Hi all, I'm trying to use ansible in the following situation:

- key-based SSH login is *enabled on all hosts*
- passwordless sudo is *disabled on all hosts* (NOPASSWD is not used in /etc/sudoers)
- UNIX account (i.e. sudo) passwords are *not reused between hosts*

and my question is: If this configuration is supported with ansible, how can I make it work? If this is not supported with ansible, then what is the recommended approach?

I made a list of conflicting information on this point (including some from the ansible docs) for my ServerFault question <http://serverfault.com/questions/560106/how-can-i-implement-ansible-with-per-host-passwords-securely> — asked two weeks ago, and with 0 answers.

In particular, I found GitHub issue #1227 <https://github.com/ansible/ansible/issues/1227>, which seems to be a feature request to support my exact use-case… closed a year ago with the comment "I think most people are sudoing from only one user account or using keys most of the time" (NB the *question is not about keys or user accounts, but sudo passwords*).

In short (please see the SF question or the GH Issue for more details), using -K asks for a single password which is tried on all hosts (obviously failing if passwords aren't the same), and I can see no way of using command-line or configuration options to prompt for a password per-host.

I am not keen to enable passwordless sudo on any of the hosts I wish to manage — or to reuse a password across multiple hosts — as these seem like large sacrifices in security. I really want to be entering N passwords during a playbook run involving N hosts.

Many thanks in advance for your thoughts.

Cheers,
Carl
