Introduction
Ansible is a powerful open-source automation tool used for configuration management, application deployment, and task automation. It simplifies the management of complex IT infrastructure by allowing you to define tasks and configurations as code. One crucial aspect of Ansible’s functionality is its configuration file, ansible.cfg. This file serves as a central point for configuring various settings and options for Ansible. In this article, we will explore the content of a sample ansible.cfg file and explain its key sections.
OpenSSH Security Implications
It’s important to note that the sample ansible.cfg file below relates to a change in OpenSSH from Red Hat Enterprise Linux (RHEL) 9 onward: the deprecation of the SCP protocol. This change has significant security implications:
- SCP Deprecation: In RHEL 9, the SCP protocol is deprecated. The SCP command line tool now uses the SFTP protocol for file transfers by default. This change is driven by the fact that the SCP protocol is outdated and carries multiple security risks and issues.
- Use of -O Option: Usage of the SCP protocol can be restored temporarily using the newly added -O option with the SCP command. However, it’s important to be aware that this option may not be available in future major releases.
- Disabling SCP: It’s possible to completely disable the SCP protocol on a system by creating the file /etc/ssh/disable_scp. Any attempt to use the SCP protocol on a system with this file will fail.
- Security Risks: The SCP protocol is less secure than the SFTP protocol and poses certain security risks. For example, CVE-2020-15778 is cited as one of the security vulnerabilities associated with SCP.
- Migration and Alternatives: If the SCP protocol change affects your system, consider upgrading to a recent version of RHEL or explore alternatives like using SFTP or rsync for file transfers, which offer better security and compatibility.
Links
- https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-1577
Understanding ansible.cfg
The ansible.cfg file is a plain text configuration file that can be used to customize Ansible’s behavior. It provides a way to override default settings and adapt Ansible to specific use cases and environments. The file is typically located in the /etc/ansible/ directory on a Linux system. However, you can also create a custom ansible.cfg file in your project directory to apply configuration settings specifically to that project.
In this article, we’ll dissect a sample ansible.cfg file to understand its different sections and the options it contains.
Sample ansible.cfg File
[ssh_connection]
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method = scp
scp_extra_args = -O
scp_if_ssh = True
Key Sections and Options
[ssh_connection]: This section defines settings related to SSH connections, which are crucial for Ansible to communicate with remote hosts over SSH. Let’s break down the options within this section:
- ssh_args: This option specifies additional arguments to pass to the SSH command. In this case, it sets the -F option to /dev/null, which means Ansible will use an empty SSH configuration file. The -o options set ControlMaster=auto and ControlPersist=60s, which enable SSH connection sharing and persistence for improved performance.
- transfer_method: Specifies the method Ansible should use for transferring files to remote hosts. In this example, it’s set to scp, which uses the Secure Copy Protocol for file transfers. The default value is smart, which prefers the SFTP protocol and falls back to SCP.
- scp_extra_args: This option allows you to provide extra arguments to the scp command. The -O argument is used for OpenSSH versions 9.0 and above, where it restores use of the legacy SCP protocol.
- scp_if_ssh: A legacy option that determines whether to use the SCP method if SSH is used for file transfers instead of SFTP. In this case, it’s set to True.
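To find projects that still carry these settings, the following added example (not part of the original article or of Ansible itself) parses an ansible.cfg and reports every [ssh_connection] option that keeps file transfers on the legacy SCP protocol. The function names are hypothetical, and the list of scp options that take a value is an assumption based on the scp(1) manual page.

```python
import configparser
import shlex

# Constructed sample: the [ssh_connection] section shown in this article.
SAMPLE_CFG = """\
[ssh_connection]
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method = scp
scp_extra_args = -O
scp_if_ssh = True
"""

# scp options that consume a value (assumption, taken from scp(1)).
SCP_OPTS_WITH_ARG = set("cDFiJloPSX")


def forces_legacy_protocol(extra_args):
    """True if the scp argument string contains -O, alone or in a cluster like -qO."""
    skip_next = False
    for tok in shlex.split(extra_args):
        if skip_next:  # this token is the value of the previous option
            skip_next = False
            continue
        if not tok.startswith("-") or tok.startswith("--"):
            continue
        for pos, ch in enumerate(tok[1:], start=1):
            if ch == "O":
                return True
            if ch in SCP_OPTS_WITH_ARG:
                # The rest of the token, or the next token, is the option's value.
                skip_next = pos == len(tok) - 1
                break
    return False


def audit_ssh_connection(cfg_text):
    """Return {option: reason} for settings that keep Ansible on legacy SCP."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    sec = parser["ssh_connection"] if parser.has_section("ssh_connection") else {}
    findings = {}
    if sec.get("transfer_method", "").strip().lower() == "scp":
        findings["transfer_method"] = "pins file transfer to scp instead of sftp/smart"
    if forces_legacy_protocol(sec.get("scp_extra_args", "")):
        findings["scp_extra_args"] = "-O re-enables the deprecated SCP protocol"
    if sec.get("scp_if_ssh", "").strip().lower() in ("true", "yes", "1", "on"):
        findings["scp_if_ssh"] = "legacy switch that selects scp over sftp"
    return findings
```

Calling audit_ssh_connection(SAMPLE_CFG) on the article's sample flags all three options, while a value such as -o IdentitiesOnly=yes is not mistaken for -O.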
Conclusion
The ansible.cfg file is vital to Ansible’s configuration, allowing users to tailor the tool to their specific needs. While this article primarily focused on the ansible.cfg file’s content, it’s crucial to stay informed about changes in related technologies, such as the deprecation of the SCP protocol from Red Hat Enterprise Linux 9 onward, to ensure the security and efficiency of your automation workflows. Customizing Ansible’s configuration, as well as adapting to changes in underlying protocols, is essential for effective automation and system management.