![]() # This file MUST be edited with the 'visudo' command as root. The default version of file looks like this: It will ask for your password and then open the default editor which happens to be nano these days. Hence it is strongly recommended that you use the visudo command that will validate the syntax of the file before you save it. You can also edit the file with any editor, but if you save an incorrectly formatted version, you can easily lock yourself out from user root. ![]() It can be edited manually using the visudo command or we can ask Ansible to edit it. Who can run sudo command, what are theses command and whether password is required is controlled in the /etc/suduers file. Anyone who can access this machine would be able to control the remote servers. ![]() In this case we need to protect the user account of the manager machine that has its public ssh-key installed on the remote server. Instead we can configure the the remote user we use to be able to execute all, or certain commands using sudo even without supplying a password. Telling ansible ask for the password has the security advantage that only people who know what is the password can execute codeīut it can be a bit inconvenient on the long run. I guess if the passwords were different on the two machines then it will notice this and ask for the other password as well. It asks for the SUDO password and then uses that on both machines. $ ansible -i inventory.cfg all -a "grep ^root: /etc/shadow" -b -K We can use the -K or -ask-become-pass flag to tell Ansible to ask for the sudo password. "module_stdout": "sudo: a password is required\r\n", It tries to use sudo but fails because sudo needs a password. $ ansible -i inventory.cfg all -a "grep ^root: /etc/shadow" -b The "other" can be configured, but defaults to root which is rather convenient. Only user root can read the /etc/shadow file.Īdding the -b or -become flag tells Ansible to become another user on the remote server. Grep: /etc/shadow: Permission deniednon-zero return code $ ansible -i inventory.cfg all -a "grep ^root: /etc/shadow" The point is, that only user root has the rights to do this. We just want to display the information about user root in the /etch/shadow file using grep. This is not very sophisticated or useful command. Let's check if we can use Ansible at all. We are running on our manager machine as user foo and we are accessing the remote machine as user foo. We can login as an unprivileged user and then use sudo without providing a password.Īnsible_python_interpreter=/usr/bin/python3 We can login as an unprivileged user and then use sudo after providing the password of the user. We can log in to the remote server as user root using ssh keys. We can log in to the remote server as user root providing password on each login. Some of our options to execute commands as root
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |