Sudo without password
Ansible needs root on the slave. One way is to allow 'sudo' without password.
Summary for gurus (the rest of us can read the article):
$ cat /etc/sudoers.d/sudoless
%sudoless ALL = (ALL) NOPASSWD: ALL
Draft: This article has commands written from memory. It has not gone trough quality assuarance and testing yet.
This short tutorial assumes you know the basics of Linux command line and have installed openssh-server.
Create the new user
Let's create a user and add it to "sudoless" group that we'll set up later. We'll call him antero, a neologism from "Ansible" and "Tero", yours truly.
Always use only good passwords. Never use bad passwords, even for a moment. Practice doing it right, don't practice doing it wrong.
$ sudo adduser antero
$ sudo groupadd sudoless
$ sudo adduser antero sudoless
Broken sudo insurance
Open a new window, ssh to target machine as needed. Then open a root shell using sudo.
If we break sudo, this might be a way to fix it. Otherwise, broken sudo prevents us from using sudo to fix the broken files.
$ sudo -i # just while fiddling with sudoers
We don't wont to work in the root shell (where the prompt is a hash "#").
So leave the root shell window behind and go back to the normal window.
New sudoers rule
Let's create a sudoers rule that allows members of "sudoless" group use 'sudo' without password.
Visudo runs our default $EDITOR. But has some checks for obvious errors.
As usual, we'll use .d/ dirs if available. And luckily, sudoers has /etc/sudoers.d/.
$ sudo visudo /etc/sudoers.d/sudoless
Add our oneliner there
%sudoless ALL = (ALL) NOPASSWD: ALL
What does the sudoers line mean?
| Token | Meaning |
|---|---|
| %sudoless | Percent "%" means group |
| ALL | All computers |
| = | Literal equals "=", a separator |
| (ALL) | Runas: may become any user, including root |
| NOPASSWD | Tag: don't prompt for password |
| : | Literal colon ":", a separator |
| ALL | All commands permitted |
So it's something like:
%group COMPUTERS: (RUNAS) TAG: COMMANDS.
Test
not tested == not done
New groups are effective only after logout-login. So if you're logged in as "antero", log out and back.
If you have recently given 'sudo' commands as "antero", sudo will remember your credentials for a while. Use 'sudo -k' to forget them.
$ ssh antero@localhost
$ sudo -k
$ sudo echo "See you at TeroKarvinen.com"
See you at TeroKarvinen.com
No password asked? Great! You now have passwordless sudo. You could use it with Ansible.
Adminstrivia
Sudo logo my Mark Stillman 2019, received under CC-BY-4.0.