I appreciate your taking the time to teach good security practices. In this instance, Least Privilege is a crucial security best practice that really needs to become second nature for folks.
I've watched a lot of videos on the topic and used Ansible for various scenarios, but it's always good to get a new point of view. Yours is always a good one.
Thanks, glad to hear that I have a fresh perspective. Appreciate you leaving a comment.
Hi Jim, great start to the series! As a suggestion for a future route - I've taken this one step further at work and ditched WinRM as a connection method, and changed all our Windows hosts to be SSH connected using PowerShell as the default shell... It's a great way of leveraging the power of Ansible in the Windows world without the complexity and flakiness of WinRM!
Gives us Ansible configuration control over our Windows fleet, with the benefit that you can elevate the user account used but also set it to not be allowed to log on locally or remotely! SSH doesn't count as either, so an added layer of security. You can also lock or disable the password at the Windows level and only allow a certificate login at the OpenSSH level...
It's magic!
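As an added example (not the commenter's or the video's code), here is the controller side of the setup described in the comment above: an inventory that points Ansible at Windows hosts over SSH with PowerShell as the remote shell, plus a probe that checks a host behaves the way the comment says it should (the key gets you in, and sshd no longer offers password authentication). The Windows-side steps (installing OpenSSH Server, setting PowerShell as the default shell, denying the logon rights) are not shown. Host names, addresses, the `ansible` user and the key path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the video or the comment above. Controller-side pieces for
# managing Windows hosts over OpenSSH instead of WinRM, plus a probe that checks a host
# behaves as described: the key gets you in, and the server no longer offers password auth.
# Host names, addresses, the user and the key path are assumptions.
set -eu

# Overridable so the probe can be exercised against a stand-in instead of a real host.
SSH_BIN="${SSH_BIN:-ssh}"

# Inventory stanza for Windows over SSH. ansible_shell_type must be set for Windows
# SSH targets; without it Ansible assumes a POSIX sh on the far side.
write_windows_inventory() {
  cat >"$1" <<'EOF'
[windows]
win01 ansible_host=10.0.0.21
win02 ansible_host=10.0.0.22

[windows:vars]
ansible_connection=ssh
ansible_shell_type=powershell
ansible_user=ansible
ansible_ssh_private_key_file=~/.ssh/ansible_ed25519
EOF
}

# Returns 0 only if (1) key auth succeeds and (2) the server's "Permission denied (...)"
# reply to an empty ("none") authentication attempt lists neither password nor
# keyboard-interactive, i.e. a password could not get in even if one leaked.
# BatchMode stops ssh from ever prompting, so this is safe to run from a script.
check_key_only_login() {
  host="$1"; user="$2"; key="$3"

  if ! "$SSH_BIN" -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 \
        -i "$key" "$user@$host" exit 0; then
    echo "FAIL: key auth to $user@$host did not succeed" >&2
    return 1
  fi

  # Ask for nothing; sshd answers with the methods it would still accept.
  offered=$("$SSH_BIN" -o BatchMode=yes -o PreferredAuthentications=none \
        -o ConnectTimeout=5 "$user@$host" exit 0 2>&1 || true)
  case "$offered" in
    *password*|*keyboard-interactive*)
      echo "FAIL: $host still offers password auth for $user: $offered" >&2
      return 1 ;;
  esac
  echo "OK: $user@$host is key-only"
  return 0
}

# Usage: SSH_BIN=ssh ./win_ssh_check.sh win01 ansible ~/.ssh/ansible_ed25519
if [ "$#" -eq 3 ]; then
  check_key_only_login "$1" "$2" "$3"
fi
```

The probe relies on the fact that sshd's final "Permission denied (…)" message lists the authentication methods it would still accept; a host where `PasswordAuthentication no` has not taken effect shows up as `(publickey,password,keyboard-interactive)` even though the key worked. Run it against every host after the first `ansible -m ansible.windows.win_ping`, not just once.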
big up jim the king of the lab
Haha thanks 👑
Thanks Jim! You keep helping me push my homelab to a better place 😊😉
Glad to hear it, appreciate the feedback. Now hit that sub, I dare you 😜
Great ssh overview!
Appreciate the feedback
Thanks Jim!
You're welcome
14:30: You can also utilize the ssh-agent (ssh-add /path/to/private.key) (or PuTTY's Pageant agent, maybe?). This will allow Ansible to use the key without asking for a passphrase every time but still keeps your key safe!
Yes, you can also add to the hosts file as mentioned.
@Jims-Garage But then it's stored in plain text. 🙂 Maybe you can utilize Ansible Vault for that, though? Never tested it for that purpose.
@IgnoreMyChan True, but if you have access to the user it's kind of a moot point. You are right though from a good practice standpoint, I'll cover these topics in future videos.
@Jims-Garage No worries, I understand the point of keeping it simple.
This is awesome. Thanks!
Glad it was helpful
excellent content
Much appreciated
The use of nano inside the VS code terminal made me sad... :)
You should be able to edit that file and when you try to save it, VS code will give you an error that you might need elevated privileges and give you a chance to put in sudo creds. Haven't tried it over remote SSH session though, so it might not work here. I'm definitely going to have to go try it out later and confirm.
Great video as always Jim, thank you! Do you know of any way to pre-configure the sshd_config to accept key-authentication by default? Since your cloud-init video it's now possible to easily create a new VM by cloning it but you still have to manually login to the new VM to enable key-authentication for ansible which is well annoying.. :)
Keep rocking!
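As an added example (not the video's or the commenter's code), one way to get what the comment above asks for: cloud-init user-data that creates the Ansible user with its public key and switches password logins off on first boot, so a VM cloned from the template accepts the key without anyone logging in first. The user name, key path, drop-in file name and the Proxmox snippet path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the video or the comment. Renders cloud-init user-data
# that creates the Ansible user with its public key and turns password logins off on
# first boot, so a cloned VM is reachable by key without a manual login. The user name,
# key path, drop-in file name and the Proxmox snippet path are assumptions.
set -eu

# Print a #cloud-config document for USER using the first line of PUBKEY_FILE.
# ssh_pwauth: false makes cloud-init set PasswordAuthentication no in sshd_config;
# the drop-in under sshd_config.d (included by Ubuntu's stock sshd_config) pins the rest.
# Listing users: without "- default" also means the stock "ubuntu" account is not created.
render_user_data() {
  user="$1"; pubkey_file="$2"
  pubkey=$(head -n 1 "$pubkey_file")
  cat <<EOF
#cloud-config
ssh_pwauth: false
disable_root: true
users:
  - name: $user
    shell: /bin/bash
    lock_passwd: true
    sudo: ALL=(ALL) NOPASSWD:ALL
    ssh_authorized_keys:
      - $pubkey
write_files:
  - path: /etc/ssh/sshd_config.d/50-ansible.conf
    permissions: '0644'
    content: |
      PubkeyAuthentication yes
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      PermitRootLogin no
runcmd:
  - [systemctl, restart, ssh]
EOF
}

# Sanity check before attaching the file: a comment or blank first line in the key file
# would otherwise land in authorized_keys as a no-op and the clone would stay unreachable.
# Returns 0 when the rendered document carries a public key of a common type.
validate_user_data() {
  grep -Eq '^      - (ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/=]+' "$1"
}

# Usage: ./gen-user-data.sh ansible ~/.ssh/ansible_ed25519.pub > ansible-user.yaml
if [ "$#" -eq 2 ]; then
  render_user_data "$1" "$2"
fi
```

After `validate_user_data ansible-user.yaml` passes, copy the file to a snippets-enabled storage on the Proxmox node and attach it to the template with `qm set <vmid> --cicustom "user=local:snippets/ansible-user.yaml"` (assuming the `local` storage has snippets enabled); every clone then boots with the key in place. `lock_passwd: true` leaves the account with no password at all, which is why sudo is `NOPASSWD` here; if you want sudo to prompt (and use `--ask-become-pass` as in the video), set a hashed `passwd:` entry for the user instead and drop `NOPASSWD`.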
I'm not sure the custom ssh key part at the end was correct.
When you ran your ansible ping command, you didn't have the ssh agent and didn't specify the key, so it makes sense that it failed. Then you ran the ansible command specifying the key AND asking for the password. If the key wasn't going to get you in (which I'm not convinced would have been the case), why specify it at all? Just use --ask-pass if you needed the password.
Ubuntu OpenSSH is configured by default to allow ssh pubkey auth. That commented out line with the yes value was the default. It's just showing you the options in case you want to change them.
If I'm missing something, feel free to correct, but this does not look right to me.
I suspect it's because I had become=true in the inventory file (which isn't required for ping). I think I could remove that and just specify the key file and it would work, but I had already introduced the become=true in the previous video.
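As an added example (not the video's code or anyone's in this thread), the following separates the three things the exchange above and the earlier ssh-agent discussion run together: where the key lives (in the agent, so it never has to be written into the hosts file), which password `--ask-pass` asks for (the SSH login), and which one `--ask-become-pass` asks for (sudo, which is needed as soon as `ansible_become=true` is in the inventory and the user is not `NOPASSWD`). Paths, host names and the user are assumptions.

```shell
#!/bin/sh
# Added example, not code from the video or the comments. Keeps the key in ssh-agent,
# and picks the right prompt for an ad-hoc run: --ask-pass is the SSH password,
# --ask-become-pass is the sudo password that become=true needs. Paths are assumptions.
set -eu

KEY="${KEY:-$HOME/.ssh/ansible_ed25519}"

# Load the key into ssh-agent once per shell session: the passphrase is typed here, not on
# every ansible run, and the key path never needs to be written into the inventory.
load_key() {
  if [ -z "${SSH_AUTH_SOCK:-}" ]; then
    eval "$(ssh-agent -s)" >/dev/null
  fi
  ssh-add "$KEY"
}

# Prints "yes" if the agent currently holds KEY, judged by fingerprint.
key_loaded() {
  fp=$(ssh-keygen -lf "$KEY.pub" | awk '{print $2}')
  if ssh-add -l 2>/dev/null | grep -q "$fp"; then echo yes; else echo no; fi
}

# Inventory as in the video, with become on. become=true means "use sudo";
# it does not supply the sudo password.
write_inventory() {
  cat >"$1" <<'EOF'
[linux]
ubuntu01 ansible_host=10.0.0.11

[linux:vars]
ansible_user=ansible
ansible_become=true
EOF
}

# Build the flags an ad-hoc run needs:
#   no usable key            -> --ask-pass        (SSH password)
#   become=true, no NOPASSWD -> --ask-become-pass (sudo password)
# Passing a key together with --ask-pass is what looked wrong above: the key makes the
# SSH password redundant, and --ask-pass never feeds sudo.
ping_args() {
  inventory="$1"; key_ok="$2"; nopasswd_sudo="$3"
  args="-i $inventory -m ping"
  [ "$key_ok" = "yes" ] || args="$args --ask-pass"
  if grep -q '^ansible_become=true' "$inventory" && [ "$nopasswd_sudo" = "no" ]; then
    args="$args --ask-become-pass"
  fi
  printf '%s\n' "$args"
}

# Usage (needs a real host; not run here):
#   load_key
#   write_inventory hosts.ini
#   ansible all $(ping_args hosts.ini "$(key_loaded)" no)
```

To lose the sudo prompt without putting the password in the inventory in clear, encrypt it with `ansible-vault encrypt_string --stdin-name ansible_become_password`, paste the result into `group_vars/linux.yml`, and run with `--ask-vault-pass` (or a vault password file kept outside the repo). `ping` itself does not need become; it only fails with become on because Ansible still tries to escalate before running the module.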
Thank you for this course you have started. My question is: I am planning on implementing Ansible on a Proxmox cluster. I have created one VM and one CT on which I will be practicing. I followed your instructions and had no problem copying the SSH key to the VM, but for the CT I could only copy it and modify the sshd_config PermitRootLogin to yes. The key is in the root folder in the CT. For some reason, in the CT it is looking for the same folder that was created for the VM when I send the ping. Thank you
Hi Jim, I installed ansible (core 2.16.6) like you showed in the previous video on Ubuntu 22.04.4 LTS. But I don't seem to have an ansible folder in /etc. Any idea what the reason would be? Or do I need to create that myself?
Interesting, did you use the same OS and user as I did?
@Jims-Garage No, not yet. This was going to be the next troubleshooting step. But I'll have to go back a few videos 😊
It's a shame your git repo isn't available for cloning, saves copying and pasting haha. But I suppose it's for security reasons.