Is it insecure to have an ansible user with passwordless sudo?


I'm new to Ansible. Most VPS provisioning guides I've seen so far do this:



  1. disable root from logging in

  2. create a new user who can only log in with ssh (not password)

  3. add the new user to the wheel group, with passwordless sudo permission

I understand (1) and (2), but not (3).



Surely passwordless sudo is just like logging in as root? I understand the benefit (convenience), but isn't this highly insecure?



I realise that admins run their networks in various ways, and so this could be said to be "subjective", but this is a VERY common practice, it's even shown in various official ansible docs as well as guides published by hosting companies. It goes against common sense. What is the logic behind it?










linux, security, vps, ansible






asked 8 hours ago by lonix

3 Answers






If the service account can do passwordless sudo, then you have to protect access to that account.

Having the account not have a password, and using only ssh keys to log in to it, accomplishes this, provided you can keep the ssh private key secure as well.






answered 8 hours ago by Michael Hampton

• So I'm "sort of" right in feeling perturbed by this convention - and yet, this is the convention for ansible, out of necessity/pragmatism.
  – lonix, 7 hours ago











• So you're saying that I essentially "move" core security from the VPS to my local system, which contains the ansible account's ssh key? In which case, the weak point is not the VPS itself, rather, it's me! And I need to be extra vigilant in protecting that ssh key, in exchange for the convenience that ansible automation gives me.
  – lonix, 7 hours ago






• ssh key, passphrase protected with ssh-agent, is a reasonably good credential.
  – John Mahowald, 6 hours ago
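The three steps from the question and the condition in this answer (a NOPASSWD grant is acceptable only for an account that has no password and is reachable by key alone) turned into an audit check. This is an added example, not code from the thread; the `Host` record, the sample sshd_config, sudoers and shadow text, and the simplified sudoers parser are constructed for it.

```python
"""Audit of the key-only user + NOPASSWD sudo pattern from the thread.
Constructed example: inputs are plain-text captures of sshd_config, sudoers
and the account's /etc/shadow entry. sudoers parsing is simplified (no
aliases or includes, one user specification per line)."""
import re
from dataclasses import dataclass

@dataclass
class Host:
    user: str          # the provisioning account, e.g. "ansible"
    groups: set        # its supplementary groups, e.g. {"wheel"}
    sshd_config: str   # contents of /etc/ssh/sshd_config
    sudoers: str       # /etc/sudoers plus drop-ins, concatenated
    shadow_line: str   # the account's /etc/shadow entry

def sshd_settings(text):
    """Effective keywords, lower-cased: first occurrence wins as in sshd(8).
    Stops at the first Match block, whose directives are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings

def nopasswd_grants(sudoers, user, groups):
    """sudoers lines that let `user` run sudo without a password, matched by
    user name, %group membership or the ALL wildcard."""
    grants = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "NOPASSWD:" not in line:
            continue
        principal = line.split()[0]
        if principal in (user, "ALL") or (
                principal.startswith("%") and principal[1:] in groups):
            grants.append(line)
    return grants

def password_state(shadow_line):
    """'locked' (key-only account), 'set' (usable hash) or 'empty' (no
    credential needed at all) for an /etc/shadow entry."""
    fields = shadow_line.split(":")
    pw = fields[1] if len(fields) > 1 else ""
    if pw == "":
        return "empty"
    return "locked" if pw.startswith(("!", "*")) else "set"

def audit(host):
    """Findings that must be fixed before the NOPASSWD grant is acceptable;
    an empty list means the controls the answers rely on are all present."""
    findings = []
    grants = nopasswd_grants(host.sudoers, host.user, host.groups)
    if not grants:
        return findings  # nothing to compensate for
    ssh = sshd_settings(host.sshd_config)
    if ssh.get("permitrootlogin", "(default)") != "no":
        findings.append("PermitRootLogin is not 'no' (step 1)")
    if ssh.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (step 2)")
    # With UsePAM, keyboard-interactive can still prompt for the password even
    # when PasswordAuthentication is off; either keyword switches it off.
    kbd = ssh.get("kbdinteractiveauthentication",
                  ssh.get("challengeresponseauthentication", "yes"))
    if kbd != "no":
        findings.append("keyboard-interactive authentication still enabled")
    state = password_state(host.shadow_line)
    if state != "locked":
        findings.append(f"{host.user} password field is {state}; "
                        f"{grants[0]!r} is only acceptable for a locked account")
    return findings

# Constructed hosts: GOOD follows the three steps; BAD has the same grant but
# root login and password logins were never disabled and a password was set.
GOOD = Host("ansible", {"wheel"},
            "PermitRootLogin no\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nPubkeyAuthentication yes\n",
            "%wheel ALL=(ALL) NOPASSWD: ALL\n",
            "ansible:!:19500:0:99999:7:::")
BAD = Host("ansible", {"wheel"},
           "PermitRootLogin prohibit-password\nPasswordAuthentication yes\n",
           "%wheel ALL=(ALL) NOPASSWD: ALL\n",
           "ansible:$6$constructedsalt$constructedhash:19500:0:99999:7:::")

if __name__ == "__main__":
    for name, host in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(host) or ["ok"])
```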

















The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.

As the account doesn't have a password, it is not possible to have sudo ask for a password. Also Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.







answered 8 hours ago by RalfFriedl

The problem is that Ansible is for administrators and automation, so if you need to enter a password to run a script, that is not really the best way. Also, it's not secure to store the password for sudo in a file or database and have Ansible get it every time it runs the playbook. So the combination of passwordless sudo and authentication with SSH keys is the best method to ensure security and no rights problems when running the playbook. Also, you are an administrator and know what you are programming in the playbook, so the playbook cannot destroy your servers.







answered 8 hours ago by NicoKlaus

• Playbooks can destroy your systems, but if you use separate test environment only keys, that will not destroy the production hosts.
  – John Mahowald, 6 hours ago











• Exactly, this is hopefully a prerequisite when working on productive systems.
  – NicoKlaus, 6 hours ago











• Ansible has 'ansible-vault', and plugins/modules/libraries that permit storing of secrets in many 3rd party secret storage systems like bitwarden, hashicorp vault, keepass, etc.
  – Zoredache, 2 hours ago
















