Add a key; that would also make it safer for you, since you would need to 
type a password before making any changes on production servers.

What I would recommend though is that you just close down SSH in your 
firewall to all except addresses which are going to be used as managing 
servers. Either close it down with iptables, or even better in your network 
firewall or L3 switch with ACLs.

On Monday, April 21, 2014 6:02:07 PM UTC+2, Francisco Reyes wrote:
>
> On Monday, April 21, 2014 10:15:17 AM UTC-4, Adam Morris wrote:
> >> ....My personal preference would be to create a user account for
> >> yourself (avoid a role account) give it a password, distribute an
> >> authorized key and require a password for sudo. This is marginally less
> >> convenient in that you need to provide a password but aids auditing and
> >> allows for multiple admins to run ansible as themselves.
>
> Would this be secure?
> * Setup target machines to only accept logins with ssh keys
> * Set "PermitRootLogin no" in /etc/ssh/sshd_config
> * At bottom of  /etc/ssh/sshd_config
> #Allow only the monitoring machine to connect through root
> Match Address #.#.#.# <--- where #.#.#.# is the IP of the ansible machine
> PermitRootLogin yes
>
> * Have a key WITH password in the ansible machine so one would need to put 
> in the password, likely in ssh-agent, before the connections would work.
>
> Would that be safe? 
>
> My environment, so far, is small enough that I am not doing cron jobs yet 
> with ansible. Looking for the safest, yet manageable, way to get ansible 
> implemented across a couple of clients. Currently I have the root key 
> without password, but thinking of adding a password to it for safety.
>

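As an added example (not code from the thread or from the Ansible project), this Python sketch resolves what the sshd_config layout proposed above yields for a given source address, so the `Match Address` exception can be checked before it is deployed. The addresses and function names are assumptions, and only `Match all` and `Match Address` with plain addresses or CIDR ranges are evaluated.

```python
import ipaddress

# Constructed sample of the layout proposed in the thread; 192.0.2.10 is a
# documentation-range placeholder for the Ansible control machine.
SAMPLE_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no
# Allow only the management machine to connect as root
Match Address 192.0.2.10
    PermitRootLogin yes
"""

def addr_matches(patterns, client):
    """True if client is inside any comma-separated address or CIDR pattern."""
    ip = ipaddress.ip_address(client)
    for pat in patterns.split(","):
        try:
            if ip in ipaddress.ip_network(pat, strict=False):
                return True
        except ValueError:
            pass  # wildcard and negated patterns are not handled here
    return False

def effective_settings(config_text, client):
    """A satisfied Match (all/Address only) overrides globals; first value wins."""
    global_opts, match_opts = {}, {}
    active, target = True, global_opts
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit = value.lower().split()
            target = match_opts
            active = crit == ["all"] or (len(crit) == 2
                and crit[0] == "address" and addr_matches(crit[1], client))
        elif active:
            target.setdefault(keyword, value)
    return {**global_opts, **match_opts}

def audit(config_text, mgmt_addr, other_addr):
    """Findings against the thread's goals: keys only, root only from mgmt."""
    views = {a: effective_settings(config_text, a) for a in (mgmt_addr, other_addr)}
    findings = [f"{a}: password logins not disabled" for a, v in views.items()
                if v.get("passwordauthentication") != "no"]
    if views[other_addr].get("permitrootlogin") != "no":
        findings.append(f"{other_addr}: root login not disabled")
    return findings
```

On a live host, sshd's extended test mode (`sshd -T` with a `-C` connection spec) reports the values sshd itself resolves for a given connection and is the authoritative check.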