On 07/06/2021 13:32, Elkmar wrote:
Yep, Antony is right.
The idea is as follows: we have fileA and fileB. FileA is "signed" by me (for
example, it has a digital signature) and we can start it with the ansible-playbook
command. FileB doesn't have a signature, so it can't make any changes on remote hosts.
Is it possible?
I doubt that verifying the signature is a solution for preventing tampering ...
the user can simply ssh to the machine, for example.
Regards
Racke
Monday, 7 June 2021 at 13:49:28 UTC+3, Antony Stone:
On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:
> shell> cat test-003.yml
> - hosts: all
>   gather_facts: false
>   vars:
>     my_filename: test-003.yml
>     my_path: "{{ playbook_dir }}/{{ my_filename }}"
>     my_hash_path: "{{ my_path }}.sha1"
>     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
>   tasks:
>     - name: Test integrity of the playbook
>       block:
>         - stat:
>             path: "{{ my_path }}"
>             checksum_algorithm: sha1
>           register: result
>         - assert:
>             that: result.stat.checksum == my_hash
>       delegate_to: localhost
>       run_once: true
That's a good enough way of checking that the hash of the playbook in question
does match the stored hash, but...
> shell> sha1sum test-003.yml > test-003.yml.sha1
> shell> cat test-003.yml.sha1
> 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml
...means that it's trivial for someone to take a playbook, modify it, and
create a new hash file.
I interpret "signed" in the original question to mean something that cannot be
falsified by someone who is running the ansible commands.
Antony.
--
The more 'success' you get, the easier it is to be disappointed by not getting
things.
The only difference is that now no-one feels sorry for you.
- Matt Haig
Please reply to the list;
please *don't* CC me.
--
You received this message because you are subscribed to the Google Groups "Ansible
Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
[email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/8c93e9ff-5675-4847-b493-dabe145bac32n%40googlegroups.com
<https://groups.google.com/d/msgid/ansible-project/8c93e9ff-5675-4847-b493-dabe145bac32n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.
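A wrapper script illustrating Antony's distinction, added here as an example and not code from anyone in this thread: it runs a playbook only after a detached OpenPGP signature verifies against a pinned signer fingerprint in a dedicated keyring, so the private key never reaches the control node and the person running ansible-playbook cannot re-sign an edited file the way they can regenerate a .sha1 file. The keyring path, the PLAYBOOK_SIGNER_FPR placeholder and the .asc naming are assumptions; Racke's caveat still applies, since this gates ansible-playbook only, not direct ssh access.

```shell
#!/bin/sh
# Added example, not code from the thread. Runs a playbook only if a detached
# OpenPGP signature over it verifies against a pinned signer fingerprint held in
# a dedicated keyring. The signing (private) key never sits on the control node,
# so the person running ansible-playbook cannot re-sign an edited file the way
# they can rewrite a .sha1 file. Keyring path and fingerprint below are assumed.
set -eu

KEYRING="${PLAYBOOK_KEYRING:-/etc/ansible/trusted-playbook-signers.gpg}"   # assumed path
SIGNER_FPR="${PLAYBOOK_SIGNER_FPR:-0000000000000000000000000000000000000000}" # placeholder

# verify_playbook_signature <playbook> <signer-fingerprint>
# Succeeds only when <playbook>.asc is a good signature made by exactly that key.
verify_playbook_signature() {
    pb="$1"; want_fpr="$2"
    [ -f "$pb" ] && [ -f "$pb.asc" ] || return 1
    # Exit status 0 from 'gpg --verify' only means "good signature by some key in
    # the keyring"; read the machine-readable status lines and pin the fingerprint.
    status=$(gpg --batch --no-default-keyring --keyring "$KEYRING" --status-fd 1 \
                 --verify "$pb.asc" "$pb" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $want_fpr "
}

# run_signed_playbook <playbook> [ansible-playbook options...]
run_signed_playbook() {
    pb="$1"; shift
    if verify_playbook_signature "$pb" "$SIGNER_FPR"; then
        exec ansible-playbook "$pb" "$@"
    fi
    echo "refusing to run $pb: no valid signature from key $SIGNER_FPR" >&2
    return 1
}

# Invoked as a script: ./run-signed-playbook.sh site.yml -i inventory
if [ "$#" -gt 0 ]; then
    run_signed_playbook "$@"
fi
```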