It seems that there are only two reasonable approaches for the primary Ansible user:

  • Using root
  • Using another user (e.g., ansible) with NOPASSWD sudo access

The first option is a no-go since I cringe at the thought of keeping PermitRootLogin on. So, by default, the second option seems to be the way to go.

I was thinking, at the very least, in /etc/ssh/sshd_config:

Match User ansible
    PasswordAuthentication no

And limiting key usage to the Ansible host by using the from option in authorized_keys:

from="192.168.100.0/24"

Any other ideas or issues/concerns with my thoughts so far?
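As an added example (not part of the original question or of Ansible), the following Python script applies the from= matching rules documented in sshd(8) to an authorized_keys line, so you can confirm that a restriction admits the Ansible controller's network and nothing else before relying on it. It parses the option list (quoted values, commas inside quotes), honours "!" negation, CIDR networks and "*"/"?" globs, and flags a CIDR that does not parse (for instance 192.168.100/24 with a missing octet). It checks the client's source IP only; sshd also matches the reverse-resolved hostname against glob patterns, which is not modelled. The sample line, its key blob and the addresses are constructed placeholders.

```python
"""Check an authorized_keys from= restriction against a source IP.

Added example, not from the original post.  Reimplements the pattern-list
rules in sshd(8): comma-separated patterns, '!' negation, CIDR and globs.
Hostname matching (sshd also tries the client's reverse DNS name) is omitted.
"""
import fnmatch
import ipaddress

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def split_line(line):
    """Return (options_string, rest) for one authorized_keys line.

    Options, when present, precede the key type and may carry quoted values
    that contain spaces or commas, e.g. command="/usr/bin/foo bar".
    """
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("not a key line")
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return "", line                      # no options on this line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    raise ValueError("options present but no key follows them")


def split_options(opts):
    """Split 'a,b="x,y",c' on the commas that sit outside double quotes."""
    out, cur, in_quote = [], [], False
    for i, ch in enumerate(opts):
        if ch == '"' and (i == 0 or opts[i - 1] != "\\"):
            in_quote = not in_quote
            cur.append(ch)
        elif ch == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def parse_from(line):
    """Return the list of patterns in the from= option, or None if absent."""
    options, _key = split_line(line)
    for opt in split_options(options):
        name, eq, value = opt.partition("=")
        if eq and name.lower() == "from":
            return [p for p in value.strip('"').split(",") if p]
    return None


def pattern_matches(pattern, addr):
    """Match one pattern against a source IP address string.

    A pattern containing '/' is CIDR; anything else is a glob.  strict=True
    insists on a proper network address (host bits zero), which is stricter
    than sshd but catches typos such as 192.168.100.5/24.
    """
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=True)
    return fnmatch.fnmatchcase(addr, pattern)


def invalid_from_patterns(line):
    """Return from= patterns that do not parse as a CIDR network (or carry host bits)."""
    bad = []
    for pat in parse_from(line) or []:
        pat = pat.lstrip("!")
        if "/" in pat:
            try:
                ipaddress.ip_network(pat, strict=True)
            except ValueError:
                bad.append(pat)
    return bad


def from_allows(line, addr):
    """True if addr may use the key on this line under its from= option.

    sshd(8) PATTERNS: a match on a negated pattern rejects the address even
    if another pattern matched; otherwise one positive pattern must match.
    """
    patterns = parse_from(line)
    if patterns is None:
        return True                          # no from= restriction at all
    positive = False
    for pat in patterns:
        if pattern_matches(pat.lstrip("!"), addr):
            if pat.startswith("!"):
                return False
            positive = True
    return positive


# Constructed sample line; the key blob is a placeholder, not a real key.
SAMPLE = ('from="192.168.100.0/24,!192.168.100.13",restrict '
          'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBlob ansible@control')

if __name__ == "__main__":
    for ip in ("192.168.100.7", "192.168.100.13", "10.0.0.5"):
        print(ip, "->", "allowed" if from_allows(SAMPLE, ip) else "rejected")
    print("bad patterns:", invalid_from_patterns('from="192.168.100/24" ssh-ed25519 AAAA x'))
```

Run it against the real line from the managed host's ~ansible/.ssh/authorized_keys and the controller's address; the remaining step is still `sshd -t` and a live login test, since this checker models the documented rules rather than sshd's code.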


Solution 1:

Those are the measures that I use for clients that have to be managed remotely by ssh (in my case using BackupPC instead of Ansible, but it works the same way).

If you're only using ssh to manage the clients, not for shell access, then it will improve security to add

AllowUsers ansible
PasswordAuthentication no