Is it insecure to have an ansible user with passwordless sudo?
I'm new to Ansible. Most VPS provisioning guides I've seen so far do this:
1. disable root from logging in
2. create a new user who can only log in with SSH (not a password)
3. add the new user to the wheel group, with passwordless sudo permission
I understand (1) and (2), but not (3).
Surely passwordless sudo is just like logging in as root? I understand the benefit (convenience), but isn't this highly insecure?
I realise that admins run their networks in various ways, and so this could be said to be "subjective", but this is a VERY common practice; it's even shown in various official Ansible docs as well as guides published by hosting companies. It goes against common sense. What is the logic behind it?
linux security vps ansible
asked 8 hours ago by lonix
3 Answers
If the service account can do passwordless sudo, then you have to protect access to that account.
Having the account not have a password, and using only SSH keys to log in to it, accomplishes this, provided you can keep the SSH private key secure as well.
answered 8 hours ago by Michael Hampton
So I'm "sort of" right in feeling perturbed by this convention - and yet, this is the convention for Ansible, out of necessity/pragmatism.
– lonix, 7 hours ago
So you're saying that I essentially "move" core security from the VPS to my local system, which contains the Ansible account's SSH key? In which case, the weak point is not the VPS itself, rather, it's me! And I need to be extra vigilant in protecting that SSH key, in exchange for the convenience that Ansible automation gives me.
– lonix, 7 hours ago
SSH key, passphrase protected with ssh-agent, is a reasonably good credential.
– John Mahowald, 6 hours ago
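The three steps from the question, plus the point made in the answer above that the key-only account (and the private key that opens it) is the thing to protect, written out as one playbook. This is an added example for this page, not code from the question, the answers or the Ansible documentation. It assumes a Linux target with sudo, OpenSSH and systemd, the ansible.posix collection on the control node, the control node's public key at ~/.ssh/id_ed25519.pub, and 198.51.100.10 as a placeholder control-node address; the account name `ansible`, the variable names and the drop-in path /etc/sudoers.d/90-ansible are choices made here. It is deliberately tighter than the guides the question describes in two places: the NOPASSWD rule is scoped to this one account instead of the whole wheel group, and the key is pinned to the control node's address with `from=` and forwarding disabled, so a copy of the key is useless from anywhere else. It also checks its own work: visudo validates the sudoers fragment before it is installed, `sshd -T` confirms the effective configuration (an included file under sshd_config.d can silently override the main file), and a final `sudo -n true` proves the prompt really is gone.

```yaml
# Added example for this page (not code from the question, the answers or the
# Ansible docs). Implements the three provisioning steps from the question and
# pins the key to the control node, because that key is what stands in for root.
# Assumptions: Linux target with sudo, OpenSSH and systemd; ansible.posix
# collection on the control node; control-node public key at
# ~/.ssh/id_ed25519.pub; 198.51.100.10 is a placeholder control-node address.
- name: Provision a key-only automation account with scoped passwordless sudo
  hosts: all
  become: true
  vars:
    automation_user: ansible                  # account name chosen for this example
    control_node_cidr: "198.51.100.10/32"     # placeholder, replace with your own
    control_node_pubkey: "{{ lookup('ansible.builtin.file', '~/.ssh/id_ed25519.pub') }}"

  tasks:
    - name: Create the account and lock its password field (key login only)
      ansible.builtin.user:
        name: "{{ automation_user }}"
        shell: /bin/bash
        password_lock: true

    - name: Install the control-node key, usable only from that address, no forwarding
      ansible.posix.authorized_key:
        user: "{{ automation_user }}"
        key: "{{ control_node_pubkey }}"
        key_options: 'from="{{ control_node_cidr }}",no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
        exclusive: true                       # removes any other key on this account

    - name: Grant NOPASSWD sudo to this one account, not to all of wheel
      ansible.builtin.copy:
        dest: "/etc/sudoers.d/90-{{ automation_user }}"
        content: "{{ automation_user }} ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s     # a syntax error here would break sudo

    - name: Disable root login and every password-based login path in sshd
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: KbdInteractiveAuthentication, value: "no" }
      notify: Restart sshd

    - name: Read the effective sshd configuration (first value wins, includes come first)
      ansible.builtin.command:
        cmd: /usr/sbin/sshd -T
      changed_when: false
      register: sshd_effective

    - name: Fail if a file under /etc/ssh/sshd_config.d/ overrides the hardening above
      ansible.builtin.assert:
        that:
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
        fail_msg: "An included sshd_config.d file re-enables root or password login."

    - name: Prove the account can sudo without a prompt (-n fails instead of asking)
      ansible.builtin.command:
        cmd: sudo -n true
      become_user: "{{ automation_user }}"
      changed_when: false

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd                            # the unit is called "ssh" on Debian/Ubuntu
        state: restarted
```

Run it once as root before root login is disabled (`ansible-playbook provision.yml -u root`); every later run uses `-u ansible` with the key. Nothing in the playbook can protect the private key on the control node, which is exactly the point of the answer above: that key now stands in for root, so it lives in a passphrase-protected file loaded into ssh-agent, on a machine you control.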
The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.
As the account doesn't have a password, it is not possible to have sudo ask for a password. Also, Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.
answered 8 hours ago by RalfFriedl
The problem is that Ansible is for administrators and automation, so if you need to enter a password to run a script, that is not really the best way. Also, it's not secure to store the password for sudo in a file or database and have Ansible get it every time it runs the playbook. So the combination of passwordless sudo and authentication with SSH keys is the best method to ensure security and no permission problems when running the playbook. Also, you are an administrator and know what you are programming in the playbook. So the playbook cannot destroy your servers.
answered 8 hours ago by NicoKlaus (new contributor)
Playbooks can destroy your systems, but if you use separate test-environment-only keys, that will not destroy the production hosts.
– John Mahowald, 6 hours ago
Exactly, this is hopefully a prerequisite when working on production systems.
– NicoKlaus, 6 hours ago
Ansible has ansible-vault, and plugins/modules/libraries that permit storing secrets in many third-party secret storage systems like Bitwarden, HashiCorp Vault, KeePass, etc.
– Zoredache, 2 hours ago
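The alternative the comment above points at, as an added example that is not part of the original thread: leave sudo's password prompt in place on the hosts and let Ansible answer it from a file encrypted with ansible-vault, so the sudo password is never stored in clear text and can differ per group or per host. The file layout (vault/web.yml), the login name `deploy` and the variable name `vault_become_password` are choices made here. The vault file is created with `ansible-vault create vault/web.yml` and contains a single line, `vault_become_password: <the sudo password>`; the hosts carry `deploy ALL=(ALL) ALL` in sudoers, without NOPASSWD.

```yaml
# Added example, not code from the thread. Privileged tasks with sudo still
# asking for a password; Ansible supplies it from a vault-encrypted file.
# Assumed layout: vault/web.yml was created with `ansible-vault create vault/web.yml`
# and holds `vault_become_password: ...`; hosts have `deploy ALL=(ALL) ALL` in sudoers.
- name: Run privileged tasks with a vaulted sudo password
  hosts: web
  remote_user: deploy                 # key-only login, as in the question's step 2
  become: true
  become_method: sudo
  vars_files:
    - vault/web.yml                   # encrypted; decrypted in memory with the vault password
  vars:
    # Ansible feeds this to sudo's prompt over the SSH channel; it is never put on a
    # command line or written to the host.
    ansible_become_password: "{{ vault_become_password }}"

  tasks:
    - name: Confirm privilege escalation actually produced root
      ansible.builtin.command:
        cmd: id -un
      register: whoami
      changed_when: false

    - name: Stop before changing anything if become did not work
      ansible.builtin.assert:
        that: whoami.stdout == 'root'
        fail_msg: "become failed: check the sudoers rule for deploy and the vaulted password"

    - name: A privileged change, as the kind of task this setup exists for
      ansible.builtin.package:
        name: htop
        state: present
```

Run it with `ansible-playbook site.yml --ask-vault-pass` (or `--vault-password-file` for unattended runs). For a different sudo password on every host, put the encrypted file at `host_vars/<hostname>/vault.yml` with the same variable name and drop `vars_files`; Ansible loads host_vars automatically and host variables override group variables. `ansible-vault encrypt_string` can instead embed only the encrypted value inside an otherwise plain-text vars file. Note what this does and does not buy: a stolen SSH key alone no longer gives root, but the secret has moved into the vault password, which now needs the same care the answers above ask for the private key.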