On Monday, April 21, 2014 10:15:17 AM UTC-4, Adam Morris wrote:
>> ....My personal preference would be to create a user account for yourself (avoid a role account) give it a password,
>> distribute an authorized key and require a password for sudo. This is marginally less convenient in that you need
>> to provide a password but aids auditing and allows for multiple admins to run ansible as themselves.

Would this be secure?

* Set up target machines to only accept logins with ssh keys
* Set "PermitRootLogin no" in /etc/ssh/sshd_config
* At bottom of /etc/ssh/sshd_config

    #Allow only the monitoring machine to connect through root
    Match Address #.#.#.#     <--- where #.#.#.# is the IP of the ansible machine
    PermitRootLogin yes

* Have a key WITH password in the ansible machine so one would need to put in the password, likely in ssh-agent, before the connections would work.

Would that be safe? My environment, so far, is small enough that I am not doing cron jobs yet with ansible. Looking for the safest, yet manageable, way to get ansible implemented across a couple of clients. Currently I have the root key without password, but thinking of adding a password to it for safety.
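As an added example (not part of the original post), the sketch below resolves which PermitRootLogin value applies to a given client address under the layout proposed above, following sshd's rule that the first value wins inside a section and a matching Match block overrides the global section. The address 192.0.2.10, the sample config and the function names are constructed for illustration; only Match Address with plain IPs or CIDR ranges is handled.

```python
import ipaddress

# Constructed sample: the layout proposed in the post, with 192.0.2.10
# (documentation range) standing in for the ansible machine's address.
SAMPLE_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no

# Allow only the ansible machine to connect as root
Match Address 192.0.2.10
    PermitRootLogin yes
"""

def address_matches(patterns, client_ip):
    """True if client_ip is in a comma-separated list of IPs/CIDRs (no wildcards or negation)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(p.strip(), strict=False)
               for p in patterns.split(","))

def effective_settings(config_text, client_ip):
    """Return the keyword -> value map that applies to a connection from client_ip."""
    global_opts, match_opts = {}, {}
    target = global_opts
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, value = (line.split(None, 1) + [""])[:2]
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            criterion, patterns = (value.split(None, 1) + [""])[:2]
            if criterion.lower() == "all":
                target = match_opts
            elif criterion.lower() == "address":
                # Lines of a non-matching block are skipped (target = None).
                target = match_opts if address_matches(patterns, client_ip) else None
            else:
                raise ValueError(f"unsupported Match criterion: {criterion}")
            continue
        if target is not None:
            target.setdefault(keyword, value)  # first value seen wins
    return {**global_opts, **match_opts}       # Match values override global ones

def root_login_policy(config_text, client_ip):
    """PermitRootLogin value in force for client_ip, or None if never set."""
    return effective_settings(config_text, client_ip).get("permitrootlogin")
```

On a real host, `sshd -T -C user=root,addr=<client IP>,host=<client name>` prints the settings sshd itself resolves for that connection, which is the authoritative check.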
