself

Does adding the 'precise' tag to daggers break anything?

What's /System/Volumes/Data?

Are there any plans for handling people floating away during an EVA?

How do you call it when two celestial bodies come as close to each other as they will in their current orbits?

Can you grapple/shove with the Hunter Ranger's Whirlwind Attack?

How big would a Daddy Longlegs Spider need to be to kill an average Human?

Starships without computers?

Why doesn't the Falcon-9 first stage use three legs to land?

Was 'help' pronounced starting with a vowel sound?

Co-author responds to email by mistake cc'ing the EiC

(Why) May a Beit Din refuse to bury a body in order to coerce a man into giving a divorce?

Are required indicators necessary for radio buttons?

How to persuade recruiters to send me the Job Description?

Why don't politicians push for fossil fuel reduction by pointing out their scarcity?

Sleeping solo in a double sleeping bag

Is it insecure to have an ansible user with passwordless sudo?

Is it OK to set up passwordless `sudo` on a cloud server?How to setup passwordless `sudo` on Linux?Our security auditor is an idiot. How do I give him the information he wants?Adding a user to an additional group using ansibleHow can I implement ansible with per-host passwords, securely?How do I add sudo permissions to a user created with Ansible?Display output with AnsibleAnsible/Capistrano with fixed sudo command (“sudo su -”)Ansible-galaxy not working with sudoAnsible “expect” module with sudo?Ansible adhoc command execute with sudo

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

1

I'm new to Ansible. Most VPS provisioning guides I've seen so far do this:

1. disable root from logging in


2. create a new user who can only log in with ssh (not password)


3. add the new user to the wheel group, with passwordless sudo permission

I understand (1) and (2), but not (3).

Surely passwordless sudo is just like logging in as root? I understand the benefit (convenience), but isn't this highly insecure?

I realise that admins run their networks in various ways, and so this could be said to be "subjective", but this is a VERY common practice, it's even shown in various official ansible docs as well as guides published by hosting companies. It goes against common sense. What is the logic behind it?

linux security vps ansible

share|improve this question

asked 8 hours ago

lonixlonix

13444 bronze badges

add a comment | 

1

I'm new to Ansible. Most VPS provisioning guides I've seen so far do this:

1. disable root from logging in


2. create a new user who can only log in with ssh (not password)


3. add the new user to the wheel group, with passwordless sudo permission

I understand (1) and (2), but not (3).

Surely passwordless sudo is just like logging in as root? I understand the benefit (convenience), but isn't this highly insecure?

I realise that admins run their networks in various ways, and so this could be said to be "subjective", but this is a VERY common practice, it's even shown in various official ansible docs as well as guides published by hosting companies. It goes against common sense. What is the logic behind it?

linux security vps ansible

share|improve this question

asked 8 hours ago

lonixlonix

13444 bronze badges

add a comment | 

I'm new to Ansible. Most VPS provisioning guides I've seen so far do this:

1. disable root from logging in


2. create a new user who can only log in with ssh (not password)


3. add the new user to the wheel group, with passwordless sudo permission

I understand (1) and (2), but not (3).

Surely passwordless sudo is just like logging in as root? I understand the benefit (convenience), but isn't this highly insecure?

I realise that admins run their networks in various ways, and so this could be said to be "subjective", but this is a VERY common practice, it's even shown in various official ansible docs as well as guides published by hosting companies. It goes against common sense. What is the logic behind it?

linux security vps ansible

share|improve this question

asked 8 hours ago

lonixlonix

13444 bronze badges

share|improve this question

asked 8 hours ago

lonixlonix

13444 bronze badges

share|improve this question

asked 8 hours ago

lonixlonix

13444 bronze badges

asked 8 hours ago

lonixlonix

13444 bronze badges

asked 8 hours ago

lonixlonix

13444 bronze badges

3 Answers
3

active

oldest

votes

4

If the service account can do passwordless sudo, then you have to protect access to that account.

Having the account not have a password, and using only ssh keys to log in to it, accomplishes this, provided you can keep the ssh private key secure as well.

share|improve this answer

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So I'm "sort of" right in feeling perturbed by this convention - and yet, this is the convention for ansible, out of necessity/pragmatism.
  
  – lonix
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So you're saying that I essentially "move" core security from the VPS to my local system, which contains the ansible account's ssh key? In which case, the weak point is not the VPS itself, rather, it's me! And I need to be extra vigilant in protecting that ssh key, in exchange for the convenience that ansible automation gives me.
  
  – lonix
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  ssh key, passphrase protected with ssh-agent, is a reasonably good credential.
  
  – John Mahowald
  6 hours ago
  

  
  
  
  

add a comment | 

1

The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.

As the account doesn't have a password, it is not possible to have sudo ask for a password. Also Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.

share|improve this answer

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

add a comment | 

1

The problem is that ansible is for administrators and automation, so if you need to enter a password to run a script is not really the best way. Also it's not secure to store the password for sudo in a file or database and ansible get it every time it run the playbook. So the combination of passwordless sudo and the authentication with ssh Keys is the best method to ensure security and no right problems by running the playbook. Also you an administrator and know what you programming in the playbook. So the playbook can not destroy your servers.

share|improve this answer

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge

New contributor

NicoKlaus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Playbooks can destroy your systems, but if you use separate test environment only keys, that will not destroy the production hosts.
  
  – John Mahowald
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Exactly, this is hopefully a prerequisite when working on productive systems.
  
  – NicoKlaus
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ansible has 'ansible-vault', and plugins/modules/libraries that permit storing of secrets in many 3rd party secret storage systems like bitwarden, hashicorp vault, keepass,etc.
  
  – Zoredache
  2 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f980031%2fis-it-insecure-to-have-an-ansible-user-with-passwordless-sudo%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

4

If the service account can do passwordless sudo, then you have to protect access to that account.

Having the account not have a password, and using only ssh keys to log in to it, accomplishes this, provided you can keep the ssh private key secure as well.

share|improve this answer

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So I'm "sort of" right in feeling perturbed by this convention - and yet, this is the convention for ansible, out of necessity/pragmatism.
  
  – lonix
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So you're saying that I essentially "move" core security from the VPS to my local system, which contains the ansible account's ssh key? In which case, the weak point is not the VPS itself, rather, it's me! And I need to be extra vigilant in protecting that ssh key, in exchange for the convenience that ansible automation gives me.
  
  – lonix
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  ssh key, passphrase protected with ssh-agent, is a reasonably good credential.
  
  – John Mahowald
  6 hours ago
  

  
  
  
  

add a comment | 

4

If the service account can do passwordless sudo, then you have to protect access to that account.

Having the account not have a password, and using only ssh keys to log in to it, accomplishes this, provided you can keep the ssh private key secure as well.

share|improve this answer

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So I'm "sort of" right in feeling perturbed by this convention - and yet, this is the convention for ansible, out of necessity/pragmatism.
  
  – lonix
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So you're saying that I essentially "move" core security from the VPS to my local system, which contains the ansible account's ssh key? In which case, the weak point is not the VPS itself, rather, it's me! And I need to be extra vigilant in protecting that ssh key, in exchange for the convenience that ansible automation gives me.
  
  – lonix
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  ssh key, passphrase protected with ssh-agent, is a reasonably good credential.
  
  – John Mahowald
  6 hours ago
  

  
  
  
  

add a comment | 

If the service account can do passwordless sudo, then you have to protect access to that account.

Having the account not have a password, and using only ssh keys to log in to it, accomplishes this, provided you can keep the ssh private key secure as well.

share|improve this answer

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

share|improve this answer

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

answered 8 hours ago

Michael Hampton♦Michael Hampton

184k2929 gold badges343343 silver badges676676 bronze badges

1

The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.

As the account doesn't have a password, it is not possible to have sudo ask for a password. Also Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.

share|improve this answer

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

add a comment | 

1

The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.

As the account doesn't have a password, it is not possible to have sudo ask for a password. Also Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.

share|improve this answer

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

add a comment | 

The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.

As the account doesn't have a password, it is not possible to have sudo ask for a password. Also Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.

share|improve this answer

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

share|improve this answer

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

answered 8 hours ago

RalfFriedlRalfFriedl

2,53344 gold badges99 silver badges1515 bronze badges

1

The problem is that ansible is for administrators and automation, so if you need to enter a password to run a script is not really the best way. Also it's not secure to store the password for sudo in a file or database and ansible get it every time it run the playbook. So the combination of passwordless sudo and the authentication with ssh Keys is the best method to ensure security and no right problems by running the playbook. Also you an administrator and know what you programming in the playbook. So the playbook can not destroy your servers.

share|improve this answer

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge

New contributor

NicoKlaus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Playbooks can destroy your systems, but if you use separate test environment only keys, that will not destroy the production hosts.
  
  – John Mahowald
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Exactly, this is hopefully a prerequisite when working on productive systems.
  
  – NicoKlaus
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ansible has 'ansible-vault', and plugins/modules/libraries that permit storing of secrets in many 3rd party secret storage systems like bitwarden, hashicorp vault, keepass,etc.
  
  – Zoredache
  2 hours ago
  

  
  
  
  

add a comment | 

1

The problem is that ansible is for administrators and automation, so if you need to enter a password to run a script is not really the best way. Also it's not secure to store the password for sudo in a file or database and ansible get it every time it run the playbook. So the combination of passwordless sudo and the authentication with ssh Keys is the best method to ensure security and no right problems by running the playbook. Also you an administrator and know what you programming in the playbook. So the playbook can not destroy your servers.

share|improve this answer

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge

New contributor

NicoKlaus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Playbooks can destroy your systems, but if you use separate test environment only keys, that will not destroy the production hosts.
  
  – John Mahowald
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Exactly, this is hopefully a prerequisite when working on productive systems.
  
  – NicoKlaus
  6 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Ansible has 'ansible-vault', and plugins/modules/libraries that permit storing of secrets in many 3rd party secret storage systems like bitwarden, hashicorp vault, keepass,etc.
  
  – Zoredache
  2 hours ago
  

  
  
  
  

add a comment | 

The problem is that ansible is for administrators and automation, so if you need to enter a password to run a script is not really the best way. Also it's not secure to store the password for sudo in a file or database and ansible get it every time it run the playbook. So the combination of passwordless sudo and the authentication with ssh Keys is the best method to ensure security and no right problems by running the playbook. Also you an administrator and know what you programming in the playbook. So the playbook can not destroy your servers.

share|improve this answer

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge

New contributor

NicoKlaus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge

New contributor

NicoKlaus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge

New contributor

NicoKlaus is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered 8 hours ago

NicoKlausNicoKlaus

1111 bronze badge