Thanks Johannes Kastl for the help :)

On Sun, Mar 27, 2016 at 4:18 PM, Johannes Kastl <[email protected]> wrote:

> On 23.03.16 Vamberto Junior wrote:
>
> > So in your opinion what is the best way?
>
> I am by far not an expert on ansible security. But after reading lots
> and lots of docs I went for the following:
>
> - Use SSH keys with passphrase
> - Store passphrase in ssh-agent if needed, and delete them afterwards
> - Do *not* allow the ansible_user passwordless sudo
> - Provide the sudo password (ansible_become_pass) in a host_vars file
>   (host_vars/xyz for host xyz)
> - Encrypt that host_vars file with ansible vault
> - Store the ansible-vault passphrase in a file on my machine
>
> I also do not use the same username on each host, but also store that
> in the host_vars file.
> I also do not use the same ssh port on each machine, you guessed it:
> stored in a host_vars file (although this is security by obscurity, it
> keeps the logs clean, i.e. script kiddies do not fill the logs with
> stupid attempts)
>
> Just my 2 cents, YMMV.
>
> Johannes

--
Regards,
Vamberto Rocha JR <http://www.linkedin.com/in/vambertojr>
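An added example, not part of the thread or of the Ansible project: a small audit for the layout described in the quoted list. It flags any `host_vars` file that carries `ansible_become_pass` in plaintext and checks that the vault passphrase file is readable only by its owner. The file names, sample contents and the permission check are assumptions made for the illustration.

```python
import os
import re
import stat
import tempfile

VAULT_HEADER = b"$ANSIBLE_VAULT;"  # first bytes of a fully vault-encrypted file
# A become password whose value is not an inline "!vault" block counts as plaintext.
PLAINTEXT_PASS = re.compile(rb"^\s*ansible_become_pass(word)?\s*:(?!\s*!vault)", re.M)

def audit_host_vars(root):
    """Return sorted (relative path, finding) pairs for files under root/host_vars."""
    findings = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, "host_vars")):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if data.startswith(VAULT_HEADER):
                continue  # whole file is encrypted, nothing readable to leak
            if PLAINTEXT_PASS.search(data):
                findings.append((os.path.relpath(path, root), "plaintext become password"))
    return sorted(findings)

def audit_vault_password_file(path):
    """Return a finding if group or others have any access to the passphrase file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return f"{path}: mode {mode:04o}, expected 0600" if mode & 0o077 else None

def demo():
    """Build a constructed inventory in a temp dir (all values made up) and audit it."""
    samples = {
        "web1": b"$ANSIBLE_VAULT;1.1;AES256\n3361626364\n",  # fully encrypted
        "db1": b"ansible_user: deploy_db1\nansible_port: 2222\n"
               b"ansible_become_pass: constructed-secret\n",  # plaintext password
        "app1": b"ansible_port: 2201\nansible_become_pass: !vault |\n"
                b"  $ANSIBLE_VAULT;1.1;AES256\n  3361\n",  # inline-encrypted value
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "host_vars"))
        for host, body in samples.items():
            with open(os.path.join(root, "host_vars", host), "wb") as fh:
                fh.write(body)
        pw = os.path.join(root, "vault_pass.txt")  # hypothetical file name
        with open(pw, "w") as fh:
            fh.write("constructed-passphrase\n")
        os.chmod(pw, 0o644)
        loose = audit_vault_password_file(pw)
        os.chmod(pw, 0o600)
        return audit_host_vars(root), loose, audit_vault_password_file(pw)

if __name__ == "__main__":
    print(demo())
```

Run against a real inventory by calling `audit_host_vars()` with the directory that contains `host_vars`, for example before each commit.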
