security ssh ansible redhat

Redhat automated actions with passwordless root ssh


I have several actions that need to be performed on a network of servers.
For these actions I have two options:
Manually; this will take a lot of effort, and potentially I will need to do it over and over again on different networks.
Automatically, with scripts or Ansible that do not allow a password prompt when connecting with ssh.

Some of these actions require root access. For example, the useradd and groupadd commands need to be used.
Also, I will need to change several files in the etc and var folders.

In terms of security, is it safe and acceptable to require passwordless root ssh access so that Ansible or others will be able to do it?
If not, is it possible to add an official reference? Preferably the Red Hat site or other.
Notice that using a sudoer user is not permitted.


Solution

  • I would say no, "passwordless root ssh access" is not secure. However, you can use key-based authentication via ssh as root. In other words, you can do what you want to do, just not exactly how you described it.

    Adding users and groups is a very typical config mgmt task, and a perfect job for Ansible. I would suggest creating an Ansible playbook that uses the user and group modules rather than running the raw useradd and groupadd commands (see example below). However, this will require setting up the necessary ssh key-based authentication.

    Ansible can help with that task as well, but you'll have to authenticate with a password in order to set up the key-based auth.

    https://docs.ansible.com/ansible/latest/modules/user_module.html
    https://docs.ansible.com/ansible/latest/modules/group_module.html

    - name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
      user:
        name: johnd
        comment: John Doe
        uid: 1040
        group: admin
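
The workflow this answer describes, written out as one playbook. This is an added example, not part of the original answer: it installs a key for root, restricts root SSH to key authentication, then creates the group and user. The inventory group `managed`, the key file `files/ansible_ed25519.pub` and the control-node address `192.0.2.10` are assumed names; the first run has to authenticate with the root password (`ansible-playbook --ask-pass`), as the answer notes.

```yaml
---
# Added example. Assumed names: inventory group "managed", public key file
# files/ansible_ed25519.pub on the control node, control-node IP 192.0.2.10.
- name: Bootstrap key-based root SSH, then manage accounts
  hosts: managed
  remote_user: root
  tasks:
    - name: Install the control node's public key for root
      ansible.posix.authorized_key:
        user: root
        state: present
        key: "{{ lookup('file', 'files/ansible_ed25519.pub') }}"
        # Accept this key only from the control node (constructed address).
        key_options: 'from="192.0.2.10"'

    - name: Permit root over SSH with keys only, never with a password
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?\s*PermitRootLogin\s'
        line: PermitRootLogin prohibit-password
        # Refuse to write a config that sshd cannot parse.
        validate: /usr/sbin/sshd -t -f %s
      notify: Reload sshd
      # Assumes no drop-in under /etc/ssh/sshd_config.d overrides this value.

    - name: Ensure the 'admin' group exists before the user references it
      ansible.builtin.group:
        name: admin
        state: present

    - name: Add the user 'johnd' with a specific uid and a primary group of 'admin'
      ansible.builtin.user:
        name: johnd
        comment: John Doe
        uid: 1040
        group: admin

  handlers:
    - name: Reload sshd
      ansible.builtin.service:
        name: sshd
        state: reloaded
```

After the first run, later runs authenticate with the private key alone; keep that key passphrase-protected and loaded through `ssh-agent` on the control node rather than stored unencrypted.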