
I want to use Ansible as part of another Python software. In that software I have a hosts list with their user / password.

Is there a way to pass the user / pass of the SSH connection to the Ansible ad-hoc command, or write it in any file in an encrypted way?

Or do I understand it all wrong, and the only way to do it is with SSH certification?

Nuvi
    You don't want to store passwords on a computer. That's terrible security practice. :-) Instead, use SSH keys for authentication. The [SSH documentation](http://www.openssh.com/manual.html) includes everything you need, in particular [ssh-keygen](http://man.openbsd.org/ssh-keygen). Create your key, then add the public part (i.e. `~/.ssh/id_ed25519.pub`) to the `~/.ssh/authorized_keys` file on each target host. – ghoti May 03 '16 at 13:11
  • You can use vault to store data encrypted (AES-256) but I'm not sure you can pass the password if not by typing it (see my answer) –  May 03 '16 at 13:37
  • user5507598, yes, it's possible. You need to use a vault key-file and call ansible-playbook as a command with -k for the expect module, and for responses: `(?i)SSH password: "{{ password }}"`. The variable containing the encrypted password will be decrypted with vault. Though this will keep the lock and key both at the server. Not the best way. – v_sukt Jun 01 '18 at 10:10

4 Answers

When speaking with remote machines, Ansible by default assumes you are using SSH keys. SSH keys are encouraged but password authentication can also be used where needed by supplying the option --ask-pass. If using sudo features and when sudo requires a password, also supply --ask-become-pass (previously --ask-sudo-pass which has been deprecated).

Never used the feature but the docs say you can.

erncyp
  • Probably you will need to give a read at [this](http://docs.ansible.com/ansible/playbooks_intro.html#hosts-and-users) too. –  May 03 '16 at 13:02
  • This works as advertised. You can also store them in an inventory file – MillerGeek May 03 '16 at 17:59
  • Actually the inventory is a better option, yet not so safe, so probably you could add those parameters in a script instead (where they can be decrypted). [Here](http://docs.ansible.com/ansible/intro_inventory.html#non-ssh-connection-types) is how to save the user/pass in the inventory: `ansible_user`, `ansible_ssh_pass` –  May 03 '16 at 18:11
  • Storing the values in inventory is a really bad idea for security unless you encrypt it with vault. – MillerGeek May 03 '16 at 18:20
  • Agreed. And it is still a bad idea for practicality; the inventory is often the part that changes the most. –  May 03 '16 at 18:41
  • Thanks for your answer! Currently I have in my software an encrypted file with the users and passwords. As far as I understand, --ask-pass will prompt and wait for a password, and even if scripted, it might be easy to track and would be a security vulnerability. Regarding inventory, I think I missed the point. How can I use the inventory file with an encrypted password? When shall I decrypt them? – Nuvi May 04 '16 at 08:33
  • Following @smiller171's approach, all you need is to encrypt the inventory using [vault](http://docs.ansible.com/ansible/playbooks_vault.html). Afterwards, you can run your playbook with the `--ask-vault-pass` option for Ansible to prompt for your passphrase (so it can decrypt files) before running all the tasks. –  May 04 '16 at 11:06
  • @user5507598 so the ssh password is automatically input with the need for interactive typing if we use vault? – lucid_dreamer Jun 10 '19 at 03:51
  • Storing the default SONiC password in my inventory for the inventory that provisions my ssh keys on a switch doesn't decrease security and is less annoying than having to encrypt it. There are cases (provisioning something better after install) where inventory is the right answer. – Sam Hartman Jan 05 '22 at 19:56
You can use --extra-vars like this:

```bash
$ ansible all --inventory=10.0.1.2, -m ping \
    --extra-vars "ansible_user=root ansible_password=yourpassword"
```

If you're authenticating to a Linux host that's joined to a Microsoft Active Directory domain, this command line works.

```bash
ansible --module-name ping --extra-vars 'ansible_user=domain\user ansible_password=PASSWORD' --inventory 10.10.6.184, all
```

liuhao
    ... and then your credentials go to bash history :/ Is there a better way? – user1053510 Sep 19 '19 at 13:51
  • @user1053510 You can temporarily disable bash history with an environment variable. https://stackoverflow.com/questions/6475524/how-do-i-prevent-commands-from-showing-up-in-bash-history – Brett Holman Sep 30 '19 at 16:34
  • This solution worked for me, authenticating as an Active Directory user from a Linux client to a domain-joined Linux client. –  Jan 20 '20 at 04:21
  • @user1054510 The creds do not go in bash history if you press space first before issuing them. – David West Jan 31 '20 at 14:37
  • Note to self: read the variable names carefully, `ansible_ssh_user` and `ansible_ssh_password` have no effect on the ssh password failures. Make sure you're using `ansible_user` and `ansible_password`. – activedecay Jun 08 '20 at 20:56
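As an added example (not code from any answer above), here is how the asker's Python software could combine the inventory variables discussed under the first answer with the history-leakage concern raised here: write a 0600 temporary inventory carrying `ansible_user` / `ansible_password` per host and invoke `ansible` with an argv list, so the password is on neither the command line nor in the shell history. The host entries are constructed sample values, and running it end to end assumes `ansible` is on PATH.

```python
import os
import subprocess
import tempfile
from typing import Dict, List

# Constructed sample host list of the kind the asker's software holds (hypothetical values).
HOSTS: List[Dict[str, str]] = [
    {"name": "web1", "host": "10.0.1.2", "user": "deploy", "password": "s3cret-1"},
    {"name": "web2", "host": "10.0.1.3", "user": "deploy", "password": "s3cret-2"},
]


def build_inventory(hosts: List[Dict[str, str]]) -> str:
    """Render an INI inventory with per-host ansible_user / ansible_password.
    Note the names: ansible_password, not ansible_ssh_password (see comment above)."""
    lines = ["[targets]"]
    for h in hosts:
        lines.append(
            f"{h['name']} ansible_host={h['host']} "
            f"ansible_user={h['user']} ansible_password={h['password']}"
        )
    return "\n".join(lines) + "\n"


def write_private(path: str, content: str) -> int:
    """Create the file with mode 0600 before writing, so the password is never
    readable by other local users, even briefly. Returns the permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return os.stat(path).st_mode & 0o777


def adhoc_argv(inventory_path: str, module: str = "ping") -> List[str]:
    """argv for the ad-hoc run: no credential appears here, so nothing reaches
    `ps` output or the shell history; the password lives only in the inventory."""
    return ["ansible", "all", "-i", inventory_path, "-m", module]


def run_adhoc(hosts: List[Dict[str, str]], module: str = "ping") -> int:
    """Write the inventory into a temporary directory (removed afterwards) and run
    ansible as a child process from an argv list, i.e. without shell interpolation.
    If the inventory had to persist on disk, ansible-vault would be the place for it."""
    with tempfile.TemporaryDirectory() as workdir:
        inventory = os.path.join(workdir, "hosts.ini")
        write_private(inventory, build_inventory(hosts))
        return subprocess.run(adhoc_argv(inventory, module), shell=False).returncode


if __name__ == "__main__":
    raise SystemExit(run_adhoc(HOSTS))
```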
As mentioned before, you can use --extra-vars (-e), but instead of specifying the password on the command line, you can save it to an environment variable so it doesn't end up in the history files. This way it also goes away when you close the session.

```bash
read -s PASS
ansible windows -i hosts -m win_ping -e "ansible_password=$PASS"
```


I used the command

```bash
ansible -i inventory example -m ping -u <your_user_name> --ask-pass
```

And it will ask for your password.

For anyone who gets the error:

```
to use the 'ssh' connection type with passwords, you must install the sshpass program
```

On macOS, you can follow the instructions below to install sshpass:

  1. Download the source code
  2. Extract it and `cd` into the directory
  3. `./configure`
  4. `sudo make install`

dungvo