Looks like you've got 2 different questions there: 1) what's the most secure way, and 2) what's the "best" way.

NOPASSWD:ALL is certainly the most convenient way, but it probably isn't the most secure. (You would need to ensure that the SSH private key is well secured, and probably only allowed to be used from a hardened bastion host (look at "man ssh_config" and the "from=" parameter -- possibly also using a "command=" wrapper to check that arbitrary commands (as opposed to sftp and ansible-driven python and sudo invocations) are not accepted).)

If you don't want to do that, you can have Ansible prompt for the su or sudo password (check out the --ask-pass and --ask-become options). That is a little more secure, although it's quite a lot more "hassle", unless you have a dynamic inventory source that can set the required ansible_ssh_user/ansible_ssh_pass/ansible_become_method/ansible_become_pass connection variables acquired from some "other source".

On Wednesday, 23 March 2016 12:11:59 UTC, Vamberto Junior wrote:
> Hello everybody
>
> I am a new user in Ansible's World so in my studies, I have some doubts
> about the best way to manage hosts with Ansible.
>
> My question is... What is the best security way to manage hosts with
> Ansible?
>
> Some docs tell to use ssh without pass from the server Ansible to host and
> use sudo without pass too (ansible ALL=NOPASSWD: ALL)
>
> So in your opinion what is the best way?
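The key restrictions mentioned in the reply above can be checked mechanically on a managed host. This is an added example, not part of the original thread: it parses `authorized_keys` entries (where OpenSSH reads the `from=` and `command=` options) and reports keys that lack either one. The sample entries, key material and the wrapper path `/usr/local/bin/ansible-ssh-wrapper` are constructed for illustration.

```python
import re

# Key-type prefixes that open an entry with no options field.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Return (options, rest); quoted values end at the next unescaped quote."""
    if KEY_TYPE.match(line):
        return {}, line
    opts, i, n = {}, 0, len(line)
    while i < n and line[i] not in " \t":
        j = i
        while j < n and line[j] not in "=, \t":
            j += 1
        name, value = line[i:j].lower(), True
        if j < n and line[j] == "=":
            j += 1
            if j < n and line[j] == '"':
                k = j + 1
                while k < n and not (line[k] == '"' and line[k - 1] != "\\"):
                    k += 1
                value, j = line[j + 1:k], k + 1
        opts[name] = value
        i = j + 1 if j < n and line[j] == "," else j
    return opts, line[i:].strip()

def audit(text):
    """Return (line number, key comment, missing restrictions) per weak entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split()
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        missing = [o for o in ("from", "command") if o not in opts]
        if missing:
            findings.append((lineno, comment, missing))
    return findings

# Constructed sample: placeholder keys, documentation address, hypothetical wrapper path.
SAMPLE = """\
# ansible control keys
ssh-ed25519 AAAAEXAMPLEKEY1 ansible@anywhere
from="192.0.2.10" ssh-ed25519 AAAAEXAMPLEKEY2 ansible@bastion-only
from="192.0.2.10",command="/usr/local/bin/ansible-ssh-wrapper" ssh-ed25519 AAAAEXAMPLEKEY3 ansible@locked
"""

print(audit(SAMPLE))
```

To check a real account, pass the contents of its `~/.ssh/authorized_keys` file to `audit()` instead of `SAMPLE`.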
