There's a few options. You can do a 'pre-seed' ssh key (added via Kickstart on in the VMware template; on AWS you'd add this as the instance is created). Ansible can use that to get in initially once the server is up and create more users/groups as desired. Another option would be a central key system like FreeIPA (Redhat do their own flavour with commercial support).
I've used both approaches and they work pretty well, but they won't really help you on an existing site. Typically on those you already have some form of remote access setup (how else are you managing the servers)? In that event, I'd allow existing admins to use their own personal accounts and grant them (ideally passwordless) sudo privileges. That way you get an audit trail 'for free' and can easily revoke a given admins privileges (a bit harder with a shared 'special' account). Essentially, Ansible as a 'power tool' to run over SSH, but respect all the security restrictions a typical SSH user would have, is a pretty easy sell to most big corps (compared to the Chef/Puppet approach of a god-level agent that wakes up every 30 minutes and potentially wreaks havoc). I'd generally suggest giving 'full' sudo access, not specific commands; for Ansible to work it needs to run Python and once you have that, you're generally able to do whatever you want to the server anyway. As I said, you still get to see what each user is up to in whatever central logging solution you have (provided you're shipping /var/log/secure somehow). On 19 June 2017 at 22:08, Chris Jefferies <ch...@freeranger.com> wrote: > Hello. > > I'm looking around for a best practice tutorial or document that describes > how to configure our ansible server to deploy our applications to about 20 > servers at a time. We call this group of servers a track. We have a > growing number of tracks. > > So I got Ansible installed but now I want to know how best to deploy keys to > the 20 remote hosts. How do I automate the secure deployment of ssh keys to > these hosts? > > I see notes about how to set up user security for remote hosts but those > are, as far as I can tell, assuming initial connectivity has been > established. > > Also, one of my work mates indicates that a secure remote host should have a > user (ansible perhaps?) with restricted access that can only execute > specific commands. I assume this happens by configuring the sudoers file. > If we go there, it seems I need to allow specific applications like yum, > python, file copies, etc for the ansible user. > > So it seems to be a chicken and egg problem and now we're back to lots of > pre-configuring each agentless host so that I can deploy apps and configs > from a central ansible server. > > > How is everyone dispensing ssh keys and setting up ansible users so that we > can have a secure and a not too tedious set up process. > > BTW, our setup is mainly Redhat 6.x and 7. > > Thanks in advance for any tips, > Chris. > > -- > You received this message because you are subscribed to the Google Groups > "Ansible Project" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ansible-project+unsubscr...@googlegroups.com. > To post to this group, send email to ansible-project@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/ansible-project/c035d0c8-952f-4046-8f0f-d54b0ed37310%40googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscr...@googlegroups.com. To post to this group, send email to ansible-project@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAK5eLPR%2BmHzbuXTFB%3DmG4ay1X0DBHUZivVLyF49M2oXn4coU6A%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
