Closed OpenNebulaSupport closed 3 weeks ago
Hello.
We don't really consider connecting to ssh endpoints using passwords as something that we want to support, there is really no good reason to do so, moreover we don't want to encourage using bad security practices among OpenNebula users (I believe it's unethical for an open source project). Ubuntu creators for example seem to think just the same, since /etc/ssh/sshd_config.d/60-cloudimg-settings.conf started to disable password auth for the whole sshd process always (which makes users do extra explicit effort to re-enable password auth).
But anyways, to make one-deploy work with passwords, users need to:
- PasswordAuthentication yes in sshd (inside the target cluster).
- sshpass on the ansible controller.
- sshpass on all FE machines, that's because of constructions of this type https://github.com/OpenNebula/one-deploy/blob/c831098f4d8bbb03698ea080692962090ba1f0bd/roles/opennebula/server/tasks/sync_ha.yml#L137-L138 , where synchronize module runs rsync+ssh combo and this is direct communication not involving the ansible controller.
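Why editing only /etc/ssh/sshd_config may not re-enable password authentication on an image that ships the drop-in mentioned above: sshd keeps the first value it obtains for a keyword, and files matched by an Include glob are read in lexical order. This is an added example, not code from this thread or from one-deploy; the file contents are constructed, the leading Include line is an assumption, and Match blocks are skipped as a simplification.

```python
import fnmatch
import posixpath
import re

# Constructed sample (not from a real host). The drop-in file name is the one
# named in the comment above; its content and the Include line are assumptions.
SAMPLE = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication yes   # edit made only in the main file\n"
    ),
    "/etc/ssh/sshd_config.d/60-cloudimg-settings.conf":
        "PasswordAuthentication no\n",
}

LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")  # "Key value" or "Key=value"


def directives(path, files, seen=()):
    """Yield (keyword, value, source) for global settings, in read order."""
    if path in seen:  # guard against Include loops
        return
    for raw in files.get(path, "").splitlines():
        m = LINE.fullmatch(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":  # simplification: skip conditional blocks
            return
        if key == "include":
            for pattern in value.split():
                if not pattern.startswith("/"):
                    pattern = posixpath.join("/etc/ssh", pattern)
                for inc in sorted(fnmatch.filter(files, pattern)):
                    yield from directives(inc, files, seen + (path,))
            continue
        yield key, value, path


def effective(keyword, files, main="/etc/ssh/sshd_config", default="yes"):
    """Return (value, source). The first value obtained for a keyword wins."""
    for key, value, source in directives(main, files):
        if key == keyword.lower():
            return value, source
    return default, "built-in default"


if __name__ == "__main__":
    print(effective("PasswordAuthentication", SAMPLE))
```

On a real host, `sshd -T` prints the effective configuration and is the authoritative check.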
one-deploy has been developed based on passwordless ssh connections. This means every task executed that requires some sort of ssh connection has been tested and assumes a connection where ssh keys have been whitelisted.
Due to company policies, an ssh connection with a password might be required. This can have some unexpected consequences during the execution of certain tasks, for example, syncing HA information.
Connection Requirements
Ideally one-deploy could support this, but as it isn't a tested scenario we don't know the implications of setting ansible_ssh_pass and/or ansible_sudo_pass on the inventory file. This also means there is no documentation showcasing password ssh connections.