Re: [ansible-project] Opportunity to use signed playbook.

2021-06-07 Thread Stefan Hornburg (Racke)

On 07/06/2021 13:32, Elkmar wrote:

Yep, Antony is right.
The idea is as follows: we have fileA and fileB. FileA is "signed" by me (for 
example has digital signature) and we can start it with ansible-playbook command. FileB 
doesn't have signature so it can't do any changes on remote hosts. Is it possible?


I doubt that verifying the signature is a solution for preventing tampering ... 
the user simply can ssh to the machine for example.

Regards
  Racke



On Monday, 7 June 2021 at 13:49:28 UTC+3, Antony Stone:

On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:

 > shell> cat test-003.yml
 > - hosts: all
 >   gather_facts: false
 >   vars:
 >     my_filename: test-003.yml
 >     my_path: "{{ playbook_dir }}/{{ my_filename }}"
 >     my_hash_path: "{{ my_path }}.sha1"
 >     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
 >   tasks:
 >     - name: Test integrity of the playbook
 >       block:
 >         - stat:
 >             path: "{{ my_path }}"
 >             checksum_algorithm: sha1
 >           register: result
 >         - assert:
 >             that: result.stat.checksum == my_hash
 >       delegate_to: localhost
 >       run_once: true

That's a good enough way of checking that the hash of the playbook in question
does match the stored hash, but...

 > shell> sha1sum test-003.yml > test-003.yml.sha1
 > shell> cat test-003.yml.sha1
 > 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml

...means that it's trivial for someone to take a playbook, modify it, and
create a new hash file.

I interpret "signed" in the original question to mean something that cannot be
falsified by someone who is running the ansible commands.


Antony.

-- 
The more 'success' you get, the easier it is to be disappointed by not getting

things.
The only difference is that now no-one feels sorry for you.

- Matt Haig

Please reply to the list;
please *don't* CC me.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8c93e9ff-5675-4847-b493-dabe145bac32n%40googlegroups.com.



--
Ecommerce and Linux consulting + Perl and web application programming.
Debian and Sympa administration.



Re: [ansible-project] Opportunity to use signed playbook.

2021-06-07 Thread Vladimir Botka
On Mon, 7 Jun 2021 12:48:57 +0200
Antony Stone wrote:

> I interpret "signed" in the original question to mean something that cannot 
> be 
> falsified by someone who is running the ansible commands.

Locally, you might want to set the ownership and the permissions as
appropriate. Use get_url if the signatures are stored remotely 
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/get_url_module.html

-- 
Vladimir Botka





Re: [ansible-project] Opportunity to use signed playbook.

2021-06-07 Thread Elkmar
Yep, Antony is right.
The idea is as follows: we have fileA and fileB. FileA is "signed" by me 
(for example has digital signature) and we can start it with 
ansible-playbook command. FileB doesn't have signature so it can't do any 
changes on remote hosts. Is it possible?

On Monday, 7 June 2021 at 13:49:28 UTC+3, Antony Stone:

> On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:
>
> > shell> cat test-003.yml
> > - hosts: all
> >   gather_facts: false
> >   vars:
> >     my_filename: test-003.yml
> >     my_path: "{{ playbook_dir }}/{{ my_filename }}"
> >     my_hash_path: "{{ my_path }}.sha1"
> >     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
> >   tasks:
> >     - name: Test integrity of the playbook
> >       block:
> >         - stat:
> >             path: "{{ my_path }}"
> >             checksum_algorithm: sha1
> >           register: result
> >         - assert:
> >             that: result.stat.checksum == my_hash
> >       delegate_to: localhost
> >       run_once: true
>
> That's a good enough way of checking that the hash of the playbook in question
> does match the stored hash, but...
>
> > shell> sha1sum test-003.yml > test-003.yml.sha1
> > shell> cat test-003.yml.sha1
> > 9762fde5aa52f72dfcf064fa3062fd41540573af test-003.yml
>
> ...means that it's trivial for someone to take a playbook, modify it, and 
> create a new hash file.
>
> I interpret "signed" in the original question to mean something that cannot be
> falsified by someone who is running the ansible commands.
>
>
> Antony.
>
> -- 
> The more 'success' you get, the easier it is to be disappointed by not 
> getting 
> things.
> The only difference is that now no-one feels sorry for you.
>
> - Matt Haig
>
> Please reply to the list;
> please *don't* CC me.
>



Re: [ansible-project] Opportunity to use signed playbook.

2021-06-07 Thread Antony Stone
On Monday 07 June 2021 at 12:44:23, Vladimir Botka wrote:

> shell> cat test-003.yml
> - hosts: all
>   gather_facts: false
>   vars:
>     my_filename: test-003.yml
>     my_path: "{{ playbook_dir }}/{{ my_filename }}"
>     my_hash_path: "{{ my_path }}.sha1"
>     my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
>   tasks:
>     - name: Test integrity of the playbook
>       block:
>         - stat:
>             path: "{{ my_path }}"
>             checksum_algorithm: sha1
>           register: result
>         - assert:
>             that: result.stat.checksum == my_hash
>       delegate_to: localhost
>       run_once: true

That's a good enough way of checking that the hash of the playbook in question 
does match the stored hash, but...

> shell> sha1sum test-003.yml > test-003.yml.sha1
> shell> cat test-003.yml.sha1
> 9762fde5aa52f72dfcf064fa3062fd41540573af  test-003.yml

...means that it's trivial for someone to take a playbook, modify it, and 
create a new hash file.

I interpret "signed" in the original question to mean something that cannot be 
falsified by someone who is running the ansible commands.


Antony.

-- 
The more 'success' you get, the easier it is to be disappointed by not getting 
things.
The only difference is that now no-one feels sorry for you.

 - Matt Haig

Please reply to the list;
please *don't* CC me.
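Antony's objection above (whoever can edit the playbook can also regenerate the .sha1 file next to it) and Racke's caveat earlier in the thread (the check only gates ansible-playbook, not a user who can ssh to the hosts directly) point at what a usable gate looks like: a detached OpenPGP signature over the playbook, verified against a keyring the operator controls and the runner cannot write to, inside a wrapper that refuses to start ansible-playbook otherwise. The wrapper below is an added example written for this page, not code from the thread or from the Ansible project. The keyring path /etc/ansible/trusted-signers.kbx, the playbook.yml.asc naming convention and the function names are assumptions. It does not answer Racke's point: if the same account holds the SSH keys for the managed hosts, nothing here stops it from bypassing Ansible altogether, so the signing key and the SSH credentials have to live with different people.

```sh
#!/bin/sh
# Added example (not from the thread): run a playbook only if its detached
# OpenPGP signature verifies against a keyring the operator controls.
# Assumptions: gpg and ansible-playbook are on PATH; trusted public keys live
# in $TRUSTED_KEYRING (hypothetical default path below); the signature for
# playbook.yml is stored beside it as playbook.yml.asc.
set -eu

TRUSTED_KEYRING="${TRUSTED_KEYRING:-/etc/ansible/trusted-signers.kbx}"

# verify_playbook FILE
# Returns 0 only when FILE.asc is a good signature over FILE made by a key that
# is present in $TRUSTED_KEYRING. The default keyring is disabled on purpose:
# a user who can import keys into their own ~/.gnupg must not be able to turn
# an arbitrary playbook into a "signed" one.
verify_playbook() {
    playbook="$1"
    sig="${playbook}.asc"

    if [ ! -f "$playbook" ]; then
        echo "verify_playbook: no such playbook: $playbook" >&2
        return 1
    fi
    if [ ! -f "$sig" ]; then
        echo "verify_playbook: missing signature $sig; refusing to run" >&2
        return 1
    fi
    if [ ! -r "$TRUSTED_KEYRING" ]; then
        echo "verify_playbook: trusted keyring $TRUSTED_KEYRING not readable" >&2
        return 1
    fi

    # --no-default-keyring plus --keyring pins the trust anchor to one file;
    # --trust-model always treats membership in that file as the policy, so
    # no web-of-trust state from the runner's home directory is consulted.
    gpg --batch --quiet \
        --no-default-keyring --keyring "$TRUSTED_KEYRING" \
        --trust-model always \
        --verify "$sig" "$playbook" 2>/dev/null
}

# run_signed_playbook FILE [ansible-playbook args...]
# Fails closed: ansible-playbook is only exec'd after the signature verifies.
run_signed_playbook() {
    playbook="$1"
    shift
    verify_playbook "$playbook" || return 1
    exec ansible-playbook "$playbook" "$@"
}

# Invoked as a script: ./run-signed-playbook.sh site.yml -i inventory.ini
if [ "$#" -gt 0 ]; then
    run_signed_playbook "$@"
fi
```

Sign on a trusted workstation with "gpg --armor --detach-sign site.yml" (which writes site.yml.asc), import the signer's public key into the pinned keyring with "gpg --no-default-keyring --keyring /etc/ansible/trusted-signers.kbx --import signer.asc", and make that keyring root-owned and read-only for the users who run the wrapper. A missing signature, an unreadable keyring or a signature from a key outside the keyring all stop before ansible-playbook is started; regenerating the signature file, the move Antony describes for the .sha1 case, needs the signer's private key, which the runner does not hold.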


Re: [ansible-project] Opportunity to use signed playbook.

2021-06-07 Thread Vladimir Botka
On Mon, 7 Jun 2021 02:48:39 -0700 (PDT)
Elkmar wrote:

> ... check a playbook authenticity before execution

For example

shell> cat test-003.yml
- hosts: all
  gather_facts: false
  vars:
    my_filename: test-003.yml
    my_path: "{{ playbook_dir }}/{{ my_filename }}"
    my_hash_path: "{{ my_path }}.sha1"
    my_hash: "{{ (lookup('file', my_hash_path).split()).0 }}"
  tasks:
    - name: Test integrity of the playbook
      block:
        - stat:
            path: "{{ my_path }}"
            checksum_algorithm: sha1
          register: result
        - assert:
            that: result.stat.checksum == my_hash
      delegate_to: localhost
      run_once: true

shell> sha1sum test-003.yml > test-003.yml.sha1
shell> cat test-003.yml.sha1
9762fde5aa52f72dfcf064fa3062fd41540573af  test-003.yml
shell> ansible-playbook test-003.yml

PLAY [all] ****************************************************************

TASK [stat] ***************************************************************
ok: [test_11]

TASK [assert] *************************************************************
ok: [test_11] => changed=false
  msg: All assertions passed


If the hash differs the playbook will fail.

TASK [assert] *************************************************************
fatal: [test_11]: FAILED! => changed=false
  assertion: result.stat.checksum == my_hash
  evaluated_to: false
  msg: Assertion failed

-- 
Vladimir Botka


