Hi all,

I'm trying to use ansible in the following situation:

   - key-based SSH login is *enabled on all hosts*
   - passwordless sudo is *disabled on all hosts* (NOPASSWD is not used in 
   /etc/sudoers)
   - UNIX account (i.e. sudo) passwords are *not reused between hosts*

and my question is:

If this configuration is supported with ansible, how can I make it work?
If this is not supported with ansible, then what is the recommended 
approach?

I made a list of conflicting information on this point (including some from 
the ansible docs) for my ServerFault question 
<http://serverfault.com/questions/560106/how-can-i-implement-ansible-with-per-host-passwords-securely> — 
asked two weeks ago, and with 0 answers. In particular, I found GitHub 
issue #1227 <https://github.com/ansible/ansible/issues/1227>, which seems 
to be a feature request to support my exact use-case… closed a year ago 
with the comment "I think most people are sudoing from only one user 
account or using keys most of the time" (NB the *question is not about keys 
or user accounts, but sudo passwords*).

In short (please see the SF question or the GH Issue for more details), 
using -K asks for a single password which is tried on all hosts (obviously 
failing if passwords aren't the same), and I can see no way of using 
command-line or configuration options to prompt for a password per-host. 

I am not keen to enable passwordless sudo on any of the hosts I wish to 
manage — or to reuse a password across multiple hosts — as these seem like 
large sacrifices in security. I really want to be entering N passwords 
during a playbook run involving N hosts.

Many thanks in advance for your thoughts.

Cheers,


Carl
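As an added example (not part of Carl's post, and not an answer from the list), this is how Ansible's per-host inventory variables can hold a different sudo password for each host without NOPASSWD and without reusing a password: each host's `ansible_become_pass` lives in its own Vault-encrypted host_vars file, so one `--ask-vault-pass` prompt unlocks N distinct sudo passwords. Host names and file layout are constructed; `ansible_become_pass` is the Ansible 2.x name (1.x used `ansible_sudo_pass`).

```yaml
# inventory/hosts.yml  (constructed inventory, two hosts with unrelated sudo passwords)
all:
  hosts:
    web1.example.net: {}
    db1.example.net: {}

# inventory/host_vars/web1.example.net/vault.yml
# Encrypted at rest with:  ansible-vault encrypt inventory/host_vars/web1.example.net/vault.yml
# Plaintext content (placeholder value, never a real password in cleartext):
#   ansible_become_pass: "<web1-only sudo password>"

# inventory/host_vars/db1.example.net/vault.yml
# Same idea, a different password; encrypted the same way:
#   ansible_become_pass: "<db1-only sudo password>"

# site.yml  (constructed playbook)
- name: Privileged run using each host's own sudo password
  hosts: all
  become: true            # sudo; the password comes from the host's ansible_become_pass
  gather_facts: false
  tasks:
    - name: Confirm escalation worked on this host
      command: id -un
      register: who
      changed_when: false

    - name: Fail loudly if we are not root after become
      assert:
        that: who.stdout == "root"
        fail_msg: "become did not escalate on {{ inventory_hostname }}"

# Run:  ansible-playbook -i inventory/hosts.yml --ask-vault-pass site.yml
# Only the vault passphrase is typed; no -K, no shared sudo password, no NOPASSWD.
```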

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.