Ansible Configuration File ansible.cfg for OpenSSH SCP Option
A Deep Dive into Ansible’s Custom Configuration for Secure File Transfers
Ansible is a powerful open-source automation tool used for configuration management, application deployment, and task automation. It simplifies the management of complex IT infrastructure by allowing you to define tasks and configurations as code. One crucial aspect of Ansible’s functionality is its configuration file, ansible.cfg. This file serves as a central point for configuring various settings and options for Ansible. In this article, we will explore the content of a sample ansible.cfg file and explain its key sections.
OpenSSH Security Implications
It’s important to note that the sample ansible.cfg file discussed in this article relates to a change in OpenSSH from Red Hat Enterprise Linux (RHEL) 9 onward: the deprecation of the SCP protocol. This change has significant security implications:
- SCP Deprecation: In RHEL 9, the SCP protocol is deprecated. The SCP command line tool now uses the SFTP protocol for file transfers by default. This change is driven by the fact that the SCP protocol is outdated and carries multiple security risks and issues.
- Use of -O Option: Usage of the SCP protocol can be restored temporarily using the newly added -O option with the SCP command. However, it’s important to be aware that this option may not be available in future major releases.
- Disabling SCP: It’s possible to completely disable the SCP protocol on a system by creating the file /etc/ssh/disable_scp. Any attempt to use the SCP protocol on a system with this file will fail.
- Security Risks: The SCP protocol is less secure than the SFTP protocol and poses certain security risks. For example, CVE-2020-15778 is cited as one of the security vulnerabilities associated with SCP.
- Migration and Alternatives: If the SCP protocol change affects your system, consider upgrading to a recent version of RHEL or explore alternatives like using SFTP or rsync for file transfers, which offer better security and compatibility.
The ansible.cfg file is a plain text configuration file that can be used to customize Ansible’s behavior. It provides a way to override default settings and adapt Ansible to specific use cases and environments. The file is typically located in the /etc/ansible/ directory on a Linux system. However, you can also create a custom ansible.cfg file in your project directory to apply configuration settings specifically to that project.
In this article, we’ll dissect a sample ansible.cfg file to understand its different sections and the options it contains.
Sample ansible.cfg File
[ssh_connection]
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method = scp
scp_extra_args = -O
scp_if_ssh = True
Key Sections and Options
[ssh_connection]: This section defines settings related to SSH connections, which are crucial for Ansible to communicate with remote hosts over SSH. Let’s break down the options within this section:
- ssh_args: This option specifies additional arguments to pass to the SSH command. In this case, it sets the -F option to /dev/null, which means Ansible will use an empty SSH configuration file. The -o options set ControlMaster=auto and ControlPersist=60s, which enable SSH connection sharing and persistence for improved performance.
- transfer_method: Specifies the method Ansible should use for transferring files to remote hosts. In this example, it’s set to scp, which uses the Secure Copy Protocol for file transfers. The default value is smart, which prefers the SFTP protocol and falls back to SCP.
- scp_extra_args: This option allows you to provide extra arguments to the scp command. The -O argument is used for OpenSSH versions 9.0 and above.
- scp_if_ssh: A legacy option that determines whether to use the SCP method if SSH is used for file transfers instead of SFTP. In this case, it’s set to True.
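As an added example (not code from the original article), the following Python audit parses an ansible.cfg and reports the [ssh_connection] options that route file transfers through the legacy SCP protocol. Both sample files are constructed for illustration, and the function name audit_ssh_connection is hypothetical.

```python
import configparser
import shlex

# Constructed sample: the ansible.cfg discussed in the article.
SAMPLE_LEGACY = """\
[ssh_connection]
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method = scp
scp_extra_args = -O
scp_if_ssh = True
"""

# Constructed sample: the same SSH arguments with transfers pinned to SFTP.
SAMPLE_SFTP = """\
[ssh_connection]
ssh_args = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method = sftp
"""


def audit_ssh_connection(cfg_text):
    """Return (option, value, reason) tuples for settings that select SCP."""
    # interpolation=None so a literal '%' in ssh_args is not treated as a macro.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("ssh_connection"):
        return []
    sec = parser["ssh_connection"]
    findings = []

    method = sec.get("transfer_method", fallback="smart").strip().lower()
    if method == "scp":
        findings.append(("transfer_method", method, "transfers forced through scp"))

    extra = sec.get("scp_extra_args", fallback="")
    # Exact-token match only; flags combined into one token are not detected.
    if "-O" in shlex.split(extra):
        findings.append(("scp_extra_args", extra, "-O restores the legacy SCP protocol"))

    legacy = sec.get("scp_if_ssh", fallback="").strip().lower()
    if legacy in ("true", "yes", "on", "1"):
        findings.append(("scp_if_ssh", legacy, "legacy switch selecting scp over sftp"))
    return findings


if __name__ == "__main__":
    for option, value, reason in audit_ssh_connection(SAMPLE_LEGACY):
        print(f"{option} = {value}: {reason}")
```

Run against a project tree, the same function can be fed the text of each ansible.cfg to find playbooks that will stop working on hosts where /etc/ssh/disable_scp exists.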
The ansible.cfg file is vital to Ansible’s configuration, allowing users to tailor the tool to their specific needs. While this article primarily focused on the ansible.cfg file’s content, it’s crucial to stay informed about changes in related technologies, such as the deprecation of the SCP protocol from Red Hat Enterprise Linux 9 onward, to ensure the security and efficiency of your automation workflows. Customizing Ansible’s configuration, as well as adapting to changes in underlying protocols, is essential for effective automation and system management.