Introduction
Ansible is a powerful open-source automation tool used for configuration management, application deployment, and task automation. It simplifies the management of complex IT infrastructure by allowing you to define tasks and configurations as code. One crucial aspect of Ansible’s functionality is its configuration file, ansible.cfg. This file serves as a central point for configuring various settings and options for Ansible. In this article, we will explore the content of a sample ansible.cfg file and explain its key sections.
OpenSSH Security Implications
Note that the sample ansible.cfg file shown below refers to a change in OpenSSH from Red Hat Enterprise Linux (RHEL) 9 onward: the deprecation of the SCP protocol. This change has significant security implications:
- SCP Deprecation: In RHEL 9, the SCP protocol is deprecated. The SCP command line tool now uses the SFTP protocol for file transfers by default. This change is driven by the fact that the SCP protocol is outdated and carries multiple security risks and issues.
- Use of `-O` Option: Usage of the SCP protocol can be restored temporarily using the newly added `-O` option with the SCP command. However, it’s important to be aware that this option may not be available in future major releases.
- Disabling SCP: It’s possible to completely disable the SCP protocol on a system by creating the file `/etc/ssh/disable_scp`. Any attempt to use the SCP protocol on a system with this file will fail.
- Security Risks: The SCP protocol is less secure than the SFTP protocol and poses certain security risks. For example, CVE-2020-15778 is cited as one of the security vulnerabilities associated with SCP.
- Migration and Alternatives: If the SCP protocol change affects your system, consider upgrading to a recent version of RHEL or exploring alternatives such as SFTP or rsync for file transfers, which offer better security and compatibility.
Links
- https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-15778
Understanding ansible.cfg
The ansible.cfg file is a plain text configuration file that can be used to customize Ansible’s behavior. It provides a way to override default settings and adapt Ansible to specific use cases and environments. The file is typically located in the /etc/ansible/ directory on a Linux system. However, you can also create a custom ansible.cfg file in your project directory to apply configuration settings specifically to that project.
In this article, we’ll dissect a sample ansible.cfg file to understand its different sections and the options it contains.
Sample ansible.cfg File
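```ini
[ssh_connection]
# Ignore ssh_config files and reuse one multiplexed connection for 60 seconds
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
# Use the scp command for file transfers
transfer_method = scp
# Pass -O so scp uses the legacy SCP protocol instead of SFTP
scp_extra_args = -O
# True also forces scp for file transfers
scp_if_ssh = True
```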
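As an added example (not from the original article or the Ansible project), the following Python script audits an ansible.cfg for the settings that route file transfers through the legacy SCP protocol, using the sample above as constructed input. The function name, the findings wording and the accepted truthy spellings are assumptions made for this illustration.

```python
import configparser
import shlex

# Constructed sample input: the [ssh_connection] section from this article.
SAMPLE_CFG = """\
[ssh_connection]
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method = scp
scp_extra_args = -O
scp_if_ssh = True
"""

# scp(1) short flags that take no argument, so they can be bundled (e.g. -qO).
NO_ARG_FLAGS = set("346ABCOpqRrsTv")
# Assumed set of truthy spellings for this illustration.
TRUTHY = {"1", "true", "yes", "on"}


def audit_scp_settings(cfg_text):
    """Return (option, value, finding) tuples for settings that select legacy SCP."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("ssh_connection"):
        return []
    section = parser["ssh_connection"]
    findings = []

    method = section.get("transfer_method", "").strip().lower()
    if method == "scp":
        findings.append(("transfer_method", method, "forces scp; sftp avoids it"))

    legacy = section.get("scp_if_ssh", "").strip().lower()
    if legacy in TRUTHY:
        findings.append(("scp_if_ssh", legacy, "forces scp; sftp avoids it"))

    for arg in shlex.split(section.get("scp_extra_args", "")):
        flags = arg[1:] if arg.startswith("-") else ""
        # Only a bundle of argument-less flags can carry -O; this skips
        # values such as -oIdentitiesOnly=yes that merely contain an "O".
        if "O" in flags and set(flags) <= NO_ARG_FLAGS:
            findings.append(("scp_extra_args", arg, "re-enables the SCP protocol"))
    return findings


if __name__ == "__main__":
    for option, value, finding in audit_scp_settings(SAMPLE_CFG):
        print(f"[ssh_connection] {option} = {value}: {finding}")
```

Run against the sample, it reports all three SCP-related options; a configuration with `transfer_method = sftp` and no `-O` produces no findings.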
Key Sections and Options
- `[ssh_connection]`: This section defines settings related