Ansible should ask for sudo password for all users in a playbook #1227

Closed

dferrin opened this issue Oct 4, 2012 · 18 comments
@dferrin dferrin commented Oct 4, 2012

Let me present you the following example:

sandbox.yml playbook:

```yaml
- hosts: backup
  sudo: True
  sudo_user: david
  gather_facts: False
- hosts: main
  sudo: True
  sudo_user: foofoo
  gather_facts: False
```

When I run `ansible-playbook sandbox.yml -K`

It correctly asks me for the first sudo password but then when it reaches the second playbook with the host main it hangs because it tries to apply the first specified sudo password to foofoo@main.

Thanks.

@mpdehaan mpdehaan (Contributor) commented Oct 4, 2012

do you mean instead 'should ask for sudo user password for all users in the playbook?'

@dferrin dferrin (Author) commented Oct 4, 2012

Yes. Sorry.

@mpdehaan mpdehaan (Contributor) commented Oct 4, 2012

no problem. This will probably be in the 0.9 release

@dferrin dferrin (Author) commented Oct 5, 2012

Also, could it be possible to add a sudo_ask_pass option to the playbooks?

```yaml
- hosts: main
  sudo: True
  sudo_user: foofoo
  sudo_ask_pass: True
```

That way, a user doesn't have to add the -K flag. Right now, when you run it without the -K flag, it just hangs there without telling the user what happened. That way, it could be more explicit.

Maybe, the sudo_ask_pass: True could be the default value when there's a sudo_user option that is set.

@mpdehaan mpdehaan (Contributor) commented Oct 5, 2012

Yes, it could probably be done on a per user basis, default False

-K would default all plays with sudo_user set to True

If this is something you would like to work on, patches for 0.9 would be great.

You will have to contend not only with plays in the top level playbook, but also playbooks imported from others.

Further, it should ask for all passwords up front, rather than when it gets to the particular play, and only ask for the password for each user once.

@dferrin dferrin (Author) commented Oct 8, 2012

I have limited experience in Python. I can't work on it right now, but I'll keep you posted if I start working on it.

@bcoca bcoca (Member) commented Nov 2, 2012

I looked into this, currently remote_user is a property of the runner and not of the connection, we can either change it per connection or just switch it (it would make implementing ansible_ssh_user easier).

Once that is done, just minor changes to play processing, setting up dictionaries remote_users[username] = password and prompt before any play execution per user, the prompt function would also need to display username for both ssh and sudo cases, which I think we could simplify as they are the same password 99% of the time (I've only encountered such a weird pam setup once).

The one case this doesn't cover is different passwords for the same user on different hosts (ansible_user_password?).

If that sounds good I should be able to tackle this over the weekend.

@mpdehaan mpdehaan (Contributor) commented Nov 2, 2012

This actually isn't about per connection.

This is really about asking about it per user in a play, which we can do because each play uses its own Runner instances.

I do not believe in ansible_ssh_user for the most part because you can target different users for different plays.

What you say about prompt is correct though.

Let's not worry about adding any new variables and just make it so that for playbooks (only) if you use the password prompt features it looks for all the users used in the playbook and then asks for their passwords.

Note that this will have to template things out with globals and such, such that things like --extra-vars are evaluated, people may be doing "user: $user" and so on.

So yeah, it's a bit complicated...

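The design sketched across mpdehaan's two comments (walk every play, including plays imported from other playbooks, resolve templated users after extra vars are applied, then ask for each user's sudo password exactly once and up front) is shown below as an added example. This is not Ansible's code and was not posted by anyone in the thread; the plays are constructed Python dicts standing in for the issue's sandbox.yml so no YAML library is needed, the imported playbook name `extra.yml`, the `load_playbook` helper, and the `$var`/`${var}` substitution are assumptions for illustration, and the prompt function is injectable so the flow can be exercised without a terminal.

```python
import getpass
import re
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the issue's sandbox.yml (plays as dicts), extended
# with a hypothetical included playbook "extra.yml" and a templated sudo_user
# to cover the two cases raised in the thread: plays pulled in from other
# playbooks, and values such as "user: $user" that are only known once
# --extra-vars have been applied.
SANDBOX_PLAYBOOK = [
    {"hosts": "backup", "sudo": True, "sudo_user": "david", "gather_facts": False},
    {"hosts": "main", "sudo": True, "sudo_user": "foofoo", "gather_facts": False},
    {"include": "extra.yml"},
]
PLAYBOOK_LIBRARY = {
    "extra.yml": [
        {"hosts": "web", "sudo": True, "sudo_user": "${deploy_user}"},
        {"hosts": "db", "sudo": True},          # no sudo_user: Ansible defaults to root
        {"hosts": "cache"},                      # no sudo at all: nothing to prompt for
        {"hosts": "backup", "sudo": True, "sudo_user": "david"},  # david again: ask once
    ],
}


def load_playbook(name: str) -> List[dict]:
    """Stand-in (assumption) for reading an included playbook file from disk."""
    return PLAYBOOK_LIBRARY[name]


_VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def template(value: str, variables: Dict[str, str]) -> str:
    """Resolve $var / ${var} references from extra-vars-style values.
    An undefined variable is an error: prompting for the literal "$user" would
    silently ask for a password that no play ever uses."""
    def substitute(match):
        name = match.group(1) or match.group(2)
        if name not in variables:
            raise KeyError(f"sudo_user references undefined variable ${name}")
        return variables[name]
    return _VAR_RE.sub(substitute, value)


def collect_sudo_users(
    plays: List[dict],
    variables: Dict[str, str],
    loader: Callable[[str], List[dict]],
    _stack: Tuple[str, ...] = (),
) -> List[str]:
    """Return every distinct sudo user the playbook and its includes will need,
    in order of first use, before any play has started."""
    users: List[str] = []
    for play in plays:
        if "include" in play:
            name = play["include"]
            if name in _stack:  # guard against a playbook that includes itself
                raise ValueError("playbook include cycle: " + " -> ".join(_stack + (name,)))
            nested = collect_sudo_users(loader(name), variables, loader, _stack + (name,))
            for user in nested:
                if user not in users:
                    users.append(user)
            continue
        if not play.get("sudo"):
            continue
        user = template(str(play.get("sudo_user", "root")), variables)
        if user not in users:
            users.append(user)
    return users


def prompt_sudo_passwords(users: List[str], ask: Callable[[str], str] = None) -> Dict[str, str]:
    """Ask for each user's sudo password exactly once, up front, keyed by user
    (the remote_users[username] = password dictionary bcoca describes)."""
    if ask is None:
        ask = lambda user: getpass.getpass(f"sudo password for {user}: ")
    return {user: ask(user) for user in users}


if __name__ == "__main__":
    wanted = collect_sudo_users(SANDBOX_PLAYBOOK, {"deploy_user": "deploy"}, load_playbook)
    print("will prompt for:", wanted)  # ['david', 'foofoo', 'deploy', 'root']
    passwords = prompt_sudo_passwords(wanted)
    print("collected passwords for", sorted(passwords))
```

Prompting from the full user list before the first play starts is what avoids the hang the issue describes: a play for a user whose password was never requested is detected at load time rather than when sudo blocks waiting on the wrong password.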

@mpdehaan mpdehaan (Contributor) commented Nov 22, 2012

Haven't seen much demand for this, I think most people are sudoing from only one user account or using keys most of the time.

I am closing this as I see it is unlikely that we will work on this, but patches would be considered

@mpdehaan mpdehaan closed this Nov 22, 2012
@supervacuo supervacuo commented Dec 7, 2013

> I think most people are sudoing from only one user account or using keys most of the time.

Could you explain how either situation would work with different passwords?

Even with key-based authentication, and with the same username on several, it still seems good security practice to have different passwords per-host.

Are existing ansible users really all using NOPASSWD or reusing passwords? Or is there a fourth option (beyond the solution described in this issue) I'm missing?

@lambdafu lambdafu commented Dec 18, 2013

I am surprised this has not been addressed properly. Is opsec really that horrible among ansible users?

@dirkcuys dirkcuys (Contributor) commented Dec 18, 2013

Don't want to complain, but want to add my voice to the interested parties - I also have different sudo passwords for different users on different hosts.

My guess is that most people probably just use NOPASSWD, that is what AWS and other cloud hosting services give you by default!

@bcoca bcoca (Member) commented Dec 18, 2013

I use sudo passwords, but normally the same user per ansible invocation.

@supervacuo supervacuo commented Dec 18, 2013

@bcoca and the same password? That's what's being discussed here.

@jctanner jctanner (Member) commented Dec 18, 2013

A closed ticket is the wrong place to have this sort of discussion. Please use the ansible-project or ansible-devel mailing list.

@supervacuo supervacuo commented Dec 28, 2013

@jctanner thank you for the suggestion. I have raised this question on the "Ansible Project" mailing list — I'd appreciate any advice or further thoughts.

@dupuy dupuy commented May 26, 2014

Note that there are now other solutions to this problem on that serverfault page - you can store different sudo passwords for each host using host_vars/ files or lookup('password', …) and keep them encrypted with the Ansible vault, so there is really not so much reason to prompt for multiple sudo passwords (would you really want to type those every time?).

@ansible ansible locked and limited conversation to collaborators Apr 24, 2019