Handling of user passwords by the playbooks

REve-Workshop / xyz.revecloud.re.ansible.reve-setup

Set of ansible playbooks to manage hosts in my infrastructure

GNU Affero General Public License v3.0

0 stars 0 forks source link

Handling of user passwords by the playbooks #2

Open montaropdf opened 4 years ago

montaropdf commented 4 years ago

When creating a user on a linux host, it is possible to define the password.

The password must be kept outside of the user's definition files and playbook.

I forsee the following methods to keep the password secret:

Using an ansible vault file
Using the lookup plugin to the passwordstore.org pass utility
Using the lookup plugin to HachiCorp Vault password manager

There is, maybe, other lookup plugins for this kind of tasks.

Links
- HashiCorp
- passwordstore.org Pass utility

montaropdf commented 4 years ago

The use of the lookup plugins can be done in the user's configuration files.

montaropdf commented 4 years ago

The passwordstore lookup plugin require a TTY. Connecting to an LXC container with lxc-attach will make the playbook fail because pinentry cannot run in this mode it seems.

This as been tested with a container managed by a proxmox node.