I am using Ansible 2.2 to manage some cloud servers from my laptop. I want to transfer an OpenSSL private key to a specific location on one of the servers, where nginx will use it to complete TLS. Naturally, this is a file that should be kept secret, so I encrypted it using Ansible Vault. But Vault only protects the file on disk on the control machine. It does not come into play when transferring data from the control machine to a managed node.
I want to make sure that the secret key is not at risk when someone monitors network traffic. There is not much mention of what I'm looking for in what I can see in the docs for the copy module. As far as I know, all of my communication with managed nodes runs through SSH. Is this a safe assumption? Does that include file transfers?
The answer depends on the type of connection.
There is an Ansible copy action plugin that is independent of the connection type. The source code for the plugin is here:
https://github.com/ansible/ansible/blob/bc66faa328b1413646ec249cd2753de5e09f1a35/lib/ansible/plugins/action/copy.py
It delegates the copy to ActionBase._transfer_file, which in turn delegates to Connection.put_file.
There are many different connection implementations, some of which are secure and some not. If you use the SSH connection, it uses scp or sftp for the actual copy and is secure.
This can be seen in the ssh source here:
https://github.com/ansible/ansible/blob/442af3744ebd60c7ffcaae22b61fb762ccc7c425/lib/ansible/plugins/connection/ssh.py#L954
There, put_file delegates to _file_transport_command, which can then use scp, sftp, smart or pipe. Smart determines which of the other three is best to use.
Note: there is also an Ansible copy module, which only copies files locally and has no need for a secure copy. That is what my previous answer mistakenly referred to, and so I deleted it.
You are right, all communication with managed nodes is done securely through ssh. Your vault is decrypted on the controller, the plaintext private key is sent through the secure ssh connection and dropped on your target node.
The plaintext private key may become insecure on your target node, depending on who can log in, the file owner, group memberships, access rights, etc. It is up to you to configure those securely.
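An added example (not from the question or either answer) showing one way to act on that last point: the key travels as a vault-encrypted variable, is written by the copy module over the SSH connection, and lands on the target with restrictive ownership and mode. The host group, the vault file, the variable name and the destination path are assumptions.

```yaml
# Added example, not from the original post or from Ansible itself.
# Assumes group_vars/webservers/vault.yml was created with
# "ansible-vault create" and defines a variable "nginx_tls_key" whose
# value is the PEM private key. Using a vaulted variable with the
# "content" parameter works on Ansible 2.2, which does not yet decrypt
# vault-encrypted files given as "src" to the copy module.
- hosts: webservers
  become: true
  tasks:
    - name: Create the nginx TLS directory, readable by root only
      file:
        path: /etc/nginx/ssl
        state: directory
        owner: root
        group: root
        mode: '0700'

    - name: Install the nginx TLS private key with restrictive permissions
      copy:
        content: "{{ nginx_tls_key }}"   # decrypted on the controller
        dest: /etc/nginx/ssl/nginx.key   # transferred over scp/sftp by the ssh plugin
        owner: root
        group: root
        mode: '0600'
      no_log: true   # keep the key contents out of task output and logs
      notify: reload nginx

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded
```

Run it with `ansible-playbook --ask-vault-pass site.yml`; `no_log` also suppresses the module arguments that `-v` would otherwise print, so the plaintext key is not echoed on the controller.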
Source: https://habr.com/ru/post/1271959/