You can create encrypted passwords with Ansible playbooks and use it. You need to pass --extra-vars variable to ansible-playbook. Let us see two different methods to deal with sudo password.
The syntax is:
ansible-playbook -i inventory my.yml \
--extra-vars 'ansible_become_pass=YOUR-PASSWORD-HERE'
From the security perspective typing password at the CLI argument is not a good idea. Hence, you can force ansible-playbook to ask for the password:
ansible-playbook --ask-sudo-pass -i inventory my.yml
Here is my sample inventory file:
[cluster:vars] k_ver="linux-image-4.13.0-26-generic" ansible_user=vyga# ssh login user ansible_become=yes # use sudo ansible_become_method=sudo [cluster] www1 www2 www3 db1 db2 cache1 cache2
Here is my my.yml file:
--- - hosts: cluster tasks: - name: Updating host using apt apt: update_cache: yes upgrade: dist - name: Update kernel to spefic version apt: name: "{{ k_ver }}" state: latest - name: Clean unwanted olderstuff apt: autoremove: yes purge: yes
I ran the command as follows:
ansible-playbook --ask-become-pass -i inventory my.yml
How to store and use sudo passwed in a vault (method # 2)
First, update your inventory file as follows:
[cluster:vars] k_ver="linux-image-4.13.0-26-generic" ansible_user=vyga# ssh login user ansible_become=yes # use sudo ansible_become_method=sudo ansible_become_pass='{{ my_cluser_sudo_pass }}' [cluster] www1 www2 www3 db1 db2 cache1 cache2
Next create a new encrypted data file named password.yml, run the following command:
$ ansible-vault create passwd.yml
Set the password for vault. After providing a password, the tool will start whatever editor you have defined with $EDITOR. Append the following
my_cluser_sudo_pass: your_sudo_password_for_remote_servers
Save and close the file in vi/vim. Finally run playbook as follows:
$ ansible-playbook -i inventory --ask-vault-pass --extra-vars '@passwd.yml' my.yml
How to edit my encrypted file again
ansible-vault edit passwd.yml
How to change the password for my encrypted file
ansible-vault rekey passwd.yml
Disable sudo login without password on all remote servers
Login to your remote box:
sudo -i
Make sure vyga user is part of sudo/wheel group that allowed to sudo using id command:
id vyga
Edit sudo config file using the visudo command:
sudo visudo
Make sure following line deleted or commented out:
vyga ALL=(ALL) NOPASSWD:ALL
Save and close the file.