Linux Format

PRIVILEGES WITHOUT PASSWORDS


When running Ansible playbooks as cron jobs or from systemd unit files, entering a password when prompted is not possible. This can be mitigated by editing the sudoers file on the Managed Node. When doing so, it is imperative that the visudo command is used, rather than simply editing the file with any text editor. When visudo saves the file, syntax checking is carried out to ensure the file is not left in a broken state; a broken sudoers file could cost us all root access to the node. At the terminal of the Managed Node, enter sudo touch /etc/sudoers.d/ansible-user && sudo visudo -f /etc/sudoers.d/ansible-user and add the following line:

ansible-user ALL=(ALL) NOPASSWD:ALL

Now, save the file and close the editor. Test that this has worked as expected by running a command with sudo – a password should no longer be required.

Switching off SSH access via a password helps to restore some of the security given up by allowing the ansible-user account to elevate to root without a password. To carry this out, log in to the Managed Node as a user that is able to run root commands and change directory with cd /etc/ssh/sshd_config.d . Now create a new file using sudo nano ansibleUserPasswordLoginDisable.conf . Once Nano has opened the file, add the following contents before saving the file with Ctrl+O > Enter > Ctrl+X:

Match User ansible-user
PasswordAuthentication no

Now restart the SSH daemon by entering sudo systemctl restart sshd . This can then be tested by trying to connect to the server via SSH using ssh ansible-user@MANAGED_NODE_IP_ADDRESS . This should return an authentication error message showing that a cryptographic key has not been used.
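The drop-in above only works if the Match line and the PasswordAuthentication directive sit on separate lines: sshd treats everything after Match as criteria, and PasswordAuthentication is not a valid criterion, so a flattened one-line version stops the daemon from starting. The following added example (not from the article) is a small offline evaluator of sshd's Match semantics that catches that mistake and shows who the setting applies to; it handles Match User only, does not follow Include, and the sample fragments are constructed.

```python
import shlex

# Criteria sshd accepts on a Match line (see sshd_config(5)).
MATCH_CRITERIA = {"user", "group", "host", "localaddress", "localport",
                  "rdomain", "address", "all"}


def parse_sshd_config(text):
    """Return (globals, match_blocks); globals keep the first value seen, as sshd does."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = shlex.split(line)
        if key.lower() == "match":
            crit = {}
            for name, value in zip(args[0::2], args[1::2]):
                if name.lower() not in MATCH_CRITERIA:  # e.g. PasswordAuthentication
                    raise ValueError(f"Unsupported Match attribute {name!r}")
                crit[name.lower()] = value.split(",")
            current = (crit, {})
            blocks.append(current)
        elif current is None:
            globals_.setdefault(key.lower(), " ".join(args))
        else:
            current[1].setdefault(key.lower(), " ".join(args))
    return globals_, blocks


def effective_password_auth(text, user):
    """Effective PasswordAuthentication for user ('yes'/'no'); sshd's default is 'yes'."""
    globals_, blocks = parse_sshd_config(text)
    for crit, directives in blocks:
        # Only Match User is evaluated offline; blocks with other criteria are skipped.
        if set(crit) - {"user"} or ("user" in crit and user not in crit["user"]):
            continue
        if "passwordauthentication" in directives:  # first matching block wins
            return directives["passwordauthentication"].lower()
    return globals_.get("passwordauthentication", "yes").lower()


def config_parses(text):
    """True if the fragment passes the Match-line checks above."""
    try:
        return parse_sshd_config(text) is not None
    except ValueError:
        return False


# Constructed samples: the drop-in written correctly, and run together on one line.
DROP_IN_OK = "Match User ansible-user\n    PasswordAuthentication no\n"
DROP_IN_BROKEN = "Match User ansible-user PasswordAuthentication no\n"
```

On the Managed Node itself the authoritative check is sshd -T -C user=ansible-user, which prints the effective configuration for that user without restarting the daemon.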
