From bcc863490774b11bfaec1be53c23725b9e756fb1 Mon Sep 17 00:00:00 2001 From: Phil Nelson Date: Sat, 9 Jul 2016 16:52:21 -0600 Subject: [PATCH] Trellis: Switch to automated handling of user passwords --- trellis/passwords.md | 16 +++++++++++----- trellis/security.md | 26 ++++---------------------- 2 files changed, 15 insertions(+), 27 deletions(-) diff --git a/trellis/passwords.md b/trellis/passwords.md index b6c5c40e..7f47ba15 100644 --- a/trellis/passwords.md +++ b/trellis/passwords.md @@ -16,13 +16,19 @@ publish_to_discourse: --- There are a few places you'll want to set/change passwords: -* `group_vars//vault.yml` - `vault_mysql_root_password` -* `group_vars//vault.yml` - `vault_sudoer_passwords` -* `group_vars/development/vault.yml` - `vault_wordpress_sites.admin_password` -* `group_vars//vault.yml` - `vault_wordpress_sites.env.db_password` +`group_vars//vault.yml` +* `vault_mysql_root_password` +* `vault_users.*.password` +* `vault_wordpress_sites.*.env.db_password` + +`group_vars/development/vault.yml` +* `vault_wordpress_sites.admin_password` + +`group_vars/all/vault.yml` +* `vault_mail_password` For staging/production environments, it's best to randomly generate longer passwords using something like [random.org](http://www.random.org/passwords/). You may be concerned about setting plaintext passwords in a Git repository, and you should be. We strongly recommend you encrypt these passwords before committing them to your repo. Trellis is structured to make it easy to enable [Ansible Vault](https://roots.io/trellis/docs/vault/) to encrypt select files. Alternatively, you could try an option such as [Git Encrypt](https://github.com/shadowhand/git-encrypt). -Note: Any type of server configs such as this playbook should always be in a **private** Git repository. \ No newline at end of file +Note: Any type of server configs such as this playbook should always be in a **private** Git repository. 
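Review bot: the random.org recommendation for staging/production passwords (linked over plain http) routes secret material through a third-party site, and this hunk now lists more secrets under it (`vault_users.*.password`, `vault_wordpress_sites.*.env.db_password`, `vault_mail_password`); point readers at a local CSPRNG instead, e.g. `openssl rand -base64 32`, and keep the rest of the paragraph. Two smaller points on the reorganised list: `group_vars//vault.yml` reads as an empty path segment next to `group_vars/development/vault.yml` and `group_vars/all/vault.yml`, so either restore the environment placeholder or say it stands for each environment directory; and since `vault_users.*.password` is stored unhashed (see the security.md change in this same patch), the "you should be" concerned sentence could state plainly that this file must be Ansible Vault-encrypted before it is committed rather than leaving it as a strong recommendation.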
diff --git a/trellis/security.md b/trellis/security.md index b7efb15b..e4601032 100644 --- a/trellis/security.md +++ b/trellis/security.md 
@@ -16,32 +16,14 @@ publish_to_discourse: --- ## Locking down root -The `sshd` role heightens your server's security by providing better SSH defaults, disabling password authentication for SSH access, and optionally disabling SSH `root` login. To disable `root` login: - -* Set `sshd_permit_root_login: false` in `group_vars/all/security.yml` -* Set a sudoer password for the `admin_user` user (see below) -* Run the `server.yml` playbook (see note about `--ask-become-pass` in "Admin User" section below) - -You may toggle `sshd_permit_root_login` between `true` or `false` on a server that is already provisioned. +The `sshd` role heightens your server's security by providing better SSH defaults. SSH password authentication will be disabled. We encourage you to disable SSH `root` login as well. You may adjust these two particular options in `group_vars/all/security.yml`. ## Admin user -When you set `sshd_permit_root_login: false` and run the `server.yml` playbook, it will connect as `root` one final time and disable `root` login. On subsequent runs, `server.yml` will connect as the `admin_user` defined in `group_vars/all/users.yml` (default `admin`). - -With `root` login disabled, the `admin_user` will need to run commands using `sudo` with a password, so you will need to add the option [`--ask-become-pass`](http://docs.ansible.com/ansible/become.html#new-ansible-variables) when running `server.yml`. -``` -ansible-playbook server.yml -e env=production --ask-become-pass -``` -This prompts you to enter the sudoer password described in the "Admin User Sudoer Password" section below. See the [SSH Keys docs](https://roots.io/trellis/docs/ssh-keys/) for more information about Trellis SSH users. +The first provision via the `server.yml` playbook will create the `admin_user` and set up related [SSH Keys](https://roots.io/trellis/docs/ssh-keys/). If you disable `root` login, subsequent connections will be made as the `admin_user`. 
## Admin user sudoer password -While `server.yml` provisions your server as the `admin_user`, it will perform some operations using `sudo` with a password. You will need to set the sudoer password for `admin` in the list of `vault_sudoer_passwords` defined in `group_vars//vault.yml`. Here is an example: - -```yaml -vault_sudoer_passwords: - admin: $6$rounds=100000$JUkj1d3hCa6uFp6R$3rZ8jImyCpTP40e4I5APx7SbBvDCM8fB6GP/IGOrsk/GEUTUhl1i/Q2JNOpj9ashLpkgaCxqMqbFKdZdmAh26/ - another_user: $6$rounds=100000$r3ZZsk/uc31cAxQT$YHMkmKrwgXr3u1YgrSvg0wHZg5IM6MLEzqOraIXqh5o7aWshxD.QaNeCcUX3KInqzTqaqN3qzo9nvc/QI0M1C. -``` +If `root` login is disabled and the `server.yml` playbook connects as the `admin_user`, it will invoke `sudo` using the password in `vault_users` (`group_vars//vault.yml`). If you run the playbook with `--ask-become-pass`, Trellis will use the password you enter via the CLI. You are strongly encouraged to protect the sensitive `vault_users` information by enabling Ansible [Vault](https://roots.io/trellis/docs/vault/). -The passwords were generated using the python command [found here](http://docs.ansible.com/faq.html#how-do-i-generate-crypted-passwords-for-the-user-module). The passwords generated here are `example_password` and `another_password`, respectively. The ansible user module doesn't handle any encryption and passwords must be encrypted beforehand. It's also recommended `group_vars//vault.yml` be encrypted using [Ansible Vault](https://roots.io/trellis/docs/vault/). \ No newline at end of file +The `vault_sudoer_passwords` dictionary is no longer used, having been replaced by `vault_users` in [roots/trellis#614](https://github.com/roots/trellis/pull/614). Convert to the new variable format by inserting the raw (unhashed) password for each user into `vault_users`. The new format frees you from having to manually hash your passwords and from having to use the `--ask-become-pass` CLI option.
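Review bot: "You are strongly encouraged to protect the sensitive `vault_users` information" is too weak once `vault_users` holds raw (unhashed) passwords: the old `vault_sudoer_passwords` example stored `$6$rounds=100000$...` SHA-512 crypt hashes, while the migration paragraph tells users to insert the plaintext sudo password, so `group_vars//vault.yml` now contains a working credential for the account that replaces `root`; state that the file must be Ansible Vault-encrypted before commit and move that sentence next to the conversion instructions. The "Locking down root" rewrite also drops the concrete key `sshd_permit_root_login: false`, the order of operations (set it, set the admin password, run `server.yml`, which connects as `root` one final time), and the note that it can be toggled on an already provisioned server; "adjust these two particular options" names neither option, so restore the key names. Lastly, removing the YAML example leaves no illustration of the `vault_users` shape (keyed by username or a list of entries), which the "Convert to the new variable format" sentence needs; a three-line snippet there would prevent migration mistakes.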