Is it insecure to have an ansible user with passwordless sudo?

Solution 1

If the service account can do passwordless sudo, then you have to protect access to that account.

Having the account not have a password, and using only ssh keys to log in to it, accomplishes this, provided you can keep the ssh private key secure as well.

Solution 2

The new user created in (2) can only log in with the SSH key, no password. The SSH key gives indirect root access. So this is equivalent to just allowing root login with a key.

As the account doesn't have a password, it is not possible to have sudo ask for a password. Also Ansible needs to be able to execute commands. Having an additional password to provide at the same place as the key would not increase security.

Solution 3

The problem is that Ansible is for administrators and automation, so having to enter a password to run a script is not really the best way. Also, it's not secure to store the password for sudo in a file or database and have Ansible get it every time it runs the playbook. So the combination of passwordless sudo and authentication with SSH keys is the best method to ensure security and no rights problems when running the playbook. Also, you are an administrator and know what you are programming in the playbook. So the playbook cannot destroy your servers.

Author by

lonix

Updated on September 18, 2022

Comments

  • lonix
    lonix over 1 year

    I'm new to Ansible. Most VPS provisioning guides I've seen so far do this:

    1. disable root from logging in
    2. create a new user who can only log in with ssh (not password)
    3. add the new user to the wheel group, with passwordless sudo permission

    I understand (1) and (2), but not (3).

    Surely passwordless sudo is just like logging in as root? I understand the benefit (convenience), but isn't this highly insecure?

    I realise that admins run their networks in various ways, and so this could be said to be "subjective", but this is a VERY common practice, it's even shown in various official ansible docs as well as guides published by hosting companies. It goes against common sense. What is the logic behind it?

    • Axel
      Axel over 4 years
      Ansible is intended for automating administrative tasks, so it generally needs top-level (root) access, hence "passwordless sudo". If you only need it to run a subset of the commands available on your system though, you can lock it down to just those commands with a more detailed sudo configuration. Passwordless sudo does not necessarily mean access to everything root can do (though this becomes difficult to enforce when you realise the user can potentially modify your sudo config via sudo to give themselves greater control...).
    • lonix
      lonix over 4 years
      @DavidSpillett I was wondering about that - i.e. defining which sudo commands to allow in the sudoers file... but I read somewhere that ansible does everything by interpreting via complex python commands, and that that approach would get messy fast.
  • lonix
    lonix over 4 years
    So I'm "sort of" right in feeling perturbed by this convention - and yet, this is the convention for ansible, out of necessity/pragmatism.
  • lonix
    lonix over 4 years
    So you're saying that I essentially "move" core security from the VPS to my local system, which contains the ansible account's ssh key? In which case, the weak point is not the VPS itself, rather, it's me! And I need to be extra vigilant in protecting that ssh key, in exchange for the convenience that ansible automation gives me.
  • John Mahowald
    John Mahowald over 4 years
    Playbooks can destroy your systems, but if you use separate test-environment-only keys, that will not destroy the production hosts.
  • John Mahowald
    John Mahowald over 4 years
    ssh key, passphrase protected with ssh-agent, is a reasonably good credential.
  • NicoKlaus
    NicoKlaus over 4 years
    Exactly, this is hopefully a prerequisite when working on productive systems.
  • Zoredache
    Zoredache over 4 years
    Ansible has 'ansible-vault', and plugins/modules/libraries that permit storing of secrets in many 3rd party secret storage systems like Bitwarden, HashiCorp Vault, KeePass, etc.
  • Giacomo Alzetta
    Giacomo Alzetta over 4 years
    @lonix All secured systems need credentials. Secured systems are at most as secure as the measures you put in securing these credentials, since having those gives 100% access to them. So yes, you cannot expect to secure your VPS if you don't properly secure your SSH key (or root password or whatever). The fact that you configure passwordless sudo means nothing from this point of view; enabling sudo with a password doesn't change the fact that it is essential that you secure the SSH key.
  • lonix
    lonix over 4 years
    @GiacomoAlzetta I know that, what I meant above is that the responsibility is being shifted from the remote to the local machine. Since sudo escalation is done without password, the weak point becomes local.
  • Jim L.
    Jim L. over 4 years
    @lonix > "the weak point is not the VPS itself, rather, it's me!" This is true in all cases, anyway. The weakest link in creating a secure system is usually the administrator. But that's a good, empowering statement. As your skills and practices improve, your security improves along with it. The level of security you achieve is directly under your own control.
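
The point raised in the comments about restricting sudo to specific commands, and how hard that is to enforce, can be checked mechanically: this added Python example (not from the thread or from Ansible) parses simplified sudoers rules and reports NOPASSWD grants that amount to unrestricted root, including a "restricted" rule that still allows an interpreter. The `ROOT_EQUIVALENT` list, the function name and the sample rules are assumptions made for the illustration.

```python
import os
import re

# Binaries that give a root shell or can rewrite /etc/sudoers when run as
# root. Illustrative list chosen for this example, not exhaustive.
ROOT_EQUIVALENT = {"sh", "bash", "python", "python3", "visudo",
                   "vi", "vim", "nano", "tee", "cp"}

# who host=(runas) tags-and-commands; simplified: no aliases, no line
# continuations, no include directives.
SPEC = re.compile(r"^(\S+)\s+\S+?\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_sudoers(text):
    """Return (line number, grantee, command) for each NOPASSWD grant that
    amounts to unrestricted root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        spec = SPEC.match(line)
        if not spec:
            continue
        who, rest = spec.groups()
        nopasswd = False
        for item in rest.split(","):
            item = item.strip()
            # A tag applies to its command and to the ones that follow it.
            while (tag := TAG.match(item)):
                if tag[1] in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag[1] == "NOPASSWD"
                item = item[tag.end():]
            if not nopasswd or not item or item.startswith("!"):
                continue
            cmd = item.split()[0]
            if cmd == "ALL" or os.path.basename(cmd) in ROOT_EQUIVALENT:
                findings.append((lineno, who, cmd))
    return findings

# Constructed sample, not taken from any real host.
SAMPLE = """\
Defaults env_reset
ansible ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/python3
backup  ALL=(root) /usr/bin/rsync
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```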