58

I want to use Ansible as part of another Python program. In that software I have a list of hosts with their user / password.

Is there a way to pass the user / password of the SSH connection to the Ansible ad-hoc command, or to write it in a file in an encrypted way?

Or do I understand it all wrong, and the only way to do it is with SSH certification?

slm
Nuvi
  • 2
    You don't want to store passwords on a computer. That's terrible security practice. :-) Instead, use SSH keys for authentication. The [SSH documentation](http://www.openssh.com/manual.html) includes everything you need, in particular [ssh-keygen](http://man.openbsd.org/ssh-keygen). Create your key, then add the public part (i.e. `~/.ssh/id_ed25519.pub`) to the `~/.ssh/authorized_keys` file on each target host. – ghoti May 03 '16 at 13:11
  • 2
    You can use vault to store data encrypted (AES-256) but I'm not sure you can pass the password if not by typing it (see my answer) –  May 03 '16 at 13:37
  • user5507598, yes it's possible, you need to use a vault key file and call ansible-playbook as a command with -k for the expect module, and for responses: (?i)SSH password: "{{ password }}". The variable containing the encrypted password will be decrypted with vault. Though this will keep the lock and key both at the server. Not the best way. – v_sukt Jun 01 '18 at 10:10

4 Answers

60

The docs say you can specify the password via the command line:

-k, --ask-pass.
ask for connection password

Ansible can also store the password in the ansible_password variable on a per-host basis.

slhck
  • Probably you will need to give a read at [this](http://docs.ansible.com/ansible/playbooks_intro.html#hosts-and-users) too. –  May 03 '16 at 13:02
  • 1
    this works as advertised. you can also store them in an inventory file – MillerGeek May 03 '16 at 17:59
  • 2
    Actually the inventory is a better option yet not so safe so probably you could add those parameters in a script instead (where they can be decrypted). [here](http://docs.ansible.com/ansible/intro_inventory.html#non-ssh-connection-types) is how to save the user/pass in the inventory: `ansible_user`, `ansible_ssh_pass` –  May 03 '16 at 18:11
  • 1
    storing the values in inventory is a really bad idea for security unless you encrypt it with vault. – MillerGeek May 03 '16 at 18:20
  • Agreed. And still is a bad idea for practicality, the inventory is often the part that changes the most. –  May 03 '16 at 18:41
  • Thanks for your answer! Currently I have in my software an encrypted file with the users and passwords. As far as I understand, --ask-pass will prompt and wait for a password, and even if scripted, it might be easy to track and would be a security vulnerability. Regarding inventory I think I missed the point. How can I use the inventory file with encrypted passwords? When shall I decrypt them? – Nuvi May 04 '16 at 08:33
  • Following @smiller171's approach all you need is to encrypt the inventory using [vault](http://docs.ansible.com/ansible/playbooks_vault.html). Afterwards, you can run your playbook with the `--ask-vault-pass` option for Ansible to prompt for your passphrase (so it can decrypt files) before running all the tasks. –  May 04 '16 at 11:06
  • @user5507598 so the ssh password is automatically input with the need for interactive typing if we use vault? – lucid_dreamer Jun 10 '19 at 03:51
  • Storing the default SONiC password in my inventory for the inventory that provisions my ssh keys on a switch doesn't decrease security and is less annoying than having to encrypt it. There are cases (provisioning something better after install) where inventory is the right answer. – Sam Hartman Jan 05 '22 at 19:56
48

You can use --extra-vars like this:

ansible all --inventory=10.0.1.2, -m ping \
  --extra-vars "ansible_user=root ansible_password=yourpassword"

If you're authenticating to a Linux host that's joined to a Microsoft Active Directory domain, this command line works.

ansible --module-name ping \
  --extra-vars 'ansible_user=domain\user ansible_password=PASSWORD' \
  --inventory 10.10.6.184, all
β.εηοιτ.βε
liuhao
    ... and then your credentials go to bash history :/ Is there a better way? – user1053510 Sep 19 '19 at 13:51
  • 1
    @user1053510 You can temporarily disable bash history with an environment variable. https://stackoverflow.com/questions/6475524/how-do-i-prevent-commands-from-showing-up-in-bash-history – Brett Holman Sep 30 '19 at 16:34
  • This solution worked for me, authenticating as an Active Directory user from a Linux client to a domain-joined Linux client. –  Jan 20 '20 at 04:21
  • 2
    @user1054510 The creds do not go in bash history if you press space first before issuing them. – David West Jan 31 '20 at 14:37
  • Note to self: read the variable names carefully, `ansible_ssh_user` and `ansible_ssh_password` have no effect on the ssh password failures. Make sure you're using `ansible_user` and `ansible_password`. – activedecay Jun 08 '20 at 20:56
  • 1
    @DavidWest Can you explain what you mean by "issuing them"? They are not being prompted and then entered via CLI, they appear as plain text as part of the `ansible` call in `--extra-vars` params, thus landing in the bash history. – Koenigsberg Jun 21 '22 at 10:03
  • 1
    @Koenigsberg, good points. Just adding a space before some command somewhere is vague and not any solution here. I am now considering Francois Swanepoel's answer... seems nice if you want to use this in a script and pass vars in as well. Also... is this what Ansible Vaults are for? – David West Jul 01 '22 at 04:21
  • @DavidWest I am not sufficiently familiar with Ansible Vaults, you may be onto something there – Koenigsberg Jul 18 '22 at 12:52
  • In my case, the control plane user is ansible and the worker node user is root. I installed the public key but it was not working since the users are different on the two nodes. I ran the above command without the password and it worked fine. As follows: `ansible all --inventory=10.0.1.2, -m ping --extra-vars "ansible_user=root"` – iftee Sep 22 '22 at 22:23
7

As mentioned before, you can use --extra-vars (-e), but instead of specifying the password on the command line, so that it doesn't end up in the history files, you can save it to an environment variable. This way it also goes away when you close the session.

read -s PASS
ansible windows -i hosts -m win_ping -e "ansible_password=$PASS"
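Tying the previous three answers together for the asker's actual situation (a Python program holding a list of hosts with their own user / password): the first answer's per-host `ansible_user` / `ansible_password` variables, the history-leak problem raised under the `--extra-vars` answer, and the `read -s` variant, which keeps the password out of the history file but still puts it in the `ansible` process's argv, where any local user can read it with `ps`. The example below is added here and is not code from Ansible or from any of the answers. It writes a throwaway inventory into a private temp directory, invokes `ansible` with an argv list (no shell, so nothing reaches a history file and no password appears in `ps`), and deletes the inventory afterwards. Assumptions: the `ansible` CLI and `sshpass` are installed; the inventory is written as JSON, which the YAML inventory plugin reads because JSON is valid YAML; and the hosts, users and passwords are constructed sample data, not real credentials. The `runner` parameter is a hook of this example so the flow can be exercised without contacting any host.

```python
"""Run an Ansible ad-hoc command from Python with per-host SSH passwords,
without putting any password on a command line.

Added example for this Q&A, not code from Ansible or from the answers.
"""
import json
import os
import shutil
import subprocess
import tempfile

# Constructed sample data: what the asker's "list of hosts with user /
# password" might look like inside the calling program. Not real hosts.
SAMPLE_HOSTS = [
    {"name": "web1", "host": "10.0.1.2", "user": "deploy", "password": "s3cret one"},
    {"name": "web2", "host": "10.0.1.3", "user": "root", "password": "123"},
]


def build_inventory(hosts):
    """Return a YAML-shaped inventory (as a dict) with ansible_host,
    ansible_user and ansible_password set per host. json.dumps() of this
    dict is valid YAML, so Ansible's yaml inventory plugin reads it, and every
    password stays a quoted string (no INI quoting rules, no '123' -> int)."""
    return {
        "all": {
            "hosts": {
                h["name"]: {
                    "ansible_host": h["host"],
                    "ansible_user": h["user"],
                    "ansible_password": h["password"],
                }
                for h in hosts
            }
        }
    }


def write_private_file(directory, name, text):
    """Create directory/name with mode 0600 from the first instant (O_EXCL,
    explicit mode), so there is no window in which another user can read it."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    return path


def ansible_argv(inventory_path, module="ping", pattern="all", module_args=None):
    """Build the argv for `ansible`. Passwords live only in the inventory file,
    so the argv (visible in `ps`, and in shell history if typed) carries none."""
    argv = ["ansible", pattern, "-i", inventory_path, "-m", module]
    if module_args:
        argv += ["-a", module_args]
    return argv


def run_adhoc(hosts, module="ping", pattern="all", module_args=None,
              runner=subprocess.run):
    """Write the inventory to a private temp dir (mkdtemp creates it 0700),
    run ansible as an argv list with no shell, and remove the inventory
    afterwards. `runner` is injectable so the flow can be tested offline."""
    if runner is subprocess.run and shutil.which("sshpass") is None:
        # Ansible's ssh connection plugin needs sshpass for password logins
        # (the error message quoted in the next answer).
        raise RuntimeError("sshpass is required for ansible_password logins")
    tmpdir = tempfile.mkdtemp(prefix="ansible-inv-")
    try:
        inv = write_private_file(tmpdir, "inventory.yml",
                                 json.dumps(build_inventory(hosts)))
        return runner(ansible_argv(inv, module, pattern, module_args),
                      check=False)
    finally:
        shutil.rmtree(tmpdir)  # nothing holding a password stays on disk


if __name__ == "__main__":
    result = run_adhoc(SAMPLE_HOSTS)
    print("ansible exited with", result.returncode)
```

If the inventory is kept on disk permanently instead of being generated per run, the vault suggestion from the comments is the fit: `ansible-vault encrypt inventory.yml`, then run with `--vault-password-file`, which can point at a 0600 file or at an executable whose standard output Ansible uses as the vault password, so the calling program can supply it without ever writing it to disk.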
7

I used the command

ansible -i inventory example -m ping -u <your_user_name> --ask-pass

And it will ask for your password.

For anyone who gets the error:

to use the 'ssh' connection type with passwords, you must install the sshpass program

On macOS, you can follow the instructions below to install sshpass:

  1. Download the Source Code
  2. Extract it and cd into the directory
  3. ./configure
  4. sudo make install
dungvo
  • 2
    Found this funny: on MacOS when I `brew search sshpass` I got "We won't add sshpass because it makes it too easy for novice SSH users to ruin SSH's security." so thanks for the instructions – johnnyB Jun 19 '22 at 18:05