[Vmdebootstrap-devel] Bug#784125: Getting key-based root access for ansible
Emanuele Aina
emanuele.aina at collabora.com
Sat Mar 4 15:57:40 UTC 2017
Sorry for chiming in with an unsolicited opinion, but I just stumbled
on Jan's patch as I was searching exactly for that kind of
functionality. :)
I'm currently using `vmdebootstrap` (it is awesome, thanks!) to set up
an ephemeral VM used as the test environment for the ansible playbook
of a production server.
I totally understand the need to keep the number of options down, but I
still think that Jan's patch makes the right thing easier to do (that
is, rely on key auth for privileged access), in particular in light of
the fact that `sshd_config` defaults to `PermitRootLogin without-password`
(which has now been renamed to `prohibit-password` and
basically prevents password-based SSH access).
This means that at the moment there doesn't seem to be any good option
to get automated root access without using a custom script:
* `--root-password` is useless due to the ssh config default
* no straightforward way to install an SSH key for root
* using an unprivileged user and `sudo` works, but makes key-based
auth useless as `sudo` would still ask for the password
The only solution currently available is thus using a customization
script, but Jan's option would make this *much* easier, and I think
reducing friction on the most secure path would be worth the pain of
having an additional option. :)
(Honestly I think such an option would in fact be *more* useful than
the current root/user-related options, once you have a secure key-based
root connection you can easily set up the root password, other
accounts, etc., manually or using chef/ansible/whatever, but of course
those options cannot be dropped for compatibility reasons)
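
The customization-script route described in the message above, as an added example that is not part of the original post or of vmdebootstrap itself: a script for `--customize` that installs one public key for root with the permissions sshd expects. The function name `install_root_key`, the `ROOT_PUBKEY_FILE` variable and the placeholder key path are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: a script for `vmdebootstrap --customize=...`, which runs it
# with the image's root filesystem directory as $1.
# ROOT_PUBKEY_FILE and install_root_key are hypothetical names for this sketch.
set -eu

install_root_key() {
    rootdir=$1
    pubkey_file=$2

    [ -d "$rootdir" ] || { echo "not a directory: $rootdir" >&2; return 1; }

    # Keep the non-empty lines; exactly one is allowed, so a private key or a
    # multi-key file passed by mistake is refused instead of being installed.
    key=$(grep . "$pubkey_file") ||
        { echo "cannot read a key from $pubkey_file" >&2; return 1; }
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] ||
        { echo "expected exactly one public key" >&2; return 1; }
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' ||
        { echo "not an OpenSSH public key line" >&2; return 1; }

    sshdir=$rootdir/root/.ssh
    auth=$sshdir/authorized_keys

    # sshd (StrictModes) ignores authorized_keys when it or its directory is
    # writable by anyone but the owner, so set the modes explicitly.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Idempotent: append only when this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    # Image builds run as root; give the files to uid/gid 0 in that case.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R 0:0 "$sshdir"
    fi
}

# Entry point when run as the customize script (rootfs directory in $1).
if [ "$#" -ge 1 ]; then
    install_root_key "$1" "${ROOT_PUBKEY_FILE:-/path/to/id_ed25519.pub}"
fi
```

With the default `PermitRootLogin prohibit-password`, the resulting image accepts root logins with this key only, which is the access an ansible run against the ephemeral VM needs.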