Research on Secure Methods for Passing SSH Username and Password in Ansible

Overview of Ansible SSH Authentication Mechanism

Ansible, as a modern automation operations tool, provides multiple flexible ways to handle username and password for SSH connections. Compared to traditional SSH key authentication, password authentication offers unique advantages in certain scenarios, particularly for temporary tasks and dynamic environments.

Command-Line Parameter Authentication

Ansible provides the -k or --ask-pass command-line parameters for interactive password input. This method is suitable for temporary, one-time execution tasks where users are prompted to enter the SSH connection password during command execution.

ansible all -i inventory.ini -m ping -k

After executing the above command, the system will prompt the user to enter the SSH password. While this method is straightforward, it requires manual intervention and is not suitable for automated script scenarios.

Inventory Variable Configuration Method

Ansible supports directly defining the ansible_password variable in inventory files, which is the most commonly used method for automated authentication. Password variables can be set at either the host level or group level.

[webservers]
web1.example.com ansible_user=admin ansible_password=securepass123
web2.example.com ansible_user=admin ansible_password=securepass456

[databases]
db1.example.com ansible_user=dbadmin ansible_password=dbpass789

This approach tightly integrates authentication information with host configuration, making it easy to manage and maintain. However, attention must be paid to the security of password storage, and it is recommended to use Ansible Vault for encryption.

Extra Variables Parameter Passing

The --extra-vars parameter allows direct passing of username and password variables on the command line, making it particularly suitable for temporary, specific requirements.

ansible all --inventory=10.0.1.2, -m ping \
  --extra-vars "ansible_user=root ansible_password=yourpassword"

For Linux hosts in Windows domain environments, escape characters can be used to handle domain user formats:

ansible --module-name ping \
  --extra-vars 'ansible_user=domain\user ansible_password=PASSWORD' \ 
  --inventory 10.10.6.184, all

Configuration File Default Settings

Through the ansible.cfg configuration file, default inventory file paths and other connection parameters can be set. Referencing Vagrant project practices, configuration files can be created in the project directory:

[defaults]
inventory = ./.vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory

After configuration, the following command can be used to verify that the inventory file is correctly loaded:

ansible all --list-hosts

Security Best Practices

Although Ansible provides multiple methods for passing passwords, security considerations must be addressed in production environments:

• Prioritize SSH key authentication to avoid password transmission over the network
• If passwords must be used, combine them with Ansible Vault for encrypted storage
• Avoid using plaintext passwords directly on the command line
• Regularly rotate passwords and implement the principle of least privilege
• Use temporary tokens or session keys instead of long-term valid passwords

Integrated Application Scenario Analysis

When integrating Ansible into Python software, appropriate authentication methods can be selected based on specific requirements:

• For highly automated scenarios, recommend using inventory variables combined with Ansible Vault
• For interactive tools, the -k parameter can provide a user-friendly password input experience
• For temporary debugging tasks, --extra-vars offers maximum flexibility

By reasonably combining these methods, an optimal balance between security and convenience can be achieved to meet the needs of different application scenarios.