Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add vault_users for easier password management #614

Merged
merged 2 commits into from
Aug 3, 2016
Merged

Add vault_users for easier password management #614

merged 2 commits into from
Aug 3, 2016

Conversation

fullyint
Copy link
Contributor

@fullyint fullyint commented Jul 9, 2016
edited
Loading

Automates password hashing so people don't have to create their own hash for sudoer_passwords.

Automates become pass submission so people don't have to use --ask-become-pass.
When --ask-become-pass is used, its password will take precedence.

Disables root login by default, but only after confirmation that the admin_user can connect.
Edit: we can dedicate a separate PR to disabling root login.

roots/docs#43

@fullyint fullyint force-pushed the vault-users branch 3 times, most recently from 4be9538 to 166b1dd Compare July 9, 2016 22:40
@fullyint fullyint mentioned this pull request Jul 9, 2016
Merged
@swalkinshaw
Copy link
Member

Any ideas about encouraging the use of Ansible Vault? It becomes more important with this change.

At a minimum we should probably emphasize it more in the docs.

@fullyint fullyint mentioned this pull request Jul 16, 2016
Merged
@fullyint
Copy link
Contributor Author

Any ideas about encouraging the use of Ansible Vault?

I have a "tips" role largely worked out, following the pattern of #562's proposed "validations" role. Tips print to the end of playbook stdout. One is conditional on a custom unencrypted_vault_files bool created using is_encrypted from VaultLib:

Tip: Some vault files are not encrypted. Set up Ansible Vault following the guide at ... [etc]

Users can disable tips and/or validations with a simple toggle in group_vars or --extra-vars.

Not wanting to overload, I was waiting to finalize/submit the "tips" PR till after the "validations" PR had been considered.

There could certainly be other ideas for encouraging Vault usage.

@fullyint
Copy link
Contributor Author

@swalkinshaw pointed out that the playbook fails if vault_users is not defined. It does not need to be defined when sshd_permit_root_login: true (current default).

I added a few instances of vault_users | default([]) to prevent unnecessary failure.

@fullyint fullyint force-pushed the vault-users branch 2 times, most recently from 6b736d3 to f1a77a8 Compare July 23, 2016 09:26
@swalkinshaw
Copy link
Member

Trying this out and I get this:

|password_hash requires the passlib python module to generate password hashes
on Mac OS X/Darwin

@swalkinshaw
Copy link
Member

After a pip install password_hash everything worked great 👍

@fullyint fullyint force-pushed the vault-users branch 2 times, most recently from ead460d to 0b49215 Compare July 24, 2016 23:20
@fullyint
Copy link
Contributor Author

Thanks for testing! I squashed in a test and message at the top of vars.py suggesting:

Ansible on OS X requires the python passlib module to create user password hashes.
sudo easy_install pip
pip install passlib

@swalkinshaw
Copy link
Member

💯

@swalkinshaw swalkinshaw merged commit db0c068 into roots:master Aug 3, 2016
This was referenced Aug 3, 2016
Merged
Closed
@fullyint fullyint mentioned this pull request Aug 28, 2016
Merged
@fullyint fullyint deleted the vault-users branch December 15, 2016 17:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fullyint @swalkinshaw