Thanks for your help Uditha Desilva :)

On Wed, Mar 23, 2016 at 10:35 AM, Uditha Desilva <[email protected]> wrote:
> Looks like you've got 2 different questions there, 1) what's most secure
> way, and 2) what's the "best" way.
>
> NOPASSWD:ALL is certainly the most convenient way, but it probably isn't
> the most secure. (You would need to ensure that the SSH private key is well
> secured, and probably only allowed to be used from a hardened bastion host
> (look at "man ssh_config" and the "from=" parameter -- possibly also using
> a "command=" wrapper to check that arbitrary commands (as opposed to sftp
> and ansible-driven python and sudo invocations) are not accepted).
>
> If you don't want to do that, you can have Ansible prompt for the su or
> sudo password (check out the --ask-pass and --ask-become options). That is
> a little more secure, although it's quite a lot more "hassle", unless you
> have a dynamic inventory source that can set the required
> ansible_ssh_user/ansible_ssh_pass/ansible_become_method/ansible_become_pass
> connection variables acquired from some "other source".
>
> On Wednesday, 23 March 2016 12:11:59 UTC, Vamberto Junior wrote:
>>
>> Hello everybody
>>
>> I am a new user in Ansible's World so in my studies, I have some doubts
>> about the best way to manage hosts with Ansible.
>>
>> My question is... What is the best security way to manage hosts with
>> Ansible ?
>>
>> Some docs tell to use ssh without pass from the server Ansible to host
>> and use sudo without pass too (ansible ALL=NOPASSWD: ALL)
>>
>> So in your opinion what is the best way ?
>>
>> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ansible Project" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/ansible-project/WBoOnat-LFk/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/a7e5bfbc-42c7-40eb-b2bb-c4efaabc2160%40googlegroups.com
>
> For more options, visit https://groups.google.com/d/optout.

--
Att
Vamberto Rocha JR <http://www.linkedin.com/in/vambertojr>
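
The `from=` and `command=` restrictions mentioned in the quoted reply are per-key options written in front of the key in the managed host's `authorized_keys` file. As an added example (not part of the original thread), this Python script flags keys that lack either option and sudoers entries that grant `NOPASSWD: ALL`; the function names, the sample data and the wrapper path `/usr/local/bin/ansible-gate` are constructed for illustration.

```python
import re

NOPASSWD_ALL = re.compile(r"^\s*([^#\s]\S*)\s+[^\s=]+\s*=\s*(\([^)]*\)\s*)?NOPASSWD:\s*ALL\s*$")

def split_options(line):
    """Split one authorized_keys line into (options dict, 'type key comment')."""
    if line.startswith(("ssh-", "ecdsa-sha2-", "sk-")):  # key type first: no options
        return {}, line
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf += '"'
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:          # option separator
            opts.append(buf)
            buf = ""
        elif ch.isspace() and not quoted:       # end of the options field
            break
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return dict(o.partition("=")[::2] for o in opts), line[i:].strip()

def audit_authorized_keys(text):
    """Return (line number, key comment, missing options) per under-restricted key."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            opts, rest = split_options(line)
            missing = [o for o in ("from", "command") if o not in map(str.lower, opts)]
            if missing:
                findings.append((n, (rest.split()[2:3] or ["?"])[0], missing))
    return findings

def audit_sudoers(text):
    """Return users or %groups whose rule is 'host = [(runas)] NOPASSWD: ALL'."""
    return [m.group(1) for l in text.splitlines() if (m := NOPASSWD_ALL.match(l))]

# Constructed sample input: placeholder key material, hypothetical wrapper path.
SAMPLE_KEYS = '''ssh-ed25519 AAAA_PLACEHOLDER ansible@laptop
from="192.0.2.10,192.0.2.11",command="/usr/local/bin/ansible-gate",no-pty ssh-ed25519 AAAA_PLACEHOLDER ansible@bastion
from="192.0.2.10" ssh-rsa AAAA_PLACEHOLDER ansible@ci
'''
SAMPLE_SUDOERS = "ansible ALL=NOPASSWD: ALL\ndeploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app\n"
print(audit_authorized_keys(SAMPLE_KEYS), audit_sudoers(SAMPLE_SUDOERS))
```

Only the key used from the bastion passes the first check; the sudoers check reports the blanket `ansible` rule and leaves the command-scoped `deploy` rule alone.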
