Apparently installing sudo is less of a risk, but we also take support into consideration, since sudo for AIX is considered open source software and will not be officially supported by IBM, which is required by my organization. I went through one of the articles <http://kairo.eti.br/aix-powervm-automation-with-ansible.html#distributing-keys> sourced from the AIX working group; the become plugin was recommended, which is a tool that leverages a privilege escalation command (sudo | su | pbrun | pfexec | doas | dzdo | ksu | runas | machinectl).
So now it leaves us with 2 options: 1. as our vendor proposed, to enable root login through SSH with no password, and authenticate with keys; 2. to rely on the Ansible become plugin with become method su (since sudo is not an option). With that, I would like to seek advice on which will be better in terms of security. Not sure whether this becomes an opinion-based question and a bit off topic though, but I appreciate any input. Thanks!

On Tuesday, 12 November 2019 23:54:08 UTC+8, Sam Doran wrote:
> Ansible does not need to log in as root. Most environments log in as a
> user account that has full sudo privileges.
>
> I would argue that installing sudo is less of a risk than allowing direct
> root login via ssh, but I have never administered an AIX environment.
>
> You could reach out to the AIX working group
> <https://github.com/ansible/community/wiki/AIX> and see if they are able
> to offer any guidance.
>
> ---
>
> Sam
