In that situation, one best practice is still to use SSH key auth, to make that the *only* method of logging into the server (i.e. disallow password auth), and then to set up one or more passwordless sudo accounts.
Opinions on this vary but the idea is that key-only auth + otherwise tight security is sufficient to protect shell access, and at that point, passwordless sudo is an acceptable tradeoff to make scripting easier.

If you must use passwordful sudo and want the passwords stored in an encrypted fashion local to your fabfile, then I personally have no suggestions other than "it's just Python" :) There's lots of crypto libs out there with Python clients, so it comes down to what works best for your use case re: encrypting and then decrypting the password.

All that Fabric cares about is that at the time it's executing `sudo()`, `env.password` is a plaintext value it can echo back to the server's password prompt.

Best,
Jeff

On Fri, Apr 27, 2012 at 2:14 PM, JA <[email protected]> wrote:
> Hi Jeff;
>
> The issue is that I need to have a method to store sudo passwords that
> are encrypted. SSH keys will not get around this.
>
> Any ideas would be greatly appreciated!
>
>
> On Fri, Apr 27, 2012 at 3:22 PM, Jeff Forcier <[email protected]> wrote:
>> Hi J,
>>
>> env.password is a "lowest common denominator" method of preserving
>> passwords you'd otherwise enter by hand. It's not designed for
>> anything greater.
>>
>> If you want to start getting security conscious, the best practice is
>> to use SSH private key authentication. Then you simply stop using
>> env.password entirely and rely on distributing SSH keypair(s) to your
>> users/servers.
>>
>> Fabric will load SSH agents and private keys stored in user home
>> directories by default, and can be told to load additional keys with
>> the -i flag or the env.key_filename settings -- check the docs for
>> details.
>>
>> Best,
>> Jeff
>>
>> On Fri, Apr 27, 2012 at 9:46 AM, JA <[email protected]> wrote:
>>> Hi Everyone;
>>>
>>> I am looking for suggestions for the best way to handle passwords in
>>> fabfiles. Specifically, I would like to be able to generate a password
>>> hash of the user's sudo password and store this in the fabfile
>>> (env.password)
>>>
>>> Has anyone done this? Any suggestions? :)
>>>
>>> Thanks!
>>> J
>>>
>>> _______________________________________________
>>> Fab-user mailing list
>>> [email protected]
>>> https://lists.nongnu.org/mailman/listinfo/fab-user
>>
>>
>>
>> --
>> Jeff Forcier
>> Unix sysadmin; Python/Ruby engineer
>> http://bitprophet.org

--
Jeff Forcier
Unix sysadmin; Python/Ruby engineer
http://bitprophet.org
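
Added example (not part of the original thread and not Fabric code): a check that an `sshd_config` actually enforces the key-only login recommended in the reply above, including the first-value-wins rule and `Match` block overrides. The function name and the sample config are constructed for illustration; `Include` files and `AuthenticationMethods` are assumed absent and are not evaluated.

```python
# Added example: audit sshd_config text for key-only login (stdlib only).
DEFAULTS = {  # OpenSSH defaults when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older configs use the previous name for keyboard-interactive auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
WANTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
}

SAMPLE = """\
# constructed sample, not taken from a real host
PasswordAuthentication no
PasswordAuthentication yes      # ignored: first value wins
ChallengeResponseAuthentication no
Match User legacy
    PasswordAuthentication yes
"""


def audit_sshd_config(text):
    """Return findings; empty means password logins off, pubkey auth on."""
    effective, findings, match = {}, [], None
    for raw in text.splitlines():
        # Drop comments, accept "Key value" and "Key=value".
        parts = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = " ".join(parts[1:])
        if key == "match":          # later lines apply only to this block
            match = value
        elif key in WANTED and match is None:
            effective.setdefault(key, value)   # sshd keeps the first value
        elif key in WANTED and value != WANTED[key]:
            findings.append(f"Match {match}: {key} {value}")
    for key, wanted in WANTED.items():
        actual = effective.get(key, DEFAULTS[key])
        if actual != wanted:
            findings.append(f"global: {key} is {actual}, want {wanted}")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE):
        print(finding)
```

On a live host, `sshd -T` prints the effective configuration and remains the authoritative check; this function is for reviewing config files before they are deployed.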
