On 23.03.16 Vamberto Junior wrote:
> So in your opinion what is the best way?
I am by far not an expert on ansible security. But after reading lots and lots of docs I went for the following:

- Use SSH keys with passphrase
- Store passphrase in ssh-agent if needed, and delete them afterwards
- Do *not* allow the ansible_user passwordless sudo
- Provide the sudo password (ansible_become_pass) in a host_vars file (host_vars/xyz for host xyz)
- Encrypt that host_vars file with ansible vault
- Store the ansible-vault passphrase in a file on my machine

I also do not use the same username on each host, but also store that in the host_vars file. I also do not use the same ssh port on each machine, you guessed it: stored in a host_vars file (although this is security by obscurity, it keeps the logs clean, i.e. script kiddies do not fill the logs with stupid attempts)

Just my 2 cents, YMMV.

Johannes

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/56F83221.30904%40ojkastl.de.
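A defender's check that follows from the advice above, added here as an example (not code from the thread or from Ansible itself): scan an inventory's host_vars/ directory and flag any file that carries ansible_become_pass or a similar credential key without the "$ANSIBLE_VAULT;" header that ansible-vault writes. The directory layout, the list of secret keys and the sample files are constructed for the demonstration.

```python
"""Flag host_vars files that hold credentials in plaintext instead of
being encrypted with ansible-vault (whole-file vault, as described above)."""
import re
import tempfile
from pathlib import Path

VAULT_HEADER = "$ANSIBLE_VAULT;"  # first line of a vault-encrypted file
# Keys that must never sit unencrypted in an inventory (assumed list).
SECRET_KEYS = ("ansible_become_pass", "ansible_ssh_pass", "ansible_password")
_SECRET_RE = re.compile(r"^\s*(%s)\s*:" % "|".join(SECRET_KEYS), re.M)


def is_vault_encrypted(text: str) -> bool:
    """True if the file content starts with the ansible-vault header."""
    return text.startswith(VAULT_HEADER)


def find_plaintext_secrets(host_vars_dir):
    """Return {filename: [keys]} for files holding unencrypted secrets."""
    findings = {}
    for path in sorted(Path(host_vars_dir).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if is_vault_encrypted(text):
            continue  # whole file is ciphertext, nothing readable to flag
        keys = sorted(set(_SECRET_RE.findall(text)))
        if keys:
            findings[path.name] = keys
    return findings


def demo():
    """Build a constructed host_vars/ directory and run the check on it."""
    with tempfile.TemporaryDirectory() as d:
        hv = Path(d) / "host_vars"
        hv.mkdir()
        # xyz: encrypted with ansible-vault (real header format; the
        # ciphertext line is a constructed dummy, not real vault output)
        (hv / "xyz").write_text("$ANSIBLE_VAULT;1.1;AES256\n33313466390a\n")
        # abc: encryption forgotten, sudo password sits in the clear
        (hv / "abc").write_text("ansible_user: deploy\nansible_port: 2222\n"
                                "ansible_become_pass: hunter2\n")
        # web1: only non-secret connection settings, plaintext is fine
        (hv / "web1").write_text("ansible_user: ops\nansible_port: 2200\n")
        return find_plaintext_secrets(hv)


if __name__ == "__main__":
    for name, keys in demo().items():
        print(f"{name}: plaintext secret(s): {', '.join(keys)}")
```

Run it against a real inventory by calling find_plaintext_secrets("inventory/host_vars") from a pre-commit hook or CI job.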
