In the Fundraising Team of Wikimedia Germany we maintain our own infrastructure, using the principle of Infrastructure as Code: We write every configuration change, every installed package, every other server setup tweak as a text file that we check into our version control system and peer-review. This way, we can replicate our setups, share knowledge and track changes and their context. While setting up a Graylog instance we discovered that its configuration file does not contain all the information.
By default, many Vagrant boxes install an SSH key for the default user of a virtual machine image. This is fully transparent and you can log in to the machine with the vagrant ssh command. But what if you want to log in with the standard ssh command, connect with rsync or run an Ansible playbook? This article shows how to find and reuse the connection parameters for your Vagrant box.
Encrypting credentials like SSH keys or database passwords and putting the encrypted file in a semi-public Git repository is both convenient and scary. Convenient because every user of the repository has to know only one password. Scary because you now rely on encryption and passwords instead of other security practices. So the question arose in my team: “Assuming there are no implementation errors, how secure are Ansible Vaults?” Since the first 10 Google results did not answer this question quickly enough, I decided to read the source code and answer the question myself.
This article will teach you how to create user accounts with the configuration management software Ansible. You will learn how to create users with passwords, SSH-only users and users with temporary passwords that must be changed.
Some background on passwords on Linux
The file /etc/passwd hints at passwords, but stores only an “x” or other character where the password has been stored historically. The real passwords are stored in the file /etc/shadow, in a hashed format.