You can create encrypted passwords with Ansible playbooks and use it. You need to pass  --extra-vars  variable to ansible-playbook. Let us see two different methods to deal with sudo password.

The syntax is:

ansible-playbook -i inventory my.yml \
--extra-vars 'ansible_become_pass=YOUR-PASSWORD-HERE'



From the security perspective typing password at the CLI argument is not a good idea. Hence, you can force ansible-playbook to ask for the password:

ansible-playbook --ask-sudo-pass -i inventory my.yml


Here is my sample inventory file:

[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
ansible_user=vyga# ssh login user
ansible_become=yes  # use sudo 
ansible_become_method=sudo 
[cluster]
www1
www2
www3
db1
db2
cache1
cache2


Here is my my.yml file:

---
- hosts: cluster
  tasks:
          - name: Updating host using apt
            apt:
                    update_cache: yes
                    upgrade: dist
          - name: Update kernel to spefic version
            apt:
                    name: "{{ k_ver }}"
                    state: latest
          - name: Clean unwanted olderstuff
            apt:
                    autoremove: yes
                    purge: yes


I ran the command as follows:

ansible-playbook --ask-become-pass -i inventory my.yml

 

How to store and use sudo passwed in a vault (method # 2)

First, update your inventory file as follows:

[cluster:vars]
k_ver="linux-image-4.13.0-26-generic"
ansible_user=vyga# ssh login user
ansible_become=yes  # use sudo 
ansible_become_method=sudo 
ansible_become_pass='{{ my_cluser_sudo_pass }}'
[cluster]
www1
www2
www3
db1
db2
cache1
cache2

Next create a new encrypted data file named password.yml, run the following command:


$ ansible-vault create passwd.yml

Set the password for vault. After providing a password, the tool will start whatever editor you have defined with $EDITOR. Append the following


my_cluser_sudo_pass: your_sudo_password_for_remote_servers



Save and close the file in vi/vim. Finally run playbook as follows:


$ ansible-playbook -i inventory --ask-vault-pass --extra-vars '@passwd.yml' my.yml



How to edit my encrypted file again

ansible-vault edit passwd.yml


How to change the password for my encrypted file

ansible-vault rekey passwd.yml


Disable sudo login without password on all remote servers

Login to your remote box:


sudo -i

Make sure vyga user is part of sudo/wheel group that allowed to sudo using id command:


id vyga

Edit sudo config file using the visudo command:


sudo visudo

Make sure following line deleted or commented out:


vyga ALL=(ALL) NOPASSWD:ALL

Save and close the file.

 

Byla tato odpověď nápomocná? 1 Uživatelům pomohlo (1 Hlasů)