Ansible - Privilege Escalation

 
Ansible - Privilege Escalation
- ssh key
- AWS instance as a managed node
- sudo



Linux OS -> root - full access - full power -> Privilege
Disable root login because of security


# useradd sam; passwd sam

You can use this account to login to your system.

give user extra power -> by -> privilege escalation - by using sudo



Control Node (CN) -> PB -> package -> connect to TN using ssh.

Target Node (TN) -> No root, create a user sam and give full access
# visudo
sam ALL=(ALL)    ALL


Inventory file
# cat /root/myhosts
[myweb]
192.
ansible_user=sam ansible_sssh_pass=q ansible

[myweb]
worker1 ansible_user=sam ansible_ssh_pass=q ansible_connection=ssh
worker2 ansible_user=sam ansible_ssh_pass=changeme ansible_connection=ssh


# ansible myweb - package -a "name=httpd state=present"
This command will fail.

The reason is:
- go to visudo and give sam user extra power
- and become root to run this command.

# ansible myweb - -m command -a id
This command is successful as a user sam.

but we are talking about previlege escalation

how do we do it?

1. First login with other use but don't run it as a normal user sam.
# ansible -h | grep become

look for become option.

# ansible 192.168.10.20 -m command -a id --become --become-user root --become-methos sudo

# ansible-doc -t become -l

# ansible 192.168.10.20 -m command -a id --become --become-user root --become-methos sudo --ask-become-pass


[root@master ~]# ansible worker1 -m package -a "name=httpd state=present" --become ---become-user root --become-methos sudo --ask-become-pass



Go to ansible conf file and add following conent

[ privilege_escalation]
become=true
become_methos=sudo
become_user=root
become_ask_pass=true # ask pw, false will not prompt for pw.
but yo have to edit sudoers file ...
sam all=all    nopasswd:all


Since you write on your conf file, now, you can supply

ansible worker1 -m  command -a id --become --become-user root --become-method sudo --ask-become-pass

ansible worker1  -m command -a id



In case of EC2 -> We never login as root user. ec2-user

on your inventory @control node, you can't use user=root since it is disable
so, you have to use normal user with sudo power.
so login as ec2-user and run the command as root. so become is use ful...



keys or ssh-key
--------------

ssh to remove system
- ask you for username/pw

you create key
- private key
- public key

take public key to other nodes

On control node run
$ ssh-keygen

it will generate two keys
you never share your private key but share your public key

If user @other end accepts your putblic key, and you inititate adn ssh connection
to remote machine, you can login without password

To share your pubic ckey
$ ssh-copy-id sam@remove-host

Now, login
$ ssh user@remove-host

you are logged in without pw...

# cat .ssh/id.rsa -> private key

CN
- create a VM
- Create an inventory file
   ip address -> user -> pw/ssh-private-key  (download the key and upload on your cn)

GOOGLE FOR ANSIBLE INVENTORY FILE

ansible_ssh_private_key_file ...
review other options

from your laptop -> login to aws EC2 and run ansible ad-hoc commands..
you don't have to configure anything since the use comes with sodo access..