It says: work on the file in the given path. Sudo commands on the other machine as well.Īnsible playbook to set passwordless sudo (We could use the -K and then it would ask for a password again, but instead of that we'd like to allow passwordless One machine where we changed the sudoers file worked as expected, the other one without the passwordless access We can now log out again and on the management machine run the ansible command again with -b but without -K So we wanted to make sure we can use sudo because of the change in the sudoers file and not because of this grace period. We needed to logout and login again for the verification because normally even if sudo requires a password it retains the access rights for a few minutes or until you log out. In order to verify that it works properly log out from the server (e.g. # See sudoers(5) for more information on "#include" directives: # Allow members of group sudo to execute any command # Members of the admin group may gain root privileges # See the man page for details on how to write a sudoers file.ĭefaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Please consider adding local content in /etc/sudoers.d/ instead of # This file MUST be edited with the 'visudo' command as root. The default version of file looks like this: It will ask for your password and then open the default editor which happens to be nano these days. Hence it is strongly recommended that you use the visudo command that will validate the syntax of the file before you save it. You can also edit the file with any editor, but if you save an incorrectly formatted version, you can easily lock yourself out from user root. It can be edited manually using the visudo command or we can ask Ansible to edit it. Who can run sudo command, what are theses command and whether password is required is controlled in the /etc/suduers file. Anyone who can access this machine would be able to control the remote servers. In this case we need to protect the user account of the manager machine that has its public ssh-key installed on the remote server. Instead we can configure the the remote user we use to be able to execute all, or certain commands using sudo even without supplying a password. Telling ansible ask for the password has the security advantage that only people who know what is the password can execute codeīut it can be a bit inconvenient on the long run. I guess if the passwords were different on the two machines then it will notice this and ask for the other password as well. It asks for the SUDO password and then uses that on both machines. $ ansible -i inventory.cfg all -a "grep ^root: /etc/shadow" -b -K We can use the -K or -ask-become-pass flag to tell Ansible to ask for the sudo password. "module_stdout": "sudo: a password is required\r\n", It tries to use sudo but fails because sudo needs a password. $ ansible -i inventory.cfg all -a "grep ^root: /etc/shadow" -b The "other" can be configured, but defaults to root which is rather convenient. Only user root can read the /etc/shadow file.Īdding the -b or -become flag tells Ansible to become another user on the remote server. Grep: /etc/shadow: Permission deniednon-zero return code $ ansible -i inventory.cfg all -a "grep ^root: /etc/shadow" The point is, that only user root has the rights to do this. We just want to display the information about user root in the /etch/shadow file using grep. This is not very sophisticated or useful command. Let's check if we can use Ansible at all. We are running on our manager machine as user foo and we are accessing the remote machine as user foo. We can login as an unprivileged user and then use sudo without providing a password.Īnsible_python_interpreter=/usr/bin/python3 We can login as an unprivileged user and then use sudo after providing the password of the user. We can log in to the remote server as user root using ssh keys. We can log in to the remote server as user root providing password on each login. Some of our options to execute commands as root
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |