Best alternative to SSH in Ansible? - ansible

I want to connect to a remote host machine on both Linux and Windows without SSH, using an Ansible playbook. Is there any way to do that?

As per the documentation it is possible to extend Ansible with a connection plugin such as SNMP or message bus. You can get a list of possible connection plugins with the command below.
ansible-doc -t connection -l
For Windows, usually WinRM is used. SSH does also work on Windows and takes less effort to set up securely in my opinion.
When using WinRM you have a few options, the one that you should use depends on the type of environment. Depending on what option you use, it can take some effort to set up properly.
Basic Authentication (generally insecure, not recommended);
Certificate Authentication (similar to SSH keys);
NTLM (older protocol that supports domain users);
Kerberos (generally recommended when running in a domain environment).
CredSSP (supports stuff like credential delegation)
Generally I would recommend SSH for Linux, it's easy to set up and secure. Your question does not specify why you can not use SSH, so I can't advise on that.

Related

Is there a way to remote debug on a different subnet in Visual Studio?

I have a client who is remote. I need to debug some weird problem that none of my other clients are having. Before I try and set up a conference with this client, I would like to know if there is some way of remotely debugging our application.
I see that there are remote debugging tools available for Visual Studio, but from what I've read, I need to be on the same subnet. As the person is remote, this is not a possibility. Also, as I'd like to keep our connection secure, I would need to connect up some sort of encrypted tunnel (this is where I'm a little fuzzy as my networking skills are mostly theoretical).
As I understand it, an encrypted tunnel is a bridge to another (different) subnet. This is to ensure that those computers on the other side won't interfere with the local subnet computers.
So, because the client's computer is on a different subnet, I think that this is not possible. Or is it? Should there not be a way of making the client's computer show up as a virtual computer on my subnet, by forwarding packets from one subnet to another? I would think that this is theoretically possible, but I'm not exactly sure how I would go about this.
Also, at the moment, my current way that we connect to clients is through GoToMeeting, but I don't think that it supports tunneling. If not, then I may need some way of generating a tunnel, so I was also thinking of maybe using some SSH programme like PuTTY.
As I have said before, my knowledge of networking is quite theoretical, so if the tools that I am suggesting are not the correct ones, please correct me. (I'm a programmer, damm it! Not a network engineer!)
Both computers are Windows boxes. Windows 10 (client) and Windows 8.1 (development).
If you can connect to an ssh server in the remote network, you can (subject to configuration on the server) create a tunnel such that you connect to a socket on your local pic and the connection appears from the server to an endpoint on the remote network.
You'll want to investigate the -L command of OpenSSH, which combined with the PuTTY docs, should help explain what's required.
By default, the endpoint would be a port on the ssh server, but it could be a port on a different host that the remote server can connect to.
I'm not familiar with the current state of Windows SSH servers, but even if there isn't a system server to hand, you should be able to have on run 'on demand' - if you run it on a non-privileged port and by the user you want to connect in as, it shouldn't even need Admin privileges.
I'm not familiar with GoToMeeting, but the one thing with SSH tunnelling it that IT depts should be familiar with SSH. If trying that, focus on getting a working connection in, then setting up the tunnel, then connecting through it as separate steps.
Once you have an SSH connection, then it doesn't need to do something itself, and you can then investigate connecting while specifying the port forwarding, but will will need to get the basic connection working correctly first.

Bind Mac (10.10.2) to Active Directory through SSH tunnel

I am attempting to Bind my Mac to a University AD server through an SSH tunnel. I have successfully created the tunnel and can access the directory by ldapsearch using the address localhost:389
The problem is that I wish to bind the computer through either the Directory Utility or dsconfigad but I get an error:
dsconfigad: Authentication server could not be contacted. (5200)
Could it be because I need to port forward more ports than just 389? or would it be a limitation put in place by the Directory Admins?
Active Directory is far more than LDAP - at the very least you'd need Kerberos, but it also tightly integrates with DNS (both SRV and A records), which'd require significant trickiness to fake over an SSL connection.
Realistically, I think you're going to need (at least) a full VPN connection to do this.

How to secure access to neo4j remote shell?

I am running neo4j as embedded service in Jetty / webapp, but for support purposes I need shell access to it. I can enable remote shell using approach described here, but because I am using a shared hosting this does not feel secure enough, I would prefer some additional protection, e.g. username/password. Is that possible? Neo4j docs on securing the server only seem to apply to the web admin interface.
There is no authentication in remote shell.
The way to secure access is to protect the remote shell port using iptables and access the shell from outside using ssh port forwarding or a vpn.
If running in a shared hosting environment you need to take care that the remote shell port is not accessible by others. This can be done e.g. by running Neo4j in a lxc container e.g. using docker.io.
And if you run server, you can use the REST based endpoint for the Neo4j shell which is also protected by the basic-auth user authentication that you can put in front of the server.
E.g. by something like this:
https://gist.github.com/jexp/8213614

What are some options for securing redis db?

I'm running Redis locally and have multiple machines communicating with redis on the same port -- any suggestions for good ways to lock down access to Redis? The database is run on Mac OS X. Thank you.
Edit: This is assuming I do not want to use the built-in (non backwards compatible) Redis requirepass directive in the config.
On EC2 we lock down the machines that can make requests to the redis port on our redis box to only be our app box (we also only use it to store non-sensitive data).
Another option could be to not open up the redis port externally, but require doing port forwarding through an ssh tunnel. Then you could only allow requests coming through the tunnel and only allow ssh with a known key.
You'd pay the ssh penalty, but maybe that's ok for your scenario.
There is a simple requirepass directive in the configuration file which allow access only to clients who authenticate through AUTH command. I recommend to read docs on this command, namely the "note" section.

no password ssh auth in new amazon instances

I have a script that interact with an external host with rsync/ssh.
SSH prompts me to confirm the authenticity of the host like this:
The authenticity of host 'xxxxxxxxxxxxxxxxxx' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no)?
Since every EC2 instance is a new host, I have to confirm this every time, but I want an automatic script without any user input. What is the best solution?
I know I can add -O StrictHostKeyChecking=no , but that would make external host insecure.
EDIT ! : is it possible to use my PEM file to authenticate in other servers ? I mean, mayb installing something in the external server and connect in the same way I do with instances and the PEM file
Thank you
You could try to use expect:
Expect is a Unix automation and
testing tool, written by Don Libes as
an extension to the Tcl scripting
language, for interactive applications
such as telnet, ftp, passwd, fsck,
rlogin, tip, ssh, and others. It uses
Unix pseudo terminals to wrap up
subprocesses transparently, allowing
the automation of arbitrary
applications that are accessed over a
terminal.
Although you might have some challenge to make it work in those cases where you connect to the same IP for a non-first time and ssh will not ask.
I think this article verify-ssh-keys-on-ec2-instances might have the information you need, or at least a starting point to scripting something.

Resources