Ansible Configuration File ansible.cfg for OpenSSH SCP Option

A Deep Dive into Ansible’s Custom Configuration for Secure File Transfers

October 4, 2023

Introduction

Ansible is a powerful open-source automation tool used for configuration management, application deployment, and task automation. It simplifies the management of complex IT infrastructure by allowing you to define tasks and configurations as code. One crucial aspect of Ansible’s functionality is its configuration file, ansible.cfg. This file serves as a central point for configuring various settings and options for Ansible. In this article, we will explore the content of a sample ansible.cfg file and explain its key sections.

OpenSSH Security Implications

It’s important to note that the following sample ansible.cfg file mentioned a change in OpenSSH since Red Hat Enterprise Linux (RHEL) 9 onward regarding the deprecation of the SCP protocol. This change has significant security implications:

• SCP Deprecation: In RHEL 9, the SCP protocol is deprecated. The SCP command line tool now uses the SFTP protocol for file transfers by default. This change is driven by the fact that the SCP protocol is outdated and carries multiple security risks and issues.
• Use of -O Option: Usage of the SCP protocol can be restored temporarily using the newly added -O option with the SCP command. However, it’s important to be aware that this option may not be available in future major releases.
• Disabling SCP: It’s possible to completely disable the SCP protocol on a system by creating the file /etc/ssh/disable_scp. Any attempt to use the SCP protocol on a system with this file will fail.
• Security Risks: The SCP protocol is less secure than the SFTP protocol and poses certain security risks. For example, CVE-2020–15778 is cited as one of the security vulnerabilities associated with SCP. Migration and Alternatives: If the SCP protocol change affects your system, consider upgrading to a recent version of RHEL or explore alternatives like using SFTP or rsync for file transfers, which offer better security and compatibility.

Links

• https://docs.ansible.com/ansible/latest/collections/ansible/builtin/ssh_connection.html
• https://nvd.nist.gov/vuln/detail/CVE-2020-1577

The Best Resources For Ansible

Certifications

• The Linux Foundation Linux Performance Tuning - Build a broad toolkit to optimize Linux performance from the kernel up

• Coursera Pro - Unlimited access to 7,000+ world-class courses, hands-on projects, and job-ready certificate programs—all included in your subscription

Video Course

• Udemy: Learn Ansible Automation in 250+examples & practical lessons: Learn Ansible with some real-life examples of how to use the most common modules and Ansible Playbook

Printed Book

• Ansible For VMware by Examples
  Buy on Amazon Buy on Apress
• Ansible for Kubernetes by Example
  Buy on Amazon Buy on Apress
• Hands-on Ansible Automation
  Buy on Amazon Buy on BPB
• Red Hat Ansible Automation Platform
  Buy on Amazon Buy on BPB

eBooks

• Buy on Leanpub Ansible by Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps
• Buy on Leanpub Ansible Cookbook: A Comprehensive Guide to Unleashing the Power of Ansible via Best Practices, Troubleshooting, and Linting Rules with Luca Berton
• Buy on Leanpub Terraform By Example: A Practical Approach for Beginners to Learn Cloud Infrastructure with Terraform
• Buy on Leanpub Ansible For Windows By Examples: 50+ Automation Examples For Windows System Administrator And DevOps
• Buy on Leanpub Ansible For Linux by Examples: 100+ Automation Examples For Linux System Administrator and DevOps
• Buy on Leanpub Ansible Linux Filesystem By Examples: 40+ Automation Examples on Linux File and Directory Operation for Modern IT Infrastructure
• Buy on Leanpub Ansible For Security by Examples: 100+ Automation Examples to Automate Security and Verify Compliance for IT Modern Infrastructure
• Buy on Leanpub Ansible Tips and Tricks: 10+ Ansible Examples to Save Time and Automate More Tasks
• Buy on Leanpub Ansible Linux Users & Groups By Examples: 20+ Automation Examples on Linux Users and Groups Operation for Modern IT Infrastructure
• Buy on Leanpub Ansible For PostgreSQL by Examples: 10+ Examples To Automate Your PostgreSQL database
• Buy on Leanpub Ansible For Amazon Web Services AWS By Examples: 10+ Examples To Automate Your AWS Modern Infrastructure
• Buy on Leanpub Ansible Automation Platform By Example: A step-by-step guide for the most common user scenarios

Understanding ansible.cfg

The ansible.cfg file is a plain text configuration file that can be used to customize Ansible’s behavior. It provides a way to override default settings and adapt Ansible to specific use cases and environments. The file is typically located in the /etc/ansible/ directory on a Linux system. However, you can also create a custom ansible.cfg file in your project directory to apply configuration settings specifically to that project.

In this article, we’ll dissect a sample ansible.cfg file to understand its different sections and the options it contains.

Sample ansible.cfg File

[ssh_connection]
ssh_args            = -F /dev/null -o ControlMaster=auto -o ControlPersist=60s
transfer_method     = scp
scp_extra_args      = -O
scp_if_ssh          = True

Key Sections and Options

• [ssh_connection]: This section defines settings related to SSH connections, which are crucial for Ansible to communicate with remote hosts over SSH. Let’s break down the options within this section:

• ssh_args: This option specifies additional arguments to pass to the SSH command. In this case, it sets the -F option to /dev/null, which means Ansible will use an empty SSH configuration file. The -o options set ControlMaster=auto and ControlPersist=60s, which enable SSH connection sharing and persistence for improved performance. transfer_method: Specifies the method Ansible should use for transferring files to remote hosts. In this example, it’s set to scp, which uses the Secure Copy Protocol for file transfers. The default value is smart which uses preferred SFTP protocol and fallback to SCP.

• scp_extra_args: This option allows you to provide extra arguments to the scp command. The -O argument is used for OpenSSH versions 9.0 and above.

• scp_if_ssh: A legacy option that determines whether to use the SCP method if SSH is used for file transfers instead of SFTP. In this case, it’s set to True.

Conclusion

The ansible.cfg file is vital to Ansible’s configuration, allowing users to tailor the tool to their specific needs. While this article primarily focused on the ansible.cfg file’s content, it’s crucial to stay informed about changes in related technologies, such as the deprecation of the SCP protocol since Red Hat Enterprise Linux 9 onward, to ensure the security and efficiency of your automation workflows. Customizing Ansible’s configuration, as well as adapting to changes in underlying protocols, is essential for effective automation and system management.

Academy

Learn the Ansible automation technology with some real-life examples in my 200+ Lessons Video Course

My book Ansible By Examples: 200+ Automation Examples For Linux and Windows System Administrator and DevOps

Donate

Want to keep this project going? Please donate

Patreon Buy me a Pizza